Problem:

The customer upgraded their Kubernetes cluster from version 1.19 to 1.24.8. Following this upgrade, they lost access to the PodPreset feature, which was removed in Kubernetes version 1.20. The customer needed a replacement for this functionality and identified Admission Webhooks as a potential solution. However, despite following Red Hat’s procedure for implementing Admission Webhooks, the customer was unable to achieve a successful implementation and required additional support.

Process:

Step 1: Initial Attempt

After the upgrade, the customer recognized that PodPreset had been removed and researched alternatives. They chose to explore Admission Webhooks, as suggested by Red Hat. They carefully followed the procedure detailed in Red Hat’s blog post (https://cloud.redhat.com/blog/a-podpreset-based-webhook-admission-controller) but did not succeed in replicating the functionality of PodPreset.

Step 2: Exploration of Alternatives

Realizing that Admission Webhooks alone were not yielding the desired results, the customer explored other options such as Kyverno and OPA/Gatekeeper. These tools allow the creation of custom admission controller webhooks. To demonstrate their approach, the customer provided an example involving a “test-pod.yaml” file, which created a Pod with an init container, and a Kyverno policy file that added a simple bash counter to the init container. They included detailed instructions for applying these configurations:
– Created a new namespace called “tests” using `kubectl create ns tests`.
– Applied the mutating policy with `kubectl apply -f mutating-policy.yaml`.
– Deployed the pod with `kubectl apply -f test-pod.yaml`.
– Verified the init container’s output using `kubectl logs mutating-test-pod -c init-myservice -n tests`.

Step 3: Troubleshooting and Support Request

Despite achieving a 70-80% success rate with Kyverno, they encountered issues specifically related to executing a mutating webhook on init containers. They sought expert assistance to resolve these configuration challenges and awaited follow-up support as part of another support ticket.
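
What a mutating admission webhook has to return to inject PodPreset-style environment variables into init containers as well as regular containers, shown as an added Python example (not the customer's files and not Red Hat's code). The injected variable, the request UID and the images are constructed; the pod, init container and namespace names are the ones from Step 2.

```python
import base64
import json

# Hypothetical variable standing in for a PodPreset's `env` list.
INJECT_ENV = [{"name": "DB_PORT", "value": "6379"}]

def build_patch(pod, inject_env=INJECT_ENV):
    """RFC 6902 ops that add inject_env to every init container and container."""
    ops = []
    for field in ("initContainers", "containers"):
        for i, ctr in enumerate(pod.get("spec", {}).get(field) or []):
            base = f"/spec/{field}/{i}/env"
            existing = ctr.get("env")
            if not existing:
                # Appending to ".../env/-" is rejected when the pod has no env
                # array, so create the array in one operation instead.
                ops.append({"op": "add", "path": base, "value": list(inject_env)})
                continue
            names = {e["name"] for e in existing}
            for var in inject_env:
                if var["name"] not in names:  # keep values the pod author set
                    ops.append({"op": "add", "path": f"{base}/-", "value": var})
    return ops

def review(admission_review):
    """Build the admission.k8s.io/v1 response for one AdmissionReview request."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}  # uid must echo the request
    ops = build_patch(req["object"])
    if ops:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}

# Constructed request; pod, init container and namespace names follow Step 2.
SAMPLE = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-0001", "operation": "CREATE", "object": {
        "metadata": {"name": "mutating-test-pod", "namespace": "tests"},
        "spec": {
            "initContainers": [{"name": "init-myservice", "image": "busybox"}],
            "containers": [{"name": "app", "image": "busybox",
                            "env": [{"name": "DB_PORT", "value": "5432"}]}],
        }}},
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE), indent=2))
```

For the sample pod, the only operation emitted targets `/spec/initContainers/0/env`, because the regular container already defines `DB_PORT` and is left untouched.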

Solution:

The customer’s approach to addressing the issue included:
– Following Red Hat’s procedure for Admission Webhooks: https://cloud.redhat.com/blog/a-podpreset-based-webhook-admission-controller.
– Exploring alternative solutions with Kyverno and OPA/Gatekeeper.
– Providing detailed examples and instructions for troubleshooting.

To resolve their issues, further expert support was necessary to fine-tune the configuration and ensure successful implementation of the Admission Webhooks or alternative solutions.

Conclusion:

The customer faced challenges after upgrading their Kubernetes cluster from version 1.19 to 1.24.8, particularly with the removal of the PodPreset feature. Despite exploring Admission Webhooks and alternative solutions like Kyverno and OPA/Gatekeeper, they were unable to fully replicate the desired functionality. Their efforts included following procedures, testing alternatives, and seeking expert assistance to troubleshoot and fine-tune their configurations.