• Stars
    star
    343
  • Rank 123,371 (Top 3 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 6 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Kubernetes sidecar injection service

k8s-sidecar-injector

Uses MutatingAdmissionWebhook in Kubernetes to inject sidecars into new deployments at resource creation time

GitHub release Travis (.org) Docker Automated build Docker Build Status MicroBadger Size Docker Pulls Docker Stars Godoc

What is this?

At Tumblr, we run some containers that have complicated sidecar setups. A kubernetes pod may run 5+ other containers, with some associated volumes and environment variables. It became clear quickly that keeping these sidecars in line would become an operational hassle; making sure every service uses the correct version of each dependency, updating global environment variable sets as configurations in our DCs change, etc.

To help solve this, we wrote the k8s-sidecar-injector. It is a small service that runs in each Kubernetes cluster, and listens to the Kubernetes API via webhooks. For each pod creation, the injector gets a (mutating admission) webhook, asking whether or not to allow the pod launch, and if allowed, what changes we would like to make to it. For pods that have special annotations on them (i.e. injector.tumblr.com/request=logger:v1), we rewrite the pod configuration to include the containers, volumes, volume mounts, host aliases, init-containers and environment variables defined in the sidecar logger:v1's configuration.

This enabled us to keep sane, centralized configuration for oft-used, but infrequently cared about configuration for our sidecars.

Configuration

See /docs/configuration.md to get started with setting up your sidecar injector's configurations.

Deployment

See /docs/deployment.md to see what a sample deployment may look like for you!

How it works

  1. A pod is created. It has annotation injector.tumblr.com/request=logger:v1
  2. K8s webhooks out to this service, asking whether to allow this pod creation, and how to mutate it
  3. If the pod is annotated with injector.tumblr.com/status=injected: Do nothing! Return "allowed" to pod creation
  4. Pull the "logger:v1" sidecar config, patch the resource, and return it to k8s
  5. Pod will launch in k8s with the modified configuration

A crappy ASCII diagram will help :)

                                                                  +-----------------+
     +------------------------------+          +----------------+ |                 |
     |                              |          |                | |  Sidecar        |
     |   MutatingAdmissionWebhook   |          |   Sidecar      | |  configuration  |
     |                              |          |   ConfigMaps   | |  files on disk  |
     +------------+-----------------+          |                | |                 |
                  |                            +--------+-------+ +------+----------+
discover injector |                                     |                |
endpoints         |                    watch ConfigMaps |                | load from disk
                  |                                     |                |
          +-------v--------+    pod launch          +---v----------------v-----+
          |                +------------------------>                          |
          |   Kubernetes   |                        |   k8s-sidecar-injector   |
          |   API Server   <------------------------+                          |
          |                |    mutated pod spec    +--------------------------+
          +----------------+

Run

The image is build and published on the Hub at https://hub.docker.com/r/tumblr/k8s-sidecar-injector/. See /docs/deployment.md for how to run this in Kubernetes.

By hand

This needs some special configuration surrounding the TLS certs, but if you have already read docs/configuration.md, you can run this manually with:

$ ./bin/k8s-sidecar-injector --tls-port=9000 --config-directory=conf/ --tls-cert-file="${TLS_CERT_FILE}" --tls-key-file="${TLS_KEY_FILE}"

NOTE: this is not a supported method of running in production. You are highly encouraged to read docs/deployment.md to deploy this to Kubernetes in The Supported Way.

Hacking

See hacking.md

License

Apache 2.0

Copyright 2019, Tumblr, Inc.

More Repositories

1

Backboard

A motion-driven animation framework for Android.
Java
1,694
star
2

Graywater

An Android library for decomposing RecyclerView layouts to improve scroll performance.
Java
1,209
star
3

colossus

I/O and Microservice library for Scala
Scala
1,144
star
4

jetpants

MySQL toolkit for managing billions of rows and hundreds of database machines
Ruby
1,136
star
5

pytumblr

A Python Tumblr API v2 Client
Python
723
star
6

tumblr.js

JavaScript client for the Tumblr API
JavaScript
645
star
7

collins

groovy kind of love
Scala
572
star
8

Bookends

A UI widget for adding headers and footers to RecyclerView
Java
539
star
9

Remember

A preferences-backed key-value store
Java
523
star
10

policy

Tumblr policies and guidelines
453
star
11

laphs

Apple Live Photo support on the web, courtesy of Tumblr
JavaScript
447
star
12

TMTumblrSDK

Unopinionated and flexible library for easily integrating Tumblr data into your iOS or OS X application.
Objective-C
432
star
13

tumblr.php

Tumblr API v2 PHP Client
PHP
407
star
14

kanvas-ios

Kanvas: a creation tool for iOS
Swift
315
star
15

jumblr

Tumblr API v2 Java Client
Java
277
star
16

gocircuit

Go
237
star
17

genesis

A tool for data center automation
Ruby
156
star
18

docker-registry-pruner

Tool to apply retention logic to docker images in a Docker Registry
Go
127
star
19

data-lasso

JavaScript
119
star
20

docs

Tumblr's public platform documentation.
107
star
21

XExtensionItem

Easier sharing of structured data between iOS applications and share extensions
Objective-C
88
star
22

PermissMe

Java
75
star
23

webpack-web-app-manifest-plugin

A webpack plugin that generates a PWA manifest and integrates with the assets JSON.
JavaScript
75
star
24

k8s-secret-projector

Kubernetes Secret generation from secure credential repos
Go
72
star
25

k8s-config-projector

Create Kubernetes ConfigMaps from configuration files
Go
65
star
26

tumblrclient.go

This is a concrete implementation of the ClientInterface with additional convenience methods defined right on the client object
Go
42
star
27

go-collins

Collins API Client in Go - https://tumblr.github.io/collins
Go
41
star
28

tumblr.go

This is a library which provides structs and functions for accessing the Tumblr API
Go
37
star
29

JXHTTP

you know, for networking
Objective-C
25
star
30

Spectacles

A tiny library for parsing JSON podspecs.
Objective-C
23
star
31

gulp-css-hashes

JavaScript
18
star
32

tsd_proxy

Clojure
15
star
33

tumblr-repl

REPL for the Tumblr API, built on tumblr.js
JavaScript
12
star
34

collins_shell

Ruby
3
star
35

consolr

Ruby
1
star
36

chorus-timekeeper

DI with timekeeping.
PHP
1
star
37

collins_notify

Ruby
1
star
38

collins_client

Ruby
1
star
39

collins_auth

Ruby
1
star
40

slackr_archiver

Ruby
1
star