Add Admission Control for Karmada Operator

charts/karmada-operator/templates/karmada-operator-deployment.yaml

@@ -5,11 +5,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels: {{- include "common.labels.standard" . | nindent 4 }}
     app: {{ include "karmada.operator.fullname" . }}
-    {{- if .Values.commonLabels }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- if .Values.operator.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.operator.labels "context" $ ) | nindent 4 }}
     {{- end }}
-  {{- if .Values.commonAnnotations }}
-  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- if .Values.operator.annotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.operator.annotations "context" $ ) | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{  .Values.operator.replicaCount }}
@@ -27,33 +27,40 @@ spec:
       {{- end }}
       labels: {{- include "common.labels.standard" . | nindent 8 }}
         app: {{ include "karmada.operator.fullname" . }}
-        {{- if .Values.podLabels }}
+        {{- if .Values.operator.podLabels }}
         {{- include "common.tplvalues.render" (dict "value" .Values.operator.podLabels "context" $) | nindent 8 }}
         {{- end }}
     spec:
       {{- include "karmada.operator.imagePullSecrets" . | indent 6 }}
       containers:
-      - name: {{ include "karmada.operator.fullname" . }}
-        image: {{ template "karmada.operator.image" . }}
-        imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
-        ports:
-        - containerPort: 8080
-          name: metrics
-          protocol: TCP
-        command:
-        - /bin/karmada-operator
-        - --leader-elect-resource-namespace={{ .Release.Namespace }}
-        - --v=2
+        - name: {{ include "karmada.operator.fullname" . }}
+          image: {{ template "karmada.operator.image" . }}
+          imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
+          ports:
+            - containerPort: 8080
+              name: metrics
+              protocol: TCP
+            - containerPort: 9443
+              name: webhook
+              protocol: TCP
+          command:
+            - /bin/karmada-operator
+            - --leader-elect-resource-namespace={{ .Release.Namespace }}
+            - --v=2
         {{- range .Values.operator.extraArgs }}
-        - {{ . }}
+            - {{ . }}
         {{- end }}
         {{- with .Values.operator.env }}
-        env:
+          env:
         {{- toYaml . | nindent 10 }}
         {{- end }}
         {{- if .Values.operator.resources }}
-        resources: {{- toYaml .Values.operator.resources | nindent 12 }}
+          resources: {{- toYaml .Values.operator.resources | nindent 12 }}
         {{- end }}
+          volumeMounts:
+            - name: karmada-operator-webhook-cert
+              mountPath: /tmp/k8s-webhook-server/serving-certs
+              readOnly: true
       serviceAccountName: {{ include "karmada.operator.fullname" . }}
       {{- if .Values.operator.affinity }}
       affinity: {{- include "common.tplvalues.render" (dict "value" .Values.operator.affinity "context" $) | nindent 8 }}
@@ -64,3 +71,7 @@ spec:
       {{- if .Values.operator.tolerations }}
       tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.operator.tolerations "context" $) | nindent 8 }}
       {{- end }}
+      volumes:
+        - name: karmada-operator-webhook-cert
+          secret:
+            secretName: karmada-operator-webhook-cert

charts/karmada-operator/templates/webhook-cert.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: karmada-operator-webhook-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: karmada-operator-webhook-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: karmada-operator-webhook-cert
+  issuerRef:
+    kind: Issuer
+    name: karmada-operator-webhook-cert
+  dnsNames:
+    - karmada-operator-webhook
+    - karmada-operator-webhook.{{ .Release.Namespace }}
+    - karmada-operator-webhook.{{ .Release.Namespace }}.svc
+    - karmada-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local
+
+

charts/karmada-operator/templates/webhook-configs.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: karmada-mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/karmada-operator-webhook-cert
+webhooks:
+  - name: karmada-v1alpha1.kb.io
+    admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: karmada-operator-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /mutate-operator-karmada-io-v1alpha1-karmada
+    failurePolicy: Fail
+    sideEffects: None
+    rules:
+      - apiGroups: ["operator.karmada.io"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE","UPDATE"]
+        resources: ["karmadas"]
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: karmada-validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/karmada-operator-webhook-cert
+webhooks:
+  - name: karmada-v1alpha1.kb.io
+    admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: karmada-operator-webhook
+        namespace: {{ .Release.Namespace }}
+        path: /validate-operator-karmada-io-v1alpha1-karmada
+    failurePolicy: Fail
+    sideEffects: None
+    rules:
+      - apiGroups: ["operator.karmada.io"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE","UPDATE"]
+        resources: ["karmadas"]
+

charts/karmada-operator/templates/webhook-service.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: karmada-operator-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "karmada.operator.fullname" . }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: webhook
+      port: 443
+      targetPort: webhook
+      protocol: TCP
+  selector:
+    app: {{ include "karmada.operator.fullname" . }}
+

charts/karmada-operator/values.yaml

@@ -39,6 +39,8 @@ kubectl:
 operator:
   ## @param operator.labels
   labels: {}
+  ## @param operator.annotations Operator deployment annotations
+  annotations: {}
   ## @param operator.replicaCount target replicas
   replicaCount: 1
   ## @param operator.podAnnotations

hack/deploy-karmada-operator.sh

@@ -60,14 +60,14 @@ kind load docker-image "${REGISTRY}/karmada-operator:${VERSION}" --name="${CONTE
 # create namespace `karmada-system`
 kubectl --kubeconfig="${KUBECONFIG}" --context="${CONTEXT_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/namespace.yaml"
 
-# install Karmada operator crds
-kubectl --kubeconfig="${KUBECONFIG}" --context="${CONTEXT_NAME}" apply -f operator/config/crds/
+# deploy karmada-operator using Helm
+echo "Installing Karmada operator using Helm"
+cd "${REPO_ROOT}/charts/karmada-operator"
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm dependency build
+helm --kubeconfig "${KUBECONFIG}" --kube-context "${CONTEXT_NAME}" install --namespace ${KARMADA_SYSTEM_NAMESPACE} karmada-operator .
+cd -
 
-# deploy karmada-operator
-kubectl --kubeconfig="${KUBECONFIG}" --context="${CONTEXT_NAME}" apply -f "${REPO_ROOT}/operator/config/deploy/karmada-operator-clusterrole.yaml"
-kubectl --kubeconfig="${KUBECONFIG}" --context="${CONTEXT_NAME}" apply -f "${REPO_ROOT}/operator/config/deploy/karmada-operator-clusterrolebinding.yaml"
-kubectl --kubeconfig="${KUBECONFIG}" --context="${CONTEXT_NAME}" apply -f "${REPO_ROOT}/operator/config/deploy/karmada-operator-serviceaccount.yaml"
-kubectl --kubeconfig="${KUBECONFIG}" --context="${CONTEXT_NAME}" apply -f "${REPO_ROOT}/operator/config/deploy/karmada-operator-deployment.yaml"
-
-# wait karmada-operator ready
+# Await Karmada operator ready status
 kubectl --kubeconfig="${KUBECONFIG}" --context="${CONTEXT_NAME}" wait --for=condition=Ready --timeout=30s pods -l app.kubernetes.io/name=karmada-operator -n ${KARMADA_SYSTEM_NAMESPACE}
+echo "Successfully installed Karmada operator using Helm."

hack/local-up-karmada-by-operator.sh

@@ -88,6 +88,9 @@ OPERATOR_POD_NAME=$(kubectl --kubeconfig="${MAIN_KUBECONFIG}" --context="${HOST_
 kubectl --kubeconfig="${MAIN_KUBECONFIG}" --context="${HOST_CLUSTER_NAME}" exec -i ${OPERATOR_POD_NAME} -n ${KARMADA_SYSTEM_NAMESPACE} -- mkdir -p ${CRD_CACHE_DIR}
 kubectl --kubeconfig="${MAIN_KUBECONFIG}" --context="${HOST_CLUSTER_NAME}" cp ${REPO_ROOT}/crds.tar.gz ${KARMADA_SYSTEM_NAMESPACE}/${OPERATOR_POD_NAME}:${CRD_CACHE_DIR}
 
+echo "Installing cert-manager in host cluster"
+kubectl --kubeconfig="${MAIN_KUBECONFIG}" --context="${HOST_CLUSTER_NAME}" apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.0/cert-manager.yaml
+
 # step3.3 install karmada instance
 "${REPO_ROOT}"/hack/deploy-karmada-by-operator.sh "${MAIN_KUBECONFIG}" "${HOST_CLUSTER_NAME}" "${KARMADA_APISERVER_CLUSTER_NAME}" "latest" true "${CRDTARBALL_URL}"
 

hack/setup-dev-base.sh

@@ -82,6 +82,15 @@ else
   util::install_kubectl "" "${BS_ARCH}" "${BS_OS}"
 fi
 
+# install helm
+echo -n "Preparing: 'helm' existence check - "
+if util::cmd_exist helm; then
+  echo "passed"
+else
+  echo "installing helm"
+  util::install_helm
+fi
+
 #step1. create host cluster and member clusters in parallel
 # host IP address: script parameter ahead of WSL2 or macOS IP
 if [[ -z "${HOST_IPADDRESS}" ]]; then
@@ -114,6 +123,7 @@ if [[ -n "${HOST_IPADDRESS}" ]]; then # If bind the port of clusters(karmada-hos
 else
   util::create_cluster "${HOST_CLUSTER_NAME}" "${MAIN_KUBECONFIG}" "${CLUSTER_VERSION}" "${KIND_LOG_FILE}"
 fi
+
 util::create_cluster "${MEMBER_CLUSTER_1_NAME}" "${MEMBER_CLUSTER_1_TMP_CONFIG}" "${CLUSTER_VERSION}" "${KIND_LOG_FILE}" "${TEMP_PATH}"/member1.yaml
 util::create_cluster "${MEMBER_CLUSTER_2_NAME}" "${MEMBER_CLUSTER_2_TMP_CONFIG}" "${CLUSTER_VERSION}" "${KIND_LOG_FILE}" "${TEMP_PATH}"/member2.yaml
 util::create_cluster "${PULL_MODE_CLUSTER_NAME}" "${PULL_MODE_CLUSTER_TMP_CONFIG}" "${CLUSTER_VERSION}" "${KIND_LOG_FILE}" "${TEMP_PATH}"/member3.yaml
@@ -137,6 +147,9 @@ util::check_clusters_ready "${MEMBER_CLUSTER_1_TMP_CONFIG}" "${MEMBER_CLUSTER_1_
 util::check_clusters_ready "${MEMBER_CLUSTER_2_TMP_CONFIG}" "${MEMBER_CLUSTER_2_NAME}"
 util::check_clusters_ready "${PULL_MODE_CLUSTER_TMP_CONFIG}" "${PULL_MODE_CLUSTER_NAME}"
 
+echo "Installing cert-manager in host cluster..."
+kubectl --kubeconfig="${MAIN_KUBECONFIG}" --context="${HOST_CLUSTER_NAME}" apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.0/cert-manager.yaml
+
 #step4. load components images to kind cluster
 if [[ "${BUILD_FROM_SOURCE}" == "true" ]]; then
   # host cluster

operator/README.md

@@ -19,6 +19,11 @@ This section describes how to install `karmada-operator` and create a Karmada in
 - Kubernetes 1.16+
 - Helm v3+
 
+### Install `cert-manager`
+
+`cert-manager` is used to provision and manage the certificate for the operator's webhook server. Please follow [these instructions](https://cert-manager.io/docs/installation/) to download `cert-manager` on the host cluster
+where the Karmada operator is to be installed.
+
 ### Deploy `karmada-operator`
 
 #### Helm install

operator/cmd/operator/app/operator.go

@@ -38,6 +38,7 @@ import (
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	"github.com/karmada-io/karmada/operator/cmd/operator/app/options"
+	"github.com/karmada-io/karmada/operator/internal/webhook/v1alpha1"
 	operatorv1alpha1 "github.com/karmada-io/karmada/operator/pkg/apis/operator/v1alpha1"
 	ctrlctx "github.com/karmada-io/karmada/operator/pkg/controller/context"
 	"github.com/karmada-io/karmada/operator/pkg/controller/karmada"
@@ -79,6 +80,13 @@ func NewOperatorCommand(ctx context.Context) *cobra.Command {
 				return err
 			}
 			logs.InitLogs()
+
+			// Starting from version 0.15.0, controller-runtime expects its consumers to set a logger through log.SetLogger.
+			// If SetLogger is not called within the first 30 seconds of a binaries lifetime, it will get
+			// set to a NullLogSink and report an error. Here's to silence the "log.SetLogger(...) was never called; logs will not be displayed" error
+			// by setting a logger through log.SetLogger.
+			// More info refer to: https://github.com/karmada-io/karmada/pull/4885.
+			controllerruntime.SetLogger(klog.Background())
 			return nil
 		},
 		RunE: func(_ *cobra.Command, _ []string) error {
@@ -116,6 +124,13 @@ func Run(ctx context.Context, o *options.Options) error {
 		return err
 	}
 
+	klog.Info("Registering admission webhooks with the controller manager")
+	err = v1alpha1.SetupKarmadaWebhookWithManager(manager)
+	if err != nil {
+		klog.Errorf("Failed to setup karmada-operator webhook: %v", err)
+		return err
+	}
+
 	if err := manager.AddHealthzCheck("ping", healthz.Ping); err != nil {
 		klog.Errorf("Failed to add health check endpoint: %v", err)
 		return err