Admission Webhooks from Scratch

Transcript

1. 1 | © 2019 Palo Alto Networks. All Rights Reserved.

   Liron Levin Chief software architect, Prisma Cloud Compute Writing dynamic admission controllers from scratch

2. $ whoami Chief architect @ prisma cloud compute Phd distributed

   systems Open source contributor

3. Today • Learn about admission controllers

4. Today • Learn about admission controllers • Learn about dynamic

   admission controllers

5. Today • Learn about admission controllers • Learn about dynamic

   admission controllers • Write and deploy a custom dynamic admission controller from scratch

6. Admission controller • Intercepts requests to the Kubernetes API server

   after the request is authenticated and authorized but before the object is persistent.

7. Admission controller • Intercepts requests to the Kubernetes API server

   after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver

8. Admission controller • Intercepts requests to the Kubernetes API server

   after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Create Pod

9. Admission controller • Intercepts requests to the Kubernetes API server

   after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Create Pod

10. Admission controller • Intercepts requests to the Kubernetes API server

    after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Create Pod

11. Admission controller • Intercepts requests to the Kubernetes API after

    the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Object schema validation Create Pod

12. Admission controller • Intercepts requests to the Kubernetes API after

    the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Create Pod

13. Admission controller • Intercepts requests to the Kubernetes API after

    the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Create Pod

14. Admission Controller • $ kube-apiserver -h | grep enable-admission-plugins

15. Admission Controller • $ kube-apiserver -h | grep enable-admission-plugins •

    --enable-admission-plugins strings admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota)

16. Common Admission Controllers

17. Common Admission Controllers • AlwaysPullImages - Modifies every new Pod

    to force the image pull policy to Always

18. Common Admission Controllers • AlwaysPullImages - Modifies every new Pod

    to force the image pull policy to Always • LimitRanger This admission controller will observe the incoming request and ensure that it does not violate any of the constraints enumerated in the LimitRange object in a Namespace

19. Admission controller webhooks

20. Admission controller webhooks • Admission webhooks are HTTP callbacks that

    receive admission requests and do something with them

21. Admission controller webhooks • Admission webhooks are HTTP callbacks that

    receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Create Pod

22. Admission controller webhooks • Admission webhooks are HTTP callbacks that

    receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Mutating webhooks Create Pod

23. Admission controller webhooks • Admission webhooks are HTTP callbacks that

    receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Mutating webhooks Validating webhooks Create Pod

24. Admission controller webhooks • Admission webhooks are HTTP callbacks that

    receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Mutating webhooks Validating webhooks Create Pod

25. Motivation

26. Motivation • Custom security policies (CIS)

27. Motivation • Custom security policies (CIS) • Sidecar injection

28. Let’s code

29. 29 | © 2019 Palo Alto Networks. All Rights Reserved.

    1 Download dependencies and create certificates

30. 30 | © 2019 Palo Alto Networks. All Rights Reserved.

    1 Download dependencies and create certificates 2 Write the admission controller

31. 31 | © 2019 Palo Alto Networks. All Rights Reserved.

    1 Download dependencies and create certificates 2 Write the admission controller 3 Build the image

32. 32 | © 2019 Palo Alto Networks. All Rights Reserved.

    1 Download dependencies and create certificates 2 Write the admission controller 3 Build the image 4 Deploy to k8s

33. 33 | © 2019 Palo Alto Networks. All Rights Reserved.

    1 Download dependencies and create certificates 2 Write the admission controller 3 Build the image 4 Deploy to k8s 5 Configure and test

34. Come hear our talk! Binary Authorization in Kubernetes Aysylu Greenberg,

    Google Liron Levin, Palo Alto Networks Wednesday, November 20 • 10:55am - 11:30am