Kubernetes API Codebase Tour

API Codebase Tour Stefan Schimanski / @the_sttts / Red Hat
Hacking the kube-apiserver

Defining API types

v1alpha1 types: staging/src/k8s.io/api/auditregistration/v1alpha1 • types.go – actual Golang types (with
JSON and Proto tags) • register.go – registration code: AddToScheme internal types: pkg/apis/auditregistration • types.go – internal (hub) Golang types (without JSON/Proto) • register.go – registration code: AddToScheme Installer: pkg/apis/auditregistration/install: func Install(scheme *runtime.Scheme) Golang types

Scheme: register Golang types & Golang funcs w/ GroupVersionKind k8s.io/apimachinery/pkg/runtime.Scheme
GroupVersionKinds conversions defaulters reflect.Type Scheme Codec

v1alpha1 types: staging/src/k8s.io/api/auditregistration/v1alpha1 • types.go – actual Golang types (with
JSON and Proto tags) • register.go – registration code: AddToScheme internal types: pkg/apis/auditregistration • types.go – internal (hub) Golang types (without JSON/Proto) • register.go – registration code: AddToScheme Installer: pkg/apis/auditregistration/install: func Install(scheme *runtime.Scheme) Golang types

Conversions: pkg/apis/auditregistration/v1alpha1 • conversion.go – custom conversions • zz_generated.conversion.go –
generated conversions Defaults: zz_generated_defaults.go DeepCopy: zz_generated_deepcopy.go Generated Code not in k8s.io/api!

Serving the API

apiserver binary generic apiserver in k8s.io/apiserver 404 authentication authorization impersonation
panic recovery request-timeout audit max-in-flight handler chain mux data flow calls back to knows no API groups yet Scheme empty /version /apis /openapi/v2 /swagger.json /healthz /metrics

func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { handler := genericapifilters.WithAuthorization(apiHandler,
...) handler = genericfilters.WithMaxInFlightLimit(handler, ...) handler = genericapifilters.WithImpersonation(handler, ...) handler = genericapifilters.WithAudit(handler, ...) failedHandler := genericapifilters.Unauthorized(...) failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, ...) handler = genericapifilters.WithAuthentication(handler, ..., failedHandler, ...) handler = genericfilters.WithCORS(handler, ...) handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, ...) handler = genericfilters.WithWaitGroup(handler, ...) handler = genericapifilters.WithRequestInfo(handler, ...) handler = genericfilters.WithPanicRecovery(handler) return handler } k8s.io/apiserver/pkg/server/config.go

kube-apiserver generic apiserver 404 authentication authorization impersonation panic recovery request-timeout
audit max-in-flight handler chain mux data flow calls back to knows no API groups yet Scheme /version /apis /openapi/v2 /swagger.json /healthz /metrics core/v1 Pod core/v1 Pod core/v1 Pod

kube-apiserver apiserver 404 resource handler request conversion & defaulting REST
logic result conversion validation admission decoding GET CREATE LIST UPDATE DELETE WATCH PATCH encoding mutating webhooks validating webhooks authentication authorization impersonation panic recovery request-timeout audit max-in-flight handler chain mux data flow calls back to Scheme core/v1 Pod core/v1 Pod core/v1 Pod via InstallAPIGroup(info)

kube-apiserver apiserver resource handler resource handler 404 resource handler request
conversion & defaulting REST logic result conversion validation admission decoding GET CREATE LIST UPDATE DELETE WATCH PATCH encoding mutating webhooks validating webhooks authentication authorization impersonation panic recovery request-timeout audit max-in-flight handler chain Scheme core/v1 Pod core/v1 Pod core/v1 Pod data flow calls back to mux no storage logic yet

kube-apiserver apiserver resource handler resource handler 404 etcd resource handler
request conversion & defaulting storage conversion & defaulting REST logic result conversion validation admission decoding GET CREATE LIST UPDATE DELETE WATCH PATCH encoding mutating webhooks validating webhooks authentication authorization impersonation panic recovery request-timeout audit max-in-flight handler chain API Group “core” API Group “core” API Group “core” PodStorage PodStorage PodStorage Generic Registry Pod Strategy - PrepareForUpdate - PrepareForCreate - Validate ... create update ... mux Scheme core/v1 Pod core/v1 Pod core/v1 Pod data flow calls back to

request conversion & defaulting storage conversion & defaulting REST logic result conversion validation admission decoding GET CREATE LIST UPDATE DELETE WATCH PATCH encoding mutating webhooks validating webhooks authentication authorization impersonation panic recovery request-timeout audit max-in-flight handler chain API Group “core” API Group “core” API Group “core” PodStorage PodStorage PodStorage Generic Registry Pod Strategy - PrepareForUpdate - PrepareForCreate - Validate ... create update ... mux Scheme core/v1 Pod core/v1 Pod core/v1 Pod data flow calls back to v1 v1 v1 int int v1 int v1 int v2 v1 int int v1 hub/internal version

request conversion & defaulting storage conversion & defaulting REST logic result conversion validation admission decoding GET CREATE LIST UPDATE DELETE WATCH PATCH encoding mutating webhooks validating webhooks authentication authorization impersonation panic recovery request-timeout audit max-in-flight handler chain API Group “core” API Group “core” API Group “core” PodStorage PodStorage PodStorage Generic Registry Pod Strategy - PrepareForUpdate - PrepareForCreate - Validate ... create update ... mux Scheme core/v1 Pod core/v1 Pod core/v1 Pod data flow calls back to conversions defaulting

kube-apiserver CRDs aggregator kube- aggregator & CRDs apiserver resource handler
resource handler 404 etcd aggregated apiservers resource handler request conversion & defaulting storage conversion & defaulting REST logic result conversion validation admission decoding GET CREATE LIST UPDATE DELETE WATCH PATCH encoding mutating webhooks validating webhooks authentication authorization impersonation panic recovery request-timeout audit max-in-flight handler chain API Group “core” API Group “core” API Group “core” PodStorage PodStorage PodStorage Generic Registry Pod Strategy - PrepareForUpdate - PrepareForCreate - Validate ... create update ... mux Scheme core/v1 Pod core/v1 Pod core/v1 Pod data flow calls back to

kube-apiserver kube- aggregator apiserver resource handler resource handler 404 etcd
aggregated apiservers resource handler request conversion & defaulting storage conversion & defaulting REST logic result conversion validation admission decoding GET CREATE LIST UPDATE DELETE WATCH PATCH encoding mutating webhooks validating webhooks authentication authorization impersonation panic recovery request-timeout audit max-in-flight handler chain API Group “core” API Group “core” API Group “core” PodStorage PodStorage PodStorage Generic Registry Pod Strategy - PrepareForUpdate - PrepareForCreate - Validate ... create update ... mux Scheme core/v1 Pod core/v1 Pod core/v1 Pod data flow calls back to pkg/registry pkg/apis + k8s.io/api k8s.io/apiserver/pkg/endpoints/handlers k8s.io/apiserver/pkg/admission k8s.io/apiserver/plugin/pkg/admission plugins/pkg/admission k8s.io/apiserver/pkg/endpoints/filters k8s.io/kube-aggregator k8s.io/apiextensions-apiserver k8s.io/apiserver/pkg/storage/etcd3 k8s.io/apiserver/pkg/registry/generic

API Group “core” API Group “core” API Group “auditregistration.k8s.io” PodStorage
PodStorage AuditSinkStorage Generic Registry AuditSink Strategy - PrepareForUpdate - PrepareForCreate - Validate ... create update ... staging/src/k8s.io/apiserver/pkg/registry/generic/registry pkg/apis/auditregistration/validation “The registry” of a resource

Plumbing into kube-apiserver pkg/master/import_known_versions.go import ( _ "k8s.io/kubernetes/pkg/apis/auditregistration/install" ) pkg/master/master.go
import ( auditregistrationrest "k8s.io/kubernetes/pkg/registry/auditregistration/rest" ) restStorageProviders := []RESTStorageProvider{ auditregistrationrest.RESTStorageProvider{}, autoscalingrest.RESTStorageProvider{}, … } apiserver.InstallAPIs(…, restStorageProviders…) legacyscheme.Scheme installs handlers into the mux func init()

Build system plumbing • hack/.golint_failures ignore lint errors due to
generated code • hack/lib/init.sh add to KUBE_AVAILABLE_GROUP_VERSIONS, used by many hack/ scripts • hack/update-generated-protobuf-dockerized.sh generate Protobuf code, independent from KUBE_AVAILABLE_GROUP_VERSIONS for some reason

$ make WHAT=cmd/hyperkube $ RUNTIME_CONFIG=auditregistration.k8s.io/v1alpha1=true \ hack/local-up-cluster.sh $ kubectl get
--raw /apis | grep auditregistration.k8s.io

Live Debugging

Live Debugging * perfectly written down in xmudrii’s https://xmudrii.com/posts/debugging-kubernetes/ *

@lavalamp’s “Live API Code Review” after the break

Kubernetes API Codebase Tour

Kubernetes API Codebase Tour

Dr. Stefan Schimanski

More Decks by Dr. Stefan Schimanski

Other Decks in Technology

Featured

Transcript

API Codebase Tour Stefan Schimanski / @the_sttts / Red Hat

Defining API types

v1alpha1 types: staging/src/k8s.io/api/auditregistration/v1alpha1 • types.go – actual Golang types (with

Scheme: register Golang types & Golang funcs w/ GroupVersionKind k8s.io/apimachinery/pkg/runtime.Scheme

v1alpha1 types: staging/src/k8s.io/api/auditregistration/v1alpha1 • types.go – actual Golang types (with

Conversions: pkg/apis/auditregistration/v1alpha1 • conversion.go – custom conversions • zz_generated.conversion.go –

Serving the API

apiserver binary generic apiserver in k8s.io/apiserver 404 authentication authorization impersonation

apiserver binary generic apiserver in k8s.io/apiserver 404 authentication authorization impersonation

func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { handler := genericapifilters.WithAuthorization(apiHandler,

kube-apiserver generic apiserver 404 authentication authorization impersonation panic recovery request-timeout

kube-apiserver apiserver 404 resource handler request conversion & defaulting REST

kube-apiserver apiserver resource handler resource handler 404 resource handler request

kube-apiserver apiserver resource handler resource handler 404 etcd resource handler

kube-apiserver apiserver resource handler resource handler 404 etcd resource handler

kube-apiserver apiserver resource handler resource handler 404 etcd resource handler

kube-apiserver CRDs aggregator kube- aggregator & CRDs apiserver resource handler

kube-apiserver kube- aggregator apiserver resource handler resource handler 404 etcd

API Group “core” API Group “core” API Group “auditregistration.k8s.io” PodStorage

Plumbing into kube-apiserver pkg/master/import_known_versions.go import ( _ "k8s.io/kubernetes/pkg/apis/auditregistration/install" ) pkg/master/master.go

Build system plumbing • hack/.golint_failures ignore lint errors due to

$ make WHAT=cmd/hyperkube $ RUNTIME_CONFIG=auditregistration.k8s.io/v1alpha1=true \ hack/local-up-cluster.sh $ kubectl get

Live Debugging

kube-apiserver CRDs aggregator kube- aggregator & CRDs apiserver resource handler

Live Debugging * perfectly written down in xmudrii’s https://xmudrii.com/posts/debugging-kubernetes/ *

kube-apiserver CRDs aggregator kube- aggregator & CRDs apiserver resource handler

@lavalamp’s “Live API Code Review” after the break