Slide 1

© 2019 Palo Alto Networks. All Rights Reserved.
Liron Levin, Chief software architect, Prisma Cloud Compute
Writing dynamic admission controllers from scratch

Slide 2

$ whoami
• Chief architect @ Prisma Cloud Compute
• PhD, distributed systems
• Open source contributor

Slides 3-5

Today
• Learn about admission controllers
• Learn about dynamic admission controllers
• Write and deploy a custom dynamic admission controller from scratch

Slides 6-13

Admission controller
• Intercepts requests to the Kubernetes API server after the request is authenticated and authorized but before the object is persisted.
• Compiled into kube-apiserver

Diagram (the path of a "Create Pod" request through kube-apiserver): API HTTP Handler → Authentication → Authorization → Mutating admission → Object schema validation → Validating admission → Persisted to etcd

Slides 14-15

Admission Controller
• $ kube-apiserver -h | grep enable-admission-plugins
• --enable-admission-plugins strings   admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota)

Slides 16-18

Common Admission Controllers
• AlwaysPullImages - Modifies every new Pod to force the image pull policy to Always
• LimitRanger - Observes the incoming request and ensures that it does not violate any of the constraints enumerated in the LimitRange object in a Namespace

Slides 19-24

Admission controller webhooks
• Admission webhooks are HTTP callbacks that receive admission requests and do something with them

Diagram (the same "Create Pod" path, with the webhook stages added): API HTTP Handler → Authentication → Authorization → Mutating admission (including mutating webhooks) → Object schema validation → Validating admission (including validating webhooks) → Persisted to etcd

Slides 25-27

Motivation
• Custom security policies (CIS)
• Sidecar injection
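The callback the webhook slides describe, worked as an added example (it is not code from the talk or from Prisma Cloud): a Go file with hand-written minimal AdmissionReview types (an assumption of the example; the canonical types live in k8s.io/api/admission/v1), a mutating policy that reproduces the AlwaysPullImages controller from the "Common Admission Controllers" slides as a JSON Patch, and a validating policy of the CIS kind named under "Motivation" that denies privileged containers. The function names (review, mutate, validate, decodePod, deny) and the Pod shapes are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written mirror of the admission.k8s.io/v1 AdmissionReview envelope, an assumption of this
// example (the canonical types live in k8s.io/api/admission/v1), limited to the fields used here.
type AdmissionRequest struct {
	UID    string                              `json:"uid"`
	Kind   struct{ Kind string `json:"kind"` } `json:"kind"`
	Object json.RawMessage                     `json:"object"`
}
type Status struct{ Message string `json:"message"` }
type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	Result    *Status `json:"status,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json base64-encodes it, as the API expects
	PatchType string  `json:"patchType,omitempty"`
}
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

// The subset of a Pod that the two policies inspect.
type container struct {
	Name            string                                       `json:"name"`
	ImagePullPolicy string                                       `json:"imagePullPolicy"`
	SecurityContext struct{ Privileged bool `json:"privileged"` } `json:"securityContext"`
}
type pod struct {
	Spec struct{ Containers []container `json:"containers"` } `json:"spec"`
}

func deny(uid, msg string) *AdmissionResponse {
	return &AdmissionResponse{UID: uid, Allowed: false, Result: &Status{Message: msg}}
}

// decodePod returns the Pod in the request; any other kind yields an empty Pod, so both policies fall through to "allow, no patch".
func decodePod(req *AdmissionRequest) (p pod, err error) {
	if req.Kind.Kind == "Pod" {
		err = json.Unmarshal(req.Object, &p)
	}
	return p, err
}

// mutate reimplements the AlwaysPullImages built-in as a webhook: a JSON Patch that forces
// imagePullPolicy=Always on every container of the incoming Pod.
func mutate(req *AdmissionRequest) *AdmissionResponse {
	p, err := decodePod(req)
	if err != nil {
		return deny(req.UID, "cannot decode Pod: "+err.Error())
	}
	var ops []map[string]string
	for i, c := range p.Spec.Containers {
		if c.ImagePullPolicy != "Always" { // JSON Patch "add" both creates and overwrites a member
			ops = append(ops, map[string]string{"op": "add", "value": "Always",
				"path": fmt.Sprintf("/spec/containers/%d/imagePullPolicy", i)})
		}
	}
	resp := &AdmissionResponse{UID: req.UID, Allowed: true}
	if len(ops) > 0 {
		resp.Patch, _ = json.Marshal(ops)
		resp.PatchType = "JSONPatch"
	}
	return resp
}

// validate enforces a CIS-style custom policy: a Pod with a privileged container is rejected.
func validate(req *AdmissionRequest) *AdmissionResponse {
	p, err := decodePod(req)
	if err != nil {
		return deny(req.UID, "cannot decode Pod: "+err.Error())
	}
	for _, c := range p.Spec.Containers {
		if c.SecurityContext.Privileged {
			return deny(req.UID, fmt.Sprintf("container %q runs privileged", c.Name))
		}
	}
	return &AdmissionResponse{UID: req.UID, Allowed: true}
}

// review decodes one AdmissionReview body and fills in the response; the response UID must
// echo the request UID or the API server rejects the answer.
func review(fn func(*AdmissionRequest) *AdmissionResponse, body []byte) (*AdmissionReview, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	} else if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview carries no request")
	}
	ar.Response, ar.Request = fn(ar.Request), nil
	return &ar, nil
}
```

The file deliberately stops at the policy logic. Wiring it up is a few lines: an http.HandlerFunc reads the POST body, calls review with mutate or validate, and encodes the returned envelope; the server must run under http.ListenAndServeTLS, because kube-apiserver only calls webhooks over HTTPS. Two details trip up first implementations: the response must carry the request's uid, and a mutation is sent as patchType JSONPatch with the patch base64-encoded, which encoding/json does automatically for a []byte field.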

Slide 28

Let's code

Slides 29-33

1. Download dependencies and create certificates
2. Write the admission controller
3. Build the image
4. Deploy to k8s
5. Configure and test

Slide 34

Come hear our talk! Binary Authorization in Kubernetes
Aysylu Greenberg, Google; Liron Levin, Palo Alto Networks
Wednesday, November 20 • 10:55am - 11:30am