1 | © 2019 Palo Alto Networks. All Rights Reserved. Liron Levin Chief software architect, Prisma Cloud Compute Writing dynamic admission controllers from scratch

$ whoami Chief architect @ prisma cloud compute Phd distributed systems Open source contributor

Today • Learn about admission controllers

Today • Learn about admission controllers • Learn about dynamic admission controllers

Today • Learn about admission controllers • Learn about dynamic admission controllers • Write and deploy a custom dynamic admission controller from scratch

Admission controller • Intercepts requests to the Kubernetes API server after the request is authenticated and authorized but before the object is persistent.

Admission controller • Intercepts requests to the Kubernetes API server after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver

Admission controller • Intercepts requests to the Kubernetes API server after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Create Pod

Admission controller • Intercepts requests to the Kubernetes API server after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Create Pod

Admission controller • Intercepts requests to the Kubernetes API server after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Create Pod

Admission controller • Intercepts requests to the Kubernetes API after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Object schema validation Create Pod

Admission controller • Intercepts requests to the Kubernetes API after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Create Pod

Admission controller • Intercepts requests to the Kubernetes API after the request is authenticated and authorized but before the object is persistent. • Compiled into kube-apiserver API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Create Pod

Admission Controller • $ kube-apiserver -h | grep enable-admission-plugins

Admission Controller • $ kube-apiserver -h | grep enable-admission-plugins • --enable-admission-plugins strings admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota)

Common Admission Controllers

Common Admission Controllers • AlwaysPullImages - Modifies every new Pod to force the image pull policy to Always

Common Admission Controllers • AlwaysPullImages - Modifies every new Pod to force the image pull policy to Always • LimitRanger This admission controller will observe the incoming request and ensure that it does not violate any of the constraints enumerated in the LimitRange object in a Namespace

Admission controller webhooks

Admission controller webhooks • Admission webhooks are HTTP callbacks that receive admission requests and do something with them

Admission controller webhooks • Admission webhooks are HTTP callbacks that receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Create Pod

Admission controller webhooks • Admission webhooks are HTTP callbacks that receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Mutating webhooks Create Pod

Admission controller webhooks • Admission webhooks are HTTP callbacks that receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Mutating webhooks Validating webhooks Create Pod

Admission controller webhooks • Admission webhooks are HTTP callbacks that receive admission requests and do something with them API HTTP Handler Authentication Authorization Mutating admission Object schema validation Validating admission Persistent to etcd Mutating webhooks Validating webhooks Create Pod

Motivation

Motivation • Custom security policies (CIS)

Motivation • Custom security policies (CIS) • Sidecar injection

Let’s code

29 | © 2019 Palo Alto Networks. All Rights Reserved. 1 Download dependencies and create certificates

30 | © 2019 Palo Alto Networks. All Rights Reserved. 1 Download dependencies and create certificates 2 Write the admission controller

31 | © 2019 Palo Alto Networks. All Rights Reserved. 1 Download dependencies and create certificates 2 Write the admission controller 3 Build the image

32 | © 2019 Palo Alto Networks. All Rights Reserved. 1 Download dependencies and create certificates 2 Write the admission controller 3 Build the image 4 Deploy to k8s

33 | © 2019 Palo Alto Networks. All Rights Reserved. 1 Download dependencies and create certificates 2 Write the admission controller 3 Build the image 4 Deploy to k8s 5 Configure and test

Come hear our talk! Binary Authorization in Kubernetes Aysylu Greenberg, Google Liron Levin, Palo Alto Networks Wednesday, November 20 • 10:55am - 11:30am