
Kubernetes Webhooks

Extending Kubernetes with Admission Controller webhooks.

See the related presentation on Extending Kubernetes with Controllers[0] presented at KubeCon.

[0]: https://speakerdeck.com/terinjokes/controller-extending-your-k8s-cluster

Terin Stock

May 01, 2018

Transcript

  1. What are Webhooks?
     • Allow for dynamic admission control without writing an in-tree admission plugin
     • Configurable at runtime, without restarting the control plane
     • Implemented with an HTTP API: the API server POSTs an AdmissionReview to your service and acts on the reply
     • Beta, and on by default in Kubernetes ≥ 1.9
  2. Types of Webhooks
     1. Mutating Webhook
        a. Allows for mutating resources on admission
        b. Mutating webhooks run serially; each can mutate the object, and later ones see earlier changes
     2. Validating Webhook
        a. Only allows for validating resources
        b. Runs in parallel, after all mutating webhooks have finished; if any one rejects, the request fails
  3. Example
     • We have different types of namespaces
        ◦ Production namespaces, running critical production tasks
        ◦ Development namespaces, running work-in-progress services
     • Quality of Service between the namespaces is different:
        ◦ Production namespaces should be Guaranteed or Burstable
        ◦ Development namespaces should be Best Effort
     • Production services should be deployable in development namespaces without changing resource requests.
  4. Quality of Service
     The QoS class of a Pod is derived from the resource limits and requests of its containers:
        ◦ Guaranteed: every container has CPU and memory limits, and each limit equals the matching request
        ◦ Burstable: at least one container has a CPU or memory request or limit, but the Pod does not qualify as Guaranteed
        ◦ BestEffort: no container has any request or limit
     The Pod below is Guaranteed:

         containers:
         - name: example
           resources:
             limits:
               memory: "200Mi"
               cpu: "700m"
             requests:
               memory: "200Mi"
               cpu: "700m"
  5. Creating a Webhook

         apiVersion: admissionregistration.k8s.io/v1beta1
         kind: MutatingWebhookConfiguration
         metadata:
           name: resource-quotas
         webhooks:
         - name: resource-quotas
           clientConfig:
             caBundle: ${PEM_ENCODED_BUNDLE}
             service:
               namespace: default
               name: resource-quotas-wh
               path: "/pods"
           rules:
           - operations: [ "CREATE" ]
             apiGroups: [""]
             apiVersions: ["v1"]
             resources: ["pods"]
           namespaceSelector:
             matchLabels:
               type: development
  6. Woah, What? Break it down
     We’re creating a Mutating Webhook:

         apiVersion: admissionregistration.k8s.io/v1beta1
         kind: MutatingWebhookConfiguration

     The configuration for a Validating Webhook (kind: ValidatingWebhookConfiguration) is largely the same. The admissionregistration API documents each webhook’s name as fully qualified, e.g. imagepolicy.kubernetes.io, so a short name like the one above may be rejected by the API server.
  7. Example Webhook: ClientConfig
     Defines which service Kubernetes will send admission requests to:

         clientConfig:
           caBundle: ${PEM_ENCODED_BUNDLE}
           service:
             namespace: default
             name: resource-quotas-wh
             path: "/pods"

     With this API version the service must listen on port 443 and serve HTTPS (later releases added an optional port field to the service reference). The API server connects to resource-quotas-wh.default.svc and verifies the serving certificate against caBundle, so the certificate must be valid for that name and chain to the bundle; otherwise every call fails.
  8. Example Webhook: Rules
     Rules define when Kubernetes will reach out to the Webhook; here, on CREATE of core v1 Pods, whoever creates them (users, ReplicaSets, Jobs):

         rules:
         - operations: [ "CREATE" ]
           apiGroups: [""]
           apiVersions: ["v1"]
           resources: ["pods"]
  9. Example Webhook: Namespaces
     Finally, namespaceSelector restricts the rules to namespaces that match the labels:

         namespaceSelector:
           matchLabels:
             type: development

     Whoever can label namespaces decides which ones the webhook covers, so treat namespace labels as policy and restrict who may edit them with RBAC.
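One field the deck’s configuration leaves at its default deserves attention. In admissionregistration.k8s.io/v1beta1 the default failurePolicy is Ignore: if the webhook service is down, unreachable or slow, the API server admits the request as though the webhook had allowed it unchanged, so in this example a development Pod would keep its requests and limits and land as Guaranteed. The following is an added example, not a slide from the deck, showing the same configuration with the policy made explicit; the webhook name resource-quotas.example.com is a placeholder chosen only because the API documents webhook names as fully qualified.

```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: resource-quotas
webhooks:
- name: resource-quotas.example.com   # placeholder fully qualified name
  # Default is Ignore: an unreachable webhook is skipped and the Pod is admitted
  # unmodified. Fail closes that gap, at the cost of blocking Pod creation in
  # matching namespaces while the webhook is unavailable.
  failurePolicy: Fail
  clientConfig:
    caBundle: ${PEM_ENCODED_BUNDLE}
    service:
      namespace: default
      name: resource-quotas-wh
      path: "/pods"
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  # The label is the opt-in switch: anyone who can edit namespace labels can
  # move a namespace into or out of this webhook’s scope.
  namespaceSelector:
    matchLabels:
      type: development
```

Fail is the right choice for a webhook that enforces policy; Ignore is acceptable only for best-effort conveniences, and even then the webhook’s own namespace and kube-system should be excluded by the selector so the cluster cannot lock itself out.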
  10. Example Webhook

         // imports: encoding/json, net/http, k8s.io/api/admission/v1beta1,
         // k8s.io/api/core/v1 (as v1), github.com/mattbaird/jsonpatch
         http.HandleFunc("/pods", func(rw http.ResponseWriter, r *http.Request) {
             // decode the request body as a v1beta1.AdmissionReview
             var review v1beta1.AdmissionReview
             if err := json.NewDecoder(r.Body).Decode(&review); err != nil || review.Request == nil {
                 http.Error(rw, "malformed AdmissionReview", http.StatusBadRequest)
                 return
             }
             […]
         })
  11. Example Webhook

             […]
             // investigate review.Request: Object.Raw is the Pod JSON as the API server sees it
             var pod v1.Pod
             if err := json.Unmarshal(review.Request.Object.Raw, &pod); err != nil {
                 http.Error(rw, err.Error(), http.StatusBadRequest)
                 return
             }
             // clear the resources block of every container, making the Pod BestEffort
             for i, c := range pod.Spec.Containers {
                 c.Resources = v1.ResourceRequirements{}
                 pod.Spec.Containers[i] = c
             }
             […]
  12. JSONPatch
     Kubernetes uses JSON Patch, defined by RFC 6902, to describe webhook mutations:

         [
           { "op": "remove", "path": "/a/b/c" },
           { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] },
           { "op": "move", "from": "/a/b/c", "path": "/a/b/d" },
           { "op": "copy", "from": "/a/b/d", "path": "/a/b/e" }
         ]

     The github.com/mattbaird/jsonpatch package, which diffs two JSON documents into a patch, works well for simple cases. The API server applies the patch to the object as it stands after any earlier mutating webhooks, so paths must refer to that object; a "remove" or "replace" on a path that does not exist is an error, and the API server reports it as an admission failure.
  13. Example Webhook

             […]
             // create the JSONPatch by diffing the original Pod against the modified one
             // (the slide's undefined resp is the re-encoded Pod)
             modified, _ := json.Marshal(pod)
             patch, _ := jsonpatch.CreatePatch(review.Request.Object.Raw, modified)
             p, _ := json.Marshal(patch)
             pt := v1beta1.PatchTypeJSONPatch
             response := &v1beta1.AdmissionResponse{
                 UID:       review.Request.UID, // must echo the request UID
                 Allowed:   true,
                 Patch:     p,
                 PatchType: &pt,
             }
             […]
  14. Example Webhook

             […]
             res, _ := json.Marshal(&v1beta1.AdmissionReview{
                 Response: response,
             })
             rw.Header().Set("Content-Type", "application/json")
             rw.Write(res)
         })
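The fragments on slides 10 to 14 put together as one runnable handler. This is an added example, not the deck’s code: it declares the subset of the v1beta1 AdmissionReview types it needs locally (JSON tags match the real API) so it builds with the standard library alone, and it emits the RFC 6902 "remove" operations by hand instead of diffing with mattbaird/jsonpatch, skipping containers that have no resources block because a "remove" on a missing path would fail the admission. Anything the handler cannot decode is denied rather than allowed. The AdmissionReview in sampleReview is constructed for the example, the UID in it is made up, and the certificate paths tls.crt and tls.key are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Minimal subset of admission.k8s.io/v1beta1 AdmissionReview, declared locally so the
// example builds with the standard library alone. JSON tags match the real API types.
type AdmissionReview struct {
	Request  *AdmissionRequest  `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod as the API server sees it
}
type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	Result    *Status `json:"status,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // []byte marshals as base64, which the API expects
	PatchType *string `json:"patchType,omitempty"`
}
type Status struct{ Message string `json:"message"` }
// patchOp is one RFC 6902 operation; this webhook only emits "remove".
type patchOp struct {
	Op   string `json:"op"`
	Path string `json:"path"`
}
// podSpec is the part of a Pod this webhook inspects.
type podSpec struct {
	Spec struct {
		Containers []struct{ Resources map[string]json.RawMessage `json:"resources"` } `json:"containers"`
	} `json:"spec"`
}

// stripResourcesPatch builds the patch that removes resources from every container that has any.
// Containers whose resources block is absent or empty are skipped: a "remove" on a missing path is an error.
func stripResourcesPatch(raw json.RawMessage) ([]patchOp, error) {
	var p podSpec
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("decoding pod: %w", err)
	}
	var ops []patchOp
	for i, c := range p.Spec.Containers {
		if len(c.Resources) > 0 {
			ops = append(ops, patchOp{Op: "remove", Path: fmt.Sprintf("/spec/containers/%d/resources", i)})
		}
	}
	return ops, nil
}
func deny(uid, msg string) AdmissionReview {
	return AdmissionReview{Response: &AdmissionResponse{UID: uid, Allowed: false, Result: &Status{Message: msg}}}
}

// handleReview turns the request AdmissionReview into the response; anything undecodable is denied.
func handleReview(body []byte) AdmissionReview {
	var review AdmissionReview
	if err := json.Unmarshal(body, &review); err != nil || review.Request == nil {
		return deny("", "malformed AdmissionReview")
	}
	ops, err := stripResourcesPatch(review.Request.Object)
	if err != nil {
		return deny(review.Request.UID, err.Error())
	}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: true} // UID must echo the request
	if len(ops) > 0 {
		resp.Patch, _ = json.Marshal(ops) // plain structs; cannot fail
		pt := "JSONPatch"
		resp.PatchType = &pt
	}
	return AdmissionReview{Response: resp}
}

func podsHandler(rw http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bounded; a short read fails decoding and is denied
	out, _ := json.Marshal(handleReview(body))
	rw.Header().Set("Content-Type", "application/json")
	rw.Write(out)
}
// sampleReview is a constructed AdmissionReview of the shape the API server sends:
// two containers, the first with requests and limits, the second with none.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1beta1","kind":"AdmissionReview",
 "request":{"uid":"11111111-2222-3333-4444-555555555555","namespace":"dev",
  "object":{"apiVersion":"v1","kind":"Pod","spec":{"containers":[
   {"name":"example","resources":{"limits":{"cpu":"700m","memory":"200Mi"},"requests":{"cpu":"700m","memory":"200Mi"}}},
   {"name":"sidecar","resources":{}}]}}}}`

func main() {
	out, _ := json.Marshal(handleReview([]byte(sampleReview)))
	fmt.Println(string(out)) // shows the base64-encoded patch for the sample before serving
	http.HandleFunc("/pods", podsHandler)
	// The API server only speaks TLS to webhooks; tls.crt must be valid for resource-quotas-wh.default.svc and chain to caBundle.
	log.Fatal(http.ListenAndServeTLS(":443", "tls.crt", "tls.key", nil))
}
```

For the sample the response allows the Pod with a single operation, remove /spec/containers/0/resources; the sidecar container, whose resources block is empty, produces no operation. The same structure works for a validating webhook by returning Allowed: false with a Status message instead of a patch.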
  15. Other Webhooks
     • Add "sidecar" containers to new pods
        ◦ Conduit sidecar
        ◦ Jaeger agent
        ◦ Prometheus exporter
     • Deployment templating
  16. Kubernetes Webhooks
     • Extending Kubernetes Admission Control
        ◦ without being a plugin
        ◦ deployable and configurable at runtime
     • Simple HTTP API
     • Extremely powerful