Kubernetes Webhooks

Transcript

1. Kubernetes Webhooks Terin Stock @terinjokes

2. Extending Kubernetes 1. Controllers 2. Webhooks 3. Aggregation Layer

3. Learn more about extending Kubernetes Friday 14:45 - 15:20 in

   Room C1-M0

4. What are Webhooks? • Allows for dynamic adminission control without

   plugins • Configurable at runtime, without restarting control plane • Implemented with an HTTP API • Beta, and on by default in ≥1.9

5. Types of Webhooks 1. Mutating Webhook a. Allows for mutating

   resources on admission b. Runs serially, each webhook can mutate 2. Validating Webhook a. Only allows for validating resources b. Runs in parallel; if any reject, the request fails

6. Example • We have different types of namespaces ◦ Production

   namespaces, running critical production tasks ◦ Development namespaces, running work-in-progress services • Quality of Service between the namespaces are different: ◦ Production namespaces should be Guaranteed or Burstable ◦ Development namespaces should be Best Effort • Production services should be deployable in development namespaces without changing resource requests.

7. Quality of Service QoS of a Pod depends on the

   resource limits and requests in the Pod spec containers: - name: example resources: limits: memory: "200Mi" cpu: "700m" requests: memory: "200Mi" cpu: "700m"

8. Creating a Webhook apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: resource-quotas

   webhooks: - name: resource-quotas clientConfig: caBundle: ${PEM_ENCODED_BUNDLE} service: namespace: default name: resource-quotas-wh path: "/pods" rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] namespaceSelector: matchLabels: type: development

9. Woah, What? Break it down We’re creating a Mutating Webhook

   apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration The configuration for a Validating Webhook is largely the same

10. Example Webhook: ClientConfig Defines what service Kubernetes will send webhooks

    requests to clientConfig: caBundle: ${PEM_ENCODED_BUNDLE} service: namespace: default name: resource-quotas-wh path: "/pods" The service must listen on port 443, and use an HTTPS certificate matching the caBundle

11. Example Webhook: Rules Rules defines when Kubernetes will reach out

    to the Webhook rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"]

12. Example Webhook: Namespaces Finally, namespaceSelector restricts the rules to namespaces

    that match the labels namespaceSelector: matchLabels: type: development

13. Example Webhook http.HandleFunc("/pods", func(rw http.ResponseWriter, r *http.Request) { // decode

    request as v1beta1.AdmissionReview var review v1beta1.AdmissionReview json.NewDecoder(r.Body).Decode(&review) […] })
14. None

15. Example Webhook […] // investigate review.Request var pod v1.Pod json.Unmarshal(review.Request.Object.Raw,

    &pod) // remove each resources from each containers for i, c := range pod.Spec.Containers { c.Resources = v1.ResourceRequirements{} pod.Spec.Containers[i] = c } […]

16. Example Webhook […] // marshal back into JSON resp, _

    := json.Marshal(pod) […]

17. JSONPatch Kubernetes uses JSONPatch, defined by RFC6902, to describe webhook

    mutations [ { "op": "remove", "path": "/a/b/c" }, { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] }, { "op": "move", "from": "/a/b/c", "path": "/a/b/d" }, { "op": "copy", "from": "/a/b/d", "path": "/a/b/e" } ] The github.com/mattbaird/jsonpatch package works well for simple cases

18. Example Webhook […] // create the JSONPatch patch, _ :=

    jsonpatch.CreatePatch(review.Request.Object.Raw, resp) p, _ := json.Marshal(patch) pt := v1beta1.PatchTypeJSONPatch response := &v1beta1.AdmissionResponse{ UID: review.Request.UID, Allowed: true, Patch: p, PatchType: &pt, } […]

19. Example Webhook […] res, _ := json.Marshal(&v1beta1.AdmissionReview{ Response: response, })

    rw.Header().Set("Content-Type", "application/json") rw.Write(res) })

20. Other Webhooks • Add "sidecar" containers to new pods ◦

    Conduit sidecar ◦ Jaeger agent ◦ Prometheus exporter • Deployment templating

21. Kubernetes Webhooks • Extending Kubernetes Admission Control ◦ without being

    a plugin ◦ deployable and configurable at runtime • Simple HTTP API • Extremely powerful

22. Learn more about extending Kubernetes Friday 14:45 - 15:20 in

    Room C1-M0