6. Webhook Admission 101
Why?
It helps answer the existential questions in the life of DevOps:
● Is the pod requesting too many resources?
● Are the base images used to spawn the microservice pods secure?
● Which privileges are currently granted to the service account linked to these pods/deployments? Do they adhere to the principle of least privilege?
14. Webhook Admission callback (RESPOND)
- Respond simple (allow/forbidden)
- Respond with Patching
- Respond with Warning (code 299)
[Diagram: API Server intercepts the request, calls back to the Webhook Server, Webhook Server responds]
15. Webhook Admission callback (contacting webhook server)
Once the API server has determined a request should be sent to a webhook, it needs to know how to contact the webhook:
- URL
- Service reference
16. Webhook Admission callback (contacting webhook server)

                  URL                                    Service Reference
Endpoint Type     Endpoint outside K8S                   Endpoint within K8S (deployment/service)
Endpoint Format   scheme://host:port/path                <svc_name>.<svc_ns>.svc.cluster.local
caBundle          Required (but automatically using      Required (use K8S cluster caBundle)
                  "system trust roots")
23. Apply dynamic Webhook Admission
Webhook Configuration
- API object (kind):
  / ValidatingWebhookConfiguration
  / MutatingWebhookConfiguration
- Name: must be a valid K8S DNS subdomain name
28. Demo
- Company X uses ECR as the registry for all container image activities (e.g. registry.company.com)
- To cut down cost, the DevOps team must set up an internal "pull-through-caching" registry (e.g. registry-cache.company.com)
- What is the best way to adopt the new "registry-cache" without changing "ci-cd/helm-chart/" too much?
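The following is an added example, not code from the deck: a minimal mutating webhook server, written here in Go with only the standard library, that answers the demo question above and also shows the three response kinds from slide 14 (simple allow, allow with patch, and a warning). It rewrites container images hosted on the upstream registry to the pull-through cache by returning a JSON Patch in the AdmissionReview response. The registry names, the /mutate path, the TLS file paths and the trimmed-down AdmissionReview/Pod structs are assumptions for this example; a real project would import k8s.io/api/admission/v1 instead of redefining the wire format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Hypothetical registry names taken from the demo scenario (assumed, not real hosts).
const (
	upstreamRegistry = "registry.company.com"
	cacheRegistry    = "registry-cache.company.com"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview wire format, defined
// inline to keep the example dependency-free.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}

type status struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

type admissionResponse struct {
	UID       string   `json:"uid"`
	Allowed   bool     `json:"allowed"`
	PatchType *string  `json:"patchType,omitempty"`
	Patch     []byte   `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
	Warnings  []string `json:"warnings,omitempty"`
	Result    *status  `json:"status,omitempty"`
}

// Only the Pod fields the webhook inspects.
type container struct {
	Image string `json:"image"`
}

type pod struct {
	Spec struct {
		Containers     []container `json:"containers"`
		InitContainers []container `json:"initContainers"`
	} `json:"spec"`
}

type jsonPatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// rewriteImages returns one "replace" operation per container image hosted on
// upstreamRegistry, pointing it at cacheRegistry. An empty result means no change.
func rewriteImages(p pod) []jsonPatchOp {
	var ops []jsonPatchOp
	add := func(basePath string, cs []container) {
		for i, c := range cs {
			if strings.HasPrefix(c.Image, upstreamRegistry+"/") {
				ops = append(ops, jsonPatchOp{
					Op:    "replace",
					Path:  fmt.Sprintf("%s/%d/image", basePath, i),
					Value: cacheRegistry + strings.TrimPrefix(c.Image, upstreamRegistry),
				})
			}
		}
	}
	add("/spec/containers", p.Spec.Containers)
	add("/spec/initContainers", p.Spec.InitContainers)
	return ops
}

// review builds the response for one request: "forbidden" with a 400 status when the
// object is not a parsable Pod, a plain "allow" when nothing needs rewriting, and an
// "allow" carrying a JSONPatch plus a warning (surfaced to kubectl via code 299) otherwise.
func review(req *admissionRequest) *admissionResponse {
	resp := &admissionResponse{UID: req.UID, Allowed: true}
	var p pod
	if err := json.Unmarshal(req.Object, &p); err != nil {
		resp.Allowed = false
		resp.Result = &status{Code: 400, Message: "object is not a parsable Pod: " + err.Error()}
		return resp
	}
	ops := rewriteImages(p)
	if len(ops) == 0 {
		return resp
	}
	patch, _ := json.Marshal(ops) // marshalling a static struct slice cannot fail
	patchType := "JSONPatch"
	resp.PatchType = &patchType
	resp.Patch = patch
	resp.Warnings = []string{fmt.Sprintf("%d image(s) rewritten to %s", len(ops), cacheRegistry)}
	return resp
}

// handleMutate decodes the AdmissionReview sent by the API server and echoes the
// request UID back in the response, as the admission contract requires.
func handleMutate(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // cap the body at 1 MiB
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
		return
	}
	out := admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: review(in.Request)}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(out)
}

func main() {
	http.HandleFunc("/mutate", handleMutate)
	// The API server only calls webhooks over TLS; the cert/key paths are placeholders.
	log.Fatal(http.ListenAndServeTLS(":8443", "/etc/webhook/tls.crt", "/etc/webhook/tls.key", nil))
}
```

To wire this in, the MutatingWebhookConfiguration would reference the server through a Service reference (so the API server verifies it against the cluster caBundle from slide 16) with rules narrowed to Pod CREATE operations, and the failurePolicy deserves a deliberate choice: Fail blocks pod creation while the webhook is down, Ignore silently skips the rewrite.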