SlideShare a Scribd company logo

K8s Webhook Admission

Download as PPTX, PDF
H
Huynh Thai Bao

- Webhook Admission 101 - Webhook Admission callback - Apply dynamic Webhook Admission - Demo

Engineering
1 of 31
Kubernetes Webhook Admission Bao Huynh - DevOps Engineer 04/Oct/2021
You once already saw this....
Agenda 1. Webhook Admission 101 2. Webhook Admission callback 3. Apply dynamic Webhook Admission 4. Demo
Webhook Admission 101 Are HTTP callbacks that: ● Receive admission request & intercept them ● Intercept = Mutate/Validate or Both ● Dynamic injection with WebhookConfiguration CRD
Webhook Admission 101
Webhook Admission 101 Why ? It give helps to existential questions in the life of DevOps: ● Is the pod requesting too many resources? ● Are the base images used to spawn the microservice pods secure? ● Which privileges are currently granted to the service account linked to these pods/deployments? Do they adhere to the principle of least privilege?
Webhook Admission 101 (kube-api plugins) Kube-api server CertificateApproval controller DefaultIngressClass controller Validating AdmissionWebhook controller ………….. Mutating AdmissionWebhook controller
Webhook Admission 101 ● Enable Webhook Admission Controller ● Enable Webhook Admission Controller
Agenda 1. Webhook Admission 101 2. Webhook Admission callback 3. Apply dynamic Webhook Admission 4. Demo
Webhook Admission callback
Webhook Admission callback (REQUEST) ● HTTP Method: POST ● Content-Type: application/json ● API Object (API: AdmissionReview)
Webhook Admission callback (REQUEST)
Webhook Admission callback (RESPOND) ● HTTP Method: POST ● Content-Type: application/json ● API Object (API: AdmissionReview) ● Body: + uid : copied for request.uid + allowed : true/false + patchType: JSONPatch + patch : <base64_of_JsonPatch_operation>
Webhook Admission callback (RESPOND) Respond simple (allow/forbidden) Respond with Patching Respond with Warning (code 299) Webhook Server (intercept Request) API Server Respond Callback Intercept request equest
Webhook Admission callback (contacting webhook server) Once the API server has determined a request should be sent to a webhook, it needs to know how to contact the webhook - URL - Service reference
Webhook Admission callback (contacting webhook server) URL Service Reference Endpoint Type Endpoint outside K8S Endpoint within K8S (deployment/service) Endpoint Format scheme://host:port/path <svc_name>.<svc_ns>.svc.cluster.local caBundle Require (but automatically using “system trust roots”) Require (use K8S cluster caBundle)
Webhook Admission callback (contacting webhook server)
Webhook Admission callback (contacting webhook server) Acquiring “K8S cluster caBundle”: $ kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' $ kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service- account.name']=='default')].data.ca.crt}"
Agenda 1. Webhook Admission 101 2. Webhook Admission callback 3. Apply dynamic Webhook Admission 4. Demo
Apply dynamic Webhook Admission Let’s recall ● Mutating Webhook Admission: patch/modify the request ● Validating Webhook Admission: validate the request ● Mutate first, then validate later.
Apply dynamic Webhook Admission
Apply dynamic Webhook Admission Kube-api server Mutating sidecar-Injection Configuration Validating AdmissionWebhook controller Mutating AdmissionWebhook controller Mutating Image Configuration Validate Image Configuration Dynamic = Apply with configuration
Apply dynamic Webhook Admission Webhook Configuration - API object (kind): / ValidatingWebhookConfiguration / MutatingWebhookConfiguration - Name: must be K8S valid DNS subdomain name
Apply dynamic Webhook Admission Webhook Configuration Example
Apply dynamic Webhook Admission Webhook Configuration (Request Matching Rules) Define which requests will be processed/ignored by Webhook Admission - Matching request: rules - Matching request: objectSelector - Matching requests: matchPolicy https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission- controllers/#webhook-configuration
Apply dynamic Webhook Admission Webhook Configuration (Request Matching examples)
Demo
Demo - Company X has ECR as registry for all container image activities (i.e: registry.company.com) - To cut down cost, DevOps team must setup internal “pull-through-caching” registry (i.e: registry-cache.company.com) - Best way to adapt new “registry-cache” without changing “ci-cd/helm-chart/” so much ?
Beyond story: Hardening your cluster
Beyond story: Hardening your cluster
Thanks for your attention

Recommended

Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting RefreshChris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting RefreshChris Phillips
 
Service Mesh 101 - Digging into your service
Service Mesh 101 - Digging into your service Service Mesh 101 - Digging into your service
Service Mesh 101 - Digging into your service Huynh Thai Bao
 
Build 2017 - P4045 - Azure VNet for Containers
Build 2017 - P4045 - Azure VNet for ContainersBuild 2017 - P4045 - Azure VNet for Containers
Build 2017 - P4045 - Azure VNet for ContainersWindows Developer
 
VMWare Networking Basic
VMWare Networking BasicVMWare Networking Basic
VMWare Networking BasicMuhammad Yasir Nawaz
 
Introduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupIntroduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupDaniel Ciruli
 
#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015
#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015
#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015Dmitri Kalintsev
 
VMWare NSX Components
VMWare NSX ComponentsVMWare NSX Components
VMWare NSX ComponentsMuhammad Yasir Nawaz
 
Microservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraMicroservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraJorge Bay Gondra
 

Recommended

Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting RefreshChris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting RefreshChris Phillips
 
Service Mesh 101 - Digging into your service
Service Mesh 101 - Digging into your service Service Mesh 101 - Digging into your service
Service Mesh 101 - Digging into your service Huynh Thai Bao
 
Build 2017 - P4045 - Azure VNet for Containers
Build 2017 - P4045 - Azure VNet for ContainersBuild 2017 - P4045 - Azure VNet for Containers
Build 2017 - P4045 - Azure VNet for ContainersWindows Developer
 
VMWare Networking Basic
VMWare Networking BasicVMWare Networking Basic
VMWare Networking BasicMuhammad Yasir Nawaz
 
Introduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupIntroduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupDaniel Ciruli
 
#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015
#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015
#NET5488 - Troubleshooting Methodology for VMware NSX - VMworld 2015Dmitri Kalintsev
 
VMWare NSX Components
VMWare NSX ComponentsVMWare NSX Components
VMWare NSX ComponentsMuhammad Yasir Nawaz
 
Microservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraMicroservices with Node.js and Apache Cassandra
Microservices with Node.js and Apache CassandraJorge Bay Gondra
 
Mulesoftppt
Mulesoftppt Mulesoftppt
Mulesoftppt ennVee TechnoGroup Inc.
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
Comparing CoAP vs MQTT
Comparing CoAP vs MQTTComparing CoAP vs MQTT
Comparing CoAP vs MQTTkellogh
 
WCF
WCFWCF
WCFVishwa Mohan
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
JavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EEJavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EERodrigo Cândido da Silva
 
Rest component demo
Rest component demoRest component demo
Rest component demoRamakrishna kapa
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack ArchitectureSrbIT
 
Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)Betclic Everest Group Tech Team
 
REST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesREST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesPaul Fremantle
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Inhye Park
 
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise IntegratorTroubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise IntegratorWSO2
 
Proxy Server
Proxy ServerProxy Server
Proxy Serverguest095022
 
Optimising nfv service chains on open stack using docker
Optimising nfv service chains on open stack using dockerOptimising nfv service chains on open stack using docker
Optimising nfv service chains on open stack using dockerAnanth Padmanabhan
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Multi tenancy for docker
Multi tenancy for dockerMulti tenancy for docker
Multi tenancy for dockerAnanth Padmanabhan
 
Proxy servers
Proxy serversProxy servers
Proxy serversKumar
 
The Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXThe Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXScott Lowe
 
Balancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsBalancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsPapitha Velumani
 
Balancing performance accuracy and precision for secure cloud transactions
Balancing performance accuracy and precision for secure cloud transactionsBalancing performance accuracy and precision for secure cloud transactions
Balancing performance accuracy and precision for secure cloud transactionsPapitha Velumani
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 

More Related Content

What's hot

OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsEricsson Labs
 
Comparing CoAP vs MQTT
Comparing CoAP vs MQTTComparing CoAP vs MQTT
Comparing CoAP vs MQTTkellogh
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuthWei-Tsung Su
 
JavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EEJavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EERodrigo Cândido da Silva
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack ArchitectureSrbIT
 
REST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesREST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesPaul Fremantle
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Inhye Park
 
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise IntegratorTroubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise IntegratorWSO2
 
Optimising nfv service chains on open stack using docker
Optimising nfv service chains on open stack using dockerOptimising nfv service chains on open stack using docker
Optimising nfv service chains on open stack using dockerAnanth Padmanabhan
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Prasad Mukhedkar
 
Proxy servers
Proxy serversProxy servers
Proxy serversKumar
 
The Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXThe Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXScott Lowe
 
Balancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsBalancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsPapitha Velumani
 
Balancing performance accuracy and precision for secure cloud transactions
Balancing performance accuracy and precision for secure cloud transactionsBalancing performance accuracy and precision for secure cloud transactions
Balancing performance accuracy and precision for secure cloud transactionsPapitha Velumani
 

What's hot (20)

Mulesoftppt
Mulesoftppt Mulesoftppt
Mulesoftppt
 
OAuth2 on Ericsson Labs
OAuth2 on Ericsson LabsOAuth2 on Ericsson Labs
OAuth2 on Ericsson Labs
 
Comparing CoAP vs MQTT
Comparing CoAP vs MQTTComparing CoAP vs MQTT
Comparing CoAP vs MQTT
 
WCF
WCFWCF
WCF
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
JavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EEJavaOne 2016 - Reactive Microservices with Java and Java EE
JavaOne 2016 - Reactive Microservices with Java and Java EE
 
Rest component demo
Rest component demoRest component demo
Rest component demo
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack Architecture
 
Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)
 
REST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and LiesREST vs WS-*: Myths Facts and Lies
REST vs WS-*: Myths Facts and Lies
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307
 
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise IntegratorTroubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
 
Proxy Server
Proxy ServerProxy Server
Proxy Server
 
Optimising nfv service chains on open stack using docker
Optimising nfv service chains on open stack using dockerOptimising nfv service chains on open stack using docker
Optimising nfv service chains on open stack using docker
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Multi tenancy for docker
Multi tenancy for dockerMulti tenancy for docker
Multi tenancy for docker
 
Proxy servers
Proxy serversProxy servers
Proxy servers
 
The Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSXThe Future of Cloud Networking is VMware NSX
The Future of Cloud Networking is VMware NSX
 
Balancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsBalancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactions
 
Balancing performance accuracy and precision for secure cloud transactions
Balancing performance accuracy and precision for secure cloud transactionsBalancing performance accuracy and precision for secure cloud transactions
Balancing performance accuracy and precision for secure cloud transactions
 

Similar to K8s Webhook Admission

DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
Mutating Admission Webhook creation
Mutating Admission Webhook creationMutating Admission Webhook creation
Mutating Admission Webhook creationVictor Morales
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample applicationAnil Allewar
 
All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...Jimmy Lu
 
Kubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancementsKubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancementsSaiyam Pathak
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetesGigi Sayfan
 
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco
 
The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)Simon Haslam
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCLFastly
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalMichel Schildmeijer
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
 
20191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 220191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 2makker_nl
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Allan Naim
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKel Cecil
 
Learn kubernetes in 90 minutes
Learn kubernetes in 90 minutesLearn kubernetes in 90 minutes
Learn kubernetes in 90 minutesLarry Cai
 
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...KubeAcademy
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Laurent Bernaille
 

Similar to K8s Webhook Admission (20)

DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
 
Mutating Admission Webhook creation
Mutating Admission Webhook creationMutating Admission Webhook creation
Mutating Admission Webhook creation
 
Building microservices sample application
Building microservices sample applicationBuilding microservices sample application
Building microservices sample application
 
All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...All the troubles you get into when setting up a production ready Kubernetes c...
All the troubles you get into when setting up a production ready Kubernetes c...
 
Kubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancementsKubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancements
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
 
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation Slides
 
The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)The Kubernetes WebLogic revival (part 2)
The Kubernetes WebLogic revival (part 2)
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCL
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
20191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 220191201 kubernetes managed weblogic revival - part 2
20191201 kubernetes managed weblogic revival - part 2
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
 
Keystone at openstack multi sites
Keystone at openstack multi sitesKeystone at openstack multi sites
Keystone at openstack multi sites
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of Containers
 
Learn kubernetes in 90 minutes
Learn kubernetes in 90 minutesLearn kubernetes in 90 minutes
Learn kubernetes in 90 minutes
 
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...
KubeCon EU 2016: Creating an Advanced Load Balancing Solution for Kubernetes ...
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019
 
App fabric introduction
App fabric introductionApp fabric introduction
App fabric introduction
 

More from Huynh Thai Bao

CICD pipelines with GitOps
CICD pipelines with GitOpsCICD pipelines with GitOps
CICD pipelines with GitOpsHuynh Thai Bao
 
ELK - Optimizations & Updates
ELK - Optimizations & UpdatesELK - Optimizations & Updates
ELK - Optimizations & UpdatesHuynh Thai Bao
 
K8s-zero-downtime-the-missing-part
K8s-zero-downtime-the-missing-partK8s-zero-downtime-the-missing-part
K8s-zero-downtime-the-missing-partHuynh Thai Bao
 
Cassandra - decentralized structured database
Cassandra - decentralized structured databaseCassandra - decentralized structured database
Cassandra - decentralized structured databaseHuynh Thai Bao
 
Skaffold - faster development on K8S
Skaffold - faster development on K8SSkaffold - faster development on K8S
Skaffold - faster development on K8SHuynh Thai Bao
 
Kubernetes - A Rising Hero
Kubernetes - A Rising HeroKubernetes - A Rising Hero
Kubernetes - A Rising HeroHuynh Thai Bao
 
Vault - Enhancement for K8S secret security
Vault - Enhancement for K8S secret securityVault - Enhancement for K8S secret security
Vault - Enhancement for K8S secret securityHuynh Thai Bao
 
Enabling GitOps - Architecture for Implementation
Enabling GitOps - Architecture for ImplementationEnabling GitOps - Architecture for Implementation
Enabling GitOps - Architecture for ImplementationHuynh Thai Bao
 
GCP Best Practices for SRE Team
GCP Best Practices for SRE TeamGCP Best Practices for SRE Team
GCP Best Practices for SRE TeamHuynh Thai Bao
 

More from Huynh Thai Bao (9)

CICD pipelines with GitOps
CICD pipelines with GitOpsCICD pipelines with GitOps
CICD pipelines with GitOps
 
ELK - Optimizations & Updates
ELK - Optimizations & UpdatesELK - Optimizations & Updates
ELK - Optimizations & Updates
 
K8s-zero-downtime-the-missing-part
K8s-zero-downtime-the-missing-partK8s-zero-downtime-the-missing-part
K8s-zero-downtime-the-missing-part
 
Cassandra - decentralized structured database
Cassandra - decentralized structured databaseCassandra - decentralized structured database
Cassandra - decentralized structured database
 
Skaffold - faster development on K8S
Skaffold - faster development on K8SSkaffold - faster development on K8S
Skaffold - faster development on K8S
 
Kubernetes - A Rising Hero
Kubernetes - A Rising HeroKubernetes - A Rising Hero
Kubernetes - A Rising Hero
 
Vault - Enhancement for K8S secret security
Vault - Enhancement for K8S secret securityVault - Enhancement for K8S secret security
Vault - Enhancement for K8S secret security
 
Enabling GitOps - Architecture for Implementation
Enabling GitOps - Architecture for ImplementationEnabling GitOps - Architecture for Implementation
Enabling GitOps - Architecture for Implementation
 
GCP Best Practices for SRE Team
GCP Best Practices for SRE TeamGCP Best Practices for SRE Team
GCP Best Practices for SRE Team
 

Recently uploaded

OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZTE
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingjaychoudhary37
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxvipinkmenon1
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 

Recently uploaded (20)

OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacing
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptx
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 

K8s Webhook Admission

  • 1. Kubernetes Webhook Admission Bao Huynh - DevOps Engineer 04/Oct/2021
  • 2. You once already saw this....
  • 3. Agenda 1. Webhook Admission 101 2. Webhook Admission callback 3. Apply dynamic Webhook Admission 4. Demo
  • 4. Webhook Admission 101 Are HTTP callbacks that: ● Receive admission request & intercept them ● Intercept = Mutate/Validate or Both ● Dynamic injection with WebhookConfiguration CRD
  • 6. Webhook Admission 101 Why ? It give helps to existential questions in the life of DevOps: ● Is the pod requesting too many resources? ● Are the base images used to spawn the microservice pods secure? ● Which privileges are currently granted to the service account linked to these pods/deployments? Do they adhere to the principle of least privilege?
  • 7. Webhook Admission 101 (kube-api plugins) Kube-api server CertificateApproval controller DefaultIngressClass controller Validating AdmissionWebhook controller ………….. Mutating AdmissionWebhook controller
  • 8. Webhook Admission 101 ● Enable Webhook Admission Controller ● Enable Webhook Admission Controller
  • 9. Agenda 1. Webhook Admission 101 2. Webhook Admission callback 3. Apply dynamic Webhook Admission 4. Demo
  • 11. Webhook Admission callback (REQUEST) ● HTTP Method: POST ● Content-Type: application/json ● API Object (API: AdmissionReview)
  • 13. Webhook Admission callback (RESPOND) ● HTTP Method: POST ● Content-Type: application/json ● API Object (API: AdmissionReview) ● Body: + uid : copied for request.uid + allowed : true/false + patchType: JSONPatch + patch : <base64_of_JsonPatch_operation>
  • 14. Webhook Admission callback (RESPOND) Respond simple (allow/forbidden) Respond with Patching Respond with Warning (code 299) Webhook Server (intercept Request) API Server Respond Callback Intercept request equest
  • 15. Webhook Admission callback (contacting webhook server) Once the API server has determined a request should be sent to a webhook, it needs to know how to contact the webhook - URL - Service reference
  • 16. Webhook Admission callback (contacting webhook server) URL Service Reference Endpoint Type Endpoint outside K8S Endpoint within K8S (deployment/service) Endpoint Format scheme://host:port/path <svc_name>.<svc_ns>.svc.cluster.local caBundle Require (but automatically using “system trust roots”) Require (use K8S cluster caBundle)
  • 18. Webhook Admission callback (contacting webhook server) Acquiring “K8S cluster caBundle”: $ kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' $ kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes.io/service- account.name']=='default')].data.ca.crt}"
  • 19. Agenda 1. Webhook Admission 101 2. Webhook Admission callback 3. Apply dynamic Webhook Admission 4. Demo
  • 20. Apply dynamic Webhook Admission Let’s recall ● Mutating Webhook Admission: patch/modify the request ● Validating Webhook Admission: validate the request ● Mutate first, then validate later.
  • 22. Apply dynamic Webhook Admission Kube-api server Mutating sidecar-Injection Configuration Validating AdmissionWebhook controller Mutating AdmissionWebhook controller Mutating Image Configuration Validate Image Configuration Dynamic = Apply with configuration
  • 23. Apply dynamic Webhook Admission Webhook Configuration - API object (kind): / ValidatingWebhookConfiguration / MutatingWebhookConfiguration - Name: must be K8S valid DNS subdomain name
  • 24. Apply dynamic Webhook Admission Webhook Configuration Example
  • 25. Apply dynamic Webhook Admission Webhook Configuration (Request Matching Rules) Define which requests will be processed/ignored by Webhook Admission - Matching request: rules - Matching request: objectSelector - Matching requests: matchPolicy https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission- controllers/#webhook-configuration
  • 26. Apply dynamic Webhook Admission Webhook Configuration (Request Matching examples)
  • 27. Demo
  • 28. Demo - Company X has ECR as registry for all container image activities (i.e: registry.company.com) - To cut down cost, DevOps team must setup internal “pull-through-caching” registry (i.e: registry-cache.company.com) - Best way to adapt new “registry-cache” without changing “ci-cd/helm-chart/” so much ?
  • 29. Beyond story: Hardening your cluster
  • 30. Beyond story: Hardening your cluster
  • 31. Thanks for your attention

Editor's Notes

  1. Example are here: https://github.com/baohuynh09/webhookAdmisstion_tutorial
  2. https://www.openpolicyagent.org/docs/latest/
  3. Workflow of OPA https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/