K8s Admission Controllers from scratch
By Steve Giguere

Meet the Proctors
Steve Giguere, Developer Advocate - Bridgecrew
Matt Johnson, DevRel Lead - Prisma Cloud
Angela Gizzi, Technical Marketing - PANW

An admission controller is a piece of code that intercepts requests to the Kubernetes API server before the persistence of the object, but after the request is authenticated and authorized.

Validating Admission Controllers are the last line of defense to block potentially dangerous misconfigurations from making it into your cluster and save you from yourself.

Types of Dynamic Admission Controllers

Validating Admission Webhook (our workshop)
This admission controller calls webhooks, passing an Admission Review request to validate an incoming Kubernetes manifest matching the webhook's Admission Configuration. If the webhook rejects the request, the request fails and the object is not persisted in the cluster.

Mutating Admission Webhook (not used in this workshop)
This admission controller calls webhooks, which may modify/mutate (as implied by the name) the object if desired. Note these run before Validating Admission Webhooks.

Anatomy of an admission controller
Credit: Sysdig

Our Admission Controller Container
Gunicorn
WSGI.py (conductor)
Python based Flask application receiving on a single /validate route
All of the above built into a container image

Admission Configuration
K8s Deployment
TLS Certs: deployed as K8s secret
K8s Service: ClusterIP

What We Don't Cover
The vast list of built-in Kubernetes admission controllers
The new alpha feature of validating admission controller using CEL (CEL = Common Expression Language)
How to create a Python based Flask application (we provide a basic framework for you)
Deep knowledge of K8s manifests (we do teach how to generate some manifests)
We also provi
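The validating webhook flow described above (AdmissionReview request in, allow or reject out), as an added example that is not the workshop's own code. It assumes a policy of denying privileged containers, and the function names and sample request are constructed for illustration; a Flask /validate route would pass the parsed JSON body to validate() and return the result as JSON.

```python
import json

CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def privileged_containers(obj):
    """Names of containers that set securityContext.privileged: true."""
    spec = pod_spec(obj)
    return [c.get("name", "<unnamed>")
            for key in CONTAINER_KEYS
            for c in spec.get(key) or []
            if (c.get("securityContext") or {}).get("privileged") is True]

def validate(admission_review):
    """Build the AdmissionReview response for one AdmissionReview request body."""
    request = admission_review.get("request") or {}
    obj = request.get("object") or {}  # object is null on DELETE: nothing to check
    bad = privileged_containers(obj)
    # The response must echo the request uid so the API server can match it.
    response = {"uid": request.get("uid", ""), "allowed": not bad}
    if bad:
        response["status"] = {"code": 403,
                              "message": "privileged containers not allowed: " + ", ".join(bad)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed sample request, trimmed to the fields the check reads.
SAMPLE = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "example-uid-0001", "operation": "CREATE", "object": {
        "kind": "Deployment",
        "spec": {"template": {"spec": {"containers": [
            {"name": "web", "image": "nginx"},
            {"name": "debug", "image": "busybox",
             "securityContext": {"privileged": True}}]}}}}},
}

if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE), indent=2))
```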