K8s Admission Controllers from scratch
By Steve Giguere

Meet the Proctors
- Steve Giguere, Developer Advocate - Bridgecrew
- Matt Johnson, DevRel Lead - Prisma Cloud
- Angela Gizzi, Technical Marketing - PANW

An admission controller is a piece of code that intercepts requests to the Kubernetes API server before the persistence of the object, but after the request is authenticated and authorized.

Validating Admission Controllers are the last line of defense to block potentially dangerous misconfigurations from making it into your cluster and save you from yourself.

Types of Dynamic Admission Controllers
- Validating Admission Webhook (our workshop): This admission controller calls webhooks, passing an Admission Review request to validate an incoming Kubernetes manifest matching the webhook's Admission Configuration. If the webhook rejects the request, the request fails and the object is not persisted in the cluster.
- Mutating Admission Webhook (not used in this workshop): This admission controller calls webhooks, which may modify/mutate (as implied by the name) the object if desired. Note that these run before Validating Admission Webhooks.

Anatomy of an admission controller
Credit: Sysdig

Our Admission Controller
- Container
  - Gunicorn
  - WSGI.py (conductor)
  - Python based Flask application receiving on a single /validate route
  - All of the above built into a container image
- Admission Configuration
- K8s Deployment
- TLS Certs: deployed as a K8s secret
- K8s Service: ClusterIP

What We Don't Cover
- The vast list of built-in Kubernetes admission controllers
- The new alpha feature of validating admission controllers using CEL (CEL = Common Expression Language)
- How to create a Python based Flask application: we provide a basic framework for you
- Deep knowledge of K8s manifests: we do teach how to generate some manifests, and we also provide manifests where generation isn't possible
- Kubectl deep dive: all commands are provided with explanation

Prerequisites
- A laptop
- A Kubernetes cluster (provided)
- Fundamental knowledge of the Python programming language
- Basic knowledge of kubectl
- Our Instruqt workshop invitation, also posted in the CNCF Slack channel #cnsc-ac-workshop: https:/

- value of admission controllers
- The basics of how an admission controller works
- How to build a basic admission controller to block, based on a simple rule
- What a secure K8s manifest looks like!
- How to take that to the next level by adding a policy as code engine (Checkov)
- Policy consistency across the SDLC is important!
- Whorf, the result of our own Admission Controller journey

Let's get started!

We'd love to hear from you! Leave us your feedback below and come visit us to chat more & pick up some swag at Booth G11.
1-Minute Feedback Form:
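The validating webhook flow described in the slides above (Admission Review request in, allow or reject out) can be sketched as follows. This is an added example, not the workshop's own code: the privileged-container rule, the function names and the sample request are assumptions, and in a Flask app the /validate route would return `review(request.get_json())` as JSON.

```python
# Added example: decision logic for a validating admission webhook (stdlib only).
# Assumed rule (not from the slides): reject Pods that run privileged containers.

def privileged_containers(pod_spec):
    """Return the names of containers that set securityContext.privileged."""
    names = []
    for key in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod_spec.get(key) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                names.append(c.get("name", "<unnamed>"))
    return names

def review(admission_review):
    """Build the AdmissionReview response for one AdmissionReview request."""
    req = admission_review.get("request") or {}
    # The response must echo the request uid or the API server treats it as invalid.
    response = {"uid": req.get("uid", ""), "allowed": True}
    obj = req.get("object") or {}  # object is null on DELETE requests
    if (req.get("kind") or {}).get("kind") == "Pod":
        bad = privileged_containers(obj.get("spec") or {})
        if bad:
            response["allowed"] = False
            response["status"] = {
                "code": 403,
                "message": "privileged containers are not allowed: " + ", ".join(bad),
            }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed sample request, trimmed to the fields the rule reads.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {"spec": {"containers": [
            {"name": "web", "image": "example/web:1.0"},
            {"name": "debug", "image": "example/debug:1.0",
             "securityContext": {"privileged": True}},
        ]}},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

Because Deployments and other workload controllers end up creating Pods, a Pod-level check like this still applies to them as long as the Admission Configuration matches Pod CREATE requests.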