THREAD: How does the Kubernetes API work?

The Kubernetes API is made of several smaller components.

In this thread you will learn about the components involved in getting a resource stored in etcd.
1/10

When you type kubectl apply -f my.yaml, your YAML is sent to the API and stored in etcd.

๐˜‰๐˜ถ๐˜ต ๐˜ธ๐˜ฉ๐˜ข๐˜ต ๐˜ช๐˜ด ๐˜ต๐˜ฉ๐˜ฆ ๐˜ˆ๐˜—๐˜ ๐˜ฅ๐˜ฐ๐˜ช๐˜ฏ๐˜จ?
2/10

The API is drawn as a single block in the diagram, but in reality several components process your request in turn.

The first component is the HTTP handler.

You can think of it as a web server ready to receive HTTP requests.
3/10

At this stage, the API has to make sure that:

- you are who you say you are (authentication)
- you are allowed to create, delete, list, etc. the resource you asked for (authorisation)

This is where the RBAC rules are evaluated.
4/10

So you're authenticated and you can create Pods, what's next?

The API passes the request to the mutating admission controllers.

These components look at your object and are allowed to modify it.

For example, the DefaultStorageClass plugin fills in the storage class on a PersistentVolumeClaim that doesn't name one.
5/10

๐˜ˆ๐˜ง๐˜ต๐˜ฆ๐˜ณ ๐˜ข๐˜ญ๐˜ญ ๐˜ฎ๐˜ฐ๐˜ฅ๐˜ช๐˜ง๐˜ช๐˜ค๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ๐˜ด, ๐˜ฅ๐˜ฐ๐˜ฆ๐˜ด ๐˜ต๐˜ฉ๐˜ฆ ๐˜—๐˜ฐ๐˜ฅ ๐˜ด๐˜ต๐˜ช๐˜ญ๐˜ญ ๐˜ญ๐˜ฐ๐˜ฐ๐˜ฌ ๐˜ญ๐˜ช๐˜ฌ๐˜ฆ ๐˜ข ๐˜—๐˜ฐ๐˜ฅ?

The schema validation step makes sure that the resource is still valid against the internal schema.

You don't want a malformed object stored in the cluster, and this step runs after mutation precisely because a mutating controller could have broken the object.
6/10

If you tried to deploy a Pod in a namespace that doesn't exist, who stops you?

A validating admission controller (NamespaceLifecycle) stops you.

Are you trying to deploy more resources than your quota allows?

Another one (ResourceQuota) stops you again.
7/10

If you make it past the validating admission controllers, your resource is stored in etcd. Note that admission only runs on writes: a read request such as GET or LIST skips it entirely.

Well done!

Now that you know about mutating admission controllers, wouldn't it be great if you could design your own?

Good news, you can.
8/10

You can register your own HTTP service with the API as a mutating admission webhook: the API sends it every matching request and applies the JSON patch it returns.

You can do the same with a validating admission webhook.

You write the checks and decide whether a resource is rejected before it reaches etcd. Because the webhook sits in the write path, its failurePolicy matters: Fail blocks the request when the webhook is unreachable, Ignore silently lets it through.
9/10
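As an added example (not code from the thread, from Istio or from Gatekeeper), here is a minimal webhook server in Go that serves both a mutating and a validating endpoint for the steps described above. It assumes a MutatingWebhookConfiguration and a ValidatingWebhookConfiguration (not shown) whose rules scope the webhooks to Pod writes and whose clientConfig points at /mutate and /validate with the server's CA in caBundle. The label name example.com/admitted and the "no privileged containers" rule are illustrative choices, and the AdmissionReview structs are a hand-written subset of the real admission.k8s.io/v1 types so that the example needs only the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Hand-written subset of admission.k8s.io/v1 AdmissionReview (assumption: only the fields used here).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the object as it stands after earlier mutations
}
type Status struct{ Message string `json:"message"` }
type AdmissionResponse struct {
	UID       string  `json:"uid"` // must echo the request uid
	Allowed   bool    `json:"allowed"`
	Status    *Status `json:"status,omitempty"`
	PatchType string  `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json emits []byte as base64, which the API server expects
}
// The parts of a Pod the two handlers inspect.
type pod struct {
	Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
	Spec     struct {
		Containers []struct {
			Name            string `json:"name"`
			SecurityContext *struct{ Privileged *bool `json:"privileged"` } `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

func deny(uid, msg string) *AdmissionResponse {
	return &AdmissionResponse{UID: uid, Allowed: false, Status: &Status{Message: msg}}
}

// mutate stamps the Pod with the (assumed) label example.com/admitted=true via a JSON Patch. '/' in a key is escaped as '~1'.
func mutate(req *AdmissionRequest) *AdmissionResponse {
	var p pod
	if err := json.Unmarshal(req.Object, &p); err != nil {
		return deny(req.UID, "cannot decode Pod: "+err.Error())
	}
	var ops []map[string]any
	if p.Metadata.Labels == nil { // "add" needs an existing parent, so create the map first
		ops = append(ops, map[string]any{"op": "add", "path": "/metadata/labels", "value": map[string]string{}})
	}
	ops = append(ops, map[string]any{"op": "add", "path": "/metadata/labels/example.com~1admitted", "value": "true"})
	resp := &AdmissionResponse{UID: req.UID, Allowed: true, PatchType: "JSONPatch"}
	resp.Patch, _ = json.Marshal(ops)
	return resp
}

// validate runs after every mutation and rejects a Pod that has a privileged container.
func validate(req *AdmissionRequest) *AdmissionResponse {
	var p pod
	if err := json.Unmarshal(req.Object, &p); err != nil {
		return deny(req.UID, "cannot decode Pod: "+err.Error())
	}
	for _, c := range p.Spec.Containers {
		if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
			return deny(req.UID, fmt.Sprintf("container %q must not be privileged", c.Name))
		}
	}
	return &AdmissionResponse{UID: req.UID, Allowed: true}
}

// review decodes an AdmissionReview, runs fn on its request and returns the review with the response filled in.
func review(body []byte, fn func(*AdmissionRequest) *AdmissionResponse) ([]byte, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	ar.Response, ar.Request = fn(ar.Request), nil
	return json.Marshal(ar)
}

// handler adapts fn to net/http; the API server POSTs an AdmissionReview and expects one back.
func handler(fn func(*AdmissionRequest) *AdmissionResponse) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // a truncated body fails to parse below
		if out, err := review(body, fn); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		} else {
			w.Header().Set("Content-Type", "application/json")
			w.Write(out)
		}
	}
}
```

Register handler(mutate) on /mutate and handler(validate) on /validate with http.HandleFunc and serve them with http.ListenAndServeTLS, since the API server only calls webhooks over TLS. The validating endpoint receives the object after the mutating patch has been applied, so it can rely on the label being present; set failurePolicy: Fail on the validating configuration, otherwise an outage of the webhook becomes a bypass of the check.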

Two excellent examples of custom Admission controllers:

- Istio injects its sidecar proxy container into Pods in namespaces where injection is enabled (mutation)
- Gatekeeper (Open Policy Agent) checks your resources against policies and rejects the ones that violate them (validation)
10/10

If you wish to explore more, check out this article on custom admission controllers https://banzaicloud.com/blog/k8s-admission-webhooks/

Also @echorand is about to publish an article on the Learnk8s blog about custom validation checks. Subscribe to the Learnk8s newsletter here https://learnk8s.io/newsletter 
You can follow @danielepolencic.