How to build a Kubernetes Webhook | Admission controllers
ฝัง
- เผยแพร่เมื่อ 31 ก.ค. 2024
- Subscribe to show your support! goo.gl/1Ty1Q2 .
Patreon 👉🏽 / marceldempers
Checkout the source code below 👇🏽 and follow along 🤓
Also if you want to support the channel further, become a member 😎
marceldempers.dev/join
Checkout "That DevOps Community" too
marceldempers.dev/community
Source Code 🧐
--------------------------------------------------------------
github.com/marcel-dempers/doc...
Introduction to Go Programming
--------------------------------------------------------------
• Introduction to Go: A ...
If you are new to Kubernetes, check out my getting started playlist on Kubernetes below :)
Kubernetes Guide for Beginners:
---------------------------------------------------
• Kubernetes development...
Kubernetes Monitoring Guide:
-----------------------------------------------
• Kubernetes Monitoring ...
Kubernetes Secret Management Guide:
--------------------------------------------------------------
• Kubernetes Secret Mana...
Like and Subscribe for more :)
Follow me on socials!
marceldempers.dev
Twitter | / marceldempers
GitHub | github.com/marcel-dempers
Facebook | thatdevopsguy
LinkedIn | / marceldempers
Instagram | / thatdevopsguy
Music:
Track: Fox Beat 2 - Joakim Karud - Summer Vibes - Royalty Free Vlog Music [BUY=FREE] | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / joakim-karud-summer-vi...
Track: Amine Maxwell - Night And The City | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / night-and-the-city
Track: Le Gang - I'll Go Out To Run Now (Free Download) [Lo-Fi Beats/Chill] | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / ill-go-out-to-run-now
Track: WG $P_BEATZ - SAD LOFI CHILL TYPE BEAT(Prod.WG $P) | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / sad-lofi-chill-type-be...
Track: souKo - souKo - Parallel | is licensed under a Creative Commons Attribution licence (creativecommons.org/licenses/...)
Listen: / parallel
Timestamps:
00:00 Introduction
00:30 What are admission controllers
01:57 Documentation
02:12 The Agenda
02:43 The Source Code
03:04 Creating a cluster
03:37 Create TLS certificate
08:51 The Webhook configuration
11:50 Writing the code
15:27 Accessing Kubernetes from code
17:43 Authenticating with Kubernetes
20:50 Kubernetes client-go
22:50 Basic code to list pods
24:44 Mutating Endpoint
27:17 Deploying to kubernetes
30:58 Trying the mutation endpoint
32:05 Admission Reviews and response
39:24 Successful mutation - วิทยาศาสตร์และเทคโนโลยี
![เจ้าผู้เดียว - ดิด คิตตี้ [OFFICIAL MV]](http://i.ytimg.com/vi/q0NLCYKBOTo/mqdefault.jpg)
Most watchers of this video already know what "-v" does in a docker command. But even if there is only one who doesn't, the explanation pays off.
So I seriously love the fact that you go over every single command, explaining what and why is going on. That is exceptional level education right here.
Best content for Kubernetes out there! I actually used these videos to implement a cluster in my organisation. You are my hero!
I agree one of the best content for Kubernetes out there ! Thank you !
I will pay without hesitation if you make a course/training videos :)
This video helped me a lot in understanding AdmissionControllers. The way you explain things is brilliant!
Loved the way you structured the creation of admission webhook, step by step ... just by following along the video helped me understand the concept and literally not spending lots of time on fixing unwanted issue due to setup as in other blogs... Thank you and i am your new Fan :)
The quality of this video is top notch! Thank you very much for helping us learning and understanding these concpets with practical examples. Love these videos!!!
Awesome man, your voice is so smooth. Top quality content, everything to the point, zero wastage.
Thanks a lot for this excellent video. I am currently facing the task to develop an admission controller, Your video is very helpful.
Kudos to you sir! Very clear instructions and easy to follow, everything is well explained as well!
Thank you for putting this together.
I don't know how to explain it but your videos are like hypnosis :D , we follow from start to finish and understand everything !
Awesome run-through of admission controllers - thank you - keep up the great work
I love this kind of contents!! so inspiring. I enjoyed it very much. Thanks for sharing your advanced knowledge with us.
This content is amazing. I am sure it took a long time to put it all together
thank you
just plain awesome !! so much detailed explaination ever seen in k8s tutorials
Just the content I was looking for. Thanks for sharing your knowledge 👏🏼
Stellar work, super impressive. You're the man Marcel 👑👌
Dude, you are my hero! I do really enjoy watching your videos. I'm tring to get into the DevOps world and your videos are just amazing! Thank you for all the knoledge you share with us!
Fantastic content, some day this channel will be the gold standard for k8s development.
Marcels is the man!!! Thank you so much!
My god. I just googled for admission controller hello world and got to this channel. Wow. So clear, so structured. This guy knows how to teach. And this is from a guy who has been teaching Linux for about 20 years
How can I pay for this content?
full marks for professionalism and quality
you are awesome, thanks for all your efforts to make this video
Helped a lot in understanding the basics 🙏
Thanks for the great k8s content Marcel.
This is a wonderful piece of information. Thank you!❤
So detail,helps a lot for me ,thank you
Thank you SOO much! Great explanation!
Excellent example workshop, thank you a lot
So freaking awesome video!
Awesome content!
Love it! Thank you for explaining each command line argument, and more generally for explaining everything in such great detail. Keep doing that! Subscribed.
Amazing stuff from my no1 big guy out there :D
You are a wonderful teacher
Awesome stuff !!
GREAT video (as expected 🙂)
Top quality content ! thank you!
Thank you very much!
Thank you for making this video. It's really helpful.
If I may give some feedback, I'd suggest not to use too many cut-edits. A few seconds gap in between sentence can actually be helpful to your audiences as it lets your sentences sink in before processing the next ones. It would also feel more natural that way. At least for me. I think the gaps in between should be cut shorter only if they're too long in between.
Other than that, it's a very nice tutorial. Thanks again!
good stuff. thank you
Thank you, best content!
Thanks marsel. You explain very good👍👍
well done!
Great job! Could you also craft a similarly insightful introduction for operators and custom resource definitions?
Great Video
That's an amazing tutorial
Some of those use-cases has some built-in admission controllers though, like the one handling LimitRanges for default resource requests / limit. (it can be done with a webhook though)
It almost beat me, implemented it in C# but couldn't get k8s to call the mutate endpoint, simple as making the endpoint Post vs Get, guess Go doesn't discriminate. Cheers for all your content, keep flexing :D
Hi, this excellent video. Do you recommend use the kubebuilder, operator-sdk or prefere create the webhook manually? What's your experience with kubebuilder and operator-sdk?
Thanks for the tutoring. I was looking for Custom Notifications with Alert Manager’s Webhook Receiver in Kubernetes. I looked at your channel I couldn't find it. Have you created a tutorial about Custom Notifications with Alert Manager’s Webhook Receiver in Kubernetes? Thanks again.
kubectl create secret tls (with --dry-run / --dry-run=local) is another method to generate YAMLs for secrets. (The manual base64 encoding does make it clearer what is going on in there though)
(The tls secrets can also contain a ca.crt, which you can't get in with "kubectl create secret tls" though)
How do you add rate limit on the webhook, that's very important to do, otherwise your webhook will have multiple retries?
Thanks for this video....it really helpful while building mutatinghook...can you please advise how can we inject initcontainer using this code...I tried few options but getting errors "decode slice: expect [ or n, but found ", error found in #10 byte of ...|tainers":"image:busy|..., bigger context ...|irst","enableServiceLinks":true,"initContainers":"image:busybox","preemptionPolicy":"PreemptLowerPri|..."
Any advise would be helpful.
Great content plus I see the new theme for vscode love it!
👊🏽
Thank you - Could you make a video on Real Time Bidding stack (rtb4free) on kubernetes.
13:02 docker run ... webhook shell. Getting error: unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined
Same error...how should I fixed it?
I am getting same error, how to fix this?
If CNCF makes an animation movie on K8S, They should pick this guy for voice over.
👍
geat bro luv from pakistan.
Assuming most of the pods in my k8s cluster are deployed though stateful sets or deployments, the admission controller should mutate the sts/deployments instead of the pods, right? I'm assuming the sts controller would revert direct changes to pod specs.
Yes, correct, the mutation occurs before the object hits etcd, so you can mutate it before it saves to the database and gets applied by the sts controller
No, sts, ds, deploy, at the end of the day end up creating pods, so no need to target them specifically. The config he shows will work for all these, as long as the label used as selector is set on the pod template.
When did Arnold Schwalzneger start programing?
I'll be back
Hi , Thanks for the video . When trying to create demo-pod.yaml in step "Deploy a demo that needs mutation", it failed with an error "Error from server ( Internal Server ) : error when creating a demo -pod.yaml : faield called webhook "example-webhook.default.svc.clsuter.local: Post example-webhook.default.svc:443/mutate? =timeout=30s" Service unavaialble
kubectl logs example-webhook-589559c84-6179q
Error from server: Get ":port/containerLogs/default/example-webhook-589559c84-6179q/server/:" Service Unavailable
Do I need to create a policy to map Service ip with that of the fqdn "example-webhook.default.svc.clsuter.local" ?
Hello!Why when i use my own docker image (test/example-webhook:v1) the k8s tell me the error "ErrImageNeverPull", but the image(test/example-webhook:v1) is on my local machine.This has already perplexed me for a long time,can you give me some advices? Thank you very much!
This is because container runtimes default to "docker.registry.io" so you are asking for test/example-webhook:v1 which it will search on docker hub by default. If you are running kind or minikube you need to get the image copied into the cluster node for it to find it, or push it to your own registry and set an "imagePullSecret" on the pod spec to pull from another source
@@MarcelDempers I have used "docker build . -t test/example-hook:v1" on my machine and set imagePullPolicy to "Never" in deployment.yaml ,but when i use "kubectl apply -f deployment.yaml" to deploy pod,k8s still tells me there is no "test/example-hook:v1" presents on my machine。
My deploymnent.yaml configuration:
containers:
- name: test
image: test/example-webhook:v1
imagePullPolicy: Never
k8s error like this:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 7h19m default-scheduler Successfully assigned default/example-webhook-7967f857df-lgdvg to node3
Warning Failed 9m34s (x141 over 7h19m) kubelet Error: ErrImageNeverPull
Warning ErrImageNeverPull 4m36s (x164 over 7h19m) kubelet Container image "teste/example-webhook:v1" is not present with pull policy of Never
@@ch1ny076 This is because "test" is not a valid registry. you need to tag the image for a valid registry and push the image there. Kubernetes will look for "test" on Docker hub by default.
Alternatively you'll need to copy the image to the node by consulting the kind or minikube docs as mentioned before
Thank you for your reply!Your answer solved my problem perfectly!
7:10 i don't think you need tr for that, "base64 -w0" disables line wrapping.
On certain OS base64 packages, the -w flag is not supported.
You are right, it happens on my old macos.
I know some people understand this but this is soooooooo complicated for noobs like me. How does everything fit together?? I got so lost.
Don't feel too intimidated by this concept in Kubernetes. Building admission controllers is a pretty advanced topic and is a mechanism of extending the platform to build features on top of it.
For example, Ingress controllers, automated cert rotation services like lets encrypt , Vault integration and more.
The pieces of the puzzle is 1) your deployment with a service that has an endpoint that can receive an admission review request.
2) Define a Webhook YAML which tells kubernetes when and how to call your service. (tricky part is it needs TLS)
3) The debugging and logging is the trickiest part :)
Congrats, but I think there is a little mistake in the talk. This kind of webhooks does not intercept the request before it hits the API server, opposite, these webhooks kicked in after the request is authenticated and authorized by the API server but prior to persistence of the request to the etcd.
Got too overwhelming for me as a beginner