Most watchers of this video already know what "-v" does in a docker command. But even if there is only one who doesn't, the explanation pays off.
So I seriously love the fact that you go over every single command, explaining what and why is going on. That is exceptional level education right here.
Awesome man, your voice is so smooth. Top quality content, everything to the point, zero wastage.
Best content for Kubernetes out there! I actually used these videos to implement a cluster in my organisation. You are my hero!
I agree one of the best content for Kubernetes out there ! Thank you !
I will pay without hesitation if you make a course/training videos :)
I don't know how to explain it but your videos are like hypnosis :D , we follow from start to finish and understand everything !
My god. I just googled for admission controller hello world and got to this channel. Wow. So clear, so structured. This guy knows how to teach. And this is from a guy who has been teaching Linux for about 20 years.
How can I pay for this content?
This video helped me a lot in understanding AdmissionControllers. The way you explain things is brilliant!
Loved the way you structured the creation of the admission webhook, step by step... just following along with the video helped me understand the concept and literally not spend lots of time fixing unwanted issues due to setup as in other blogs... Thank you and I am your new fan :)
Dude, you are my hero! I do really enjoy watching your videos. I'm trying to get into the DevOps world and your videos are just amazing! Thank you for all the knowledge you share with us!
The quality of this video is top notch! Thank you very much for helping us learn and understand these concepts with practical examples. Love these videos!!!
13:02 docker run ... webhook shell. Getting error: unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined
Same error... how should I fix it?
I am getting same error, how to fix this?
Kudos to you sir! Very clear instructions and easy to follow, everything is well explained as well!
Thank you for putting this together.
Thanks a lot for this excellent video. I am currently facing the task to develop an admission controller, Your video is very helpful.
Awesome run-through of admission controllers - thank you - keep up the great work
Thank you for making this video. It's really helpful.
If I may give some feedback, I'd suggest not using too many cut-edits. A few seconds' gap in between sentences can actually be helpful to your audience as it lets your sentences sink in before processing the next ones. It would also feel more natural that way. At least for me. I think the gaps in between should be cut shorter only if they're too long.
Other than that, it's a very nice tutorial. Thanks again!
Fantastic content, some day this channel will be the gold standard for k8s development.
I realize this is a bit old now, but serious props, nice work.
This content is amazing. I am sure it took a long time to put it all together
thank you
just plain awesome !! the most detailed explanation ever seen in k8s tutorials
Thanks for the great k8s content Marcel.
I love this kind of content!! So inspiring. I enjoyed it very much. Thanks for sharing your advanced knowledge with us.
Hi, this is an excellent video. Do you recommend using kubebuilder or operator-sdk, or do you prefer to create the webhook manually? What's your experience with kubebuilder and operator-sdk?
Thanks for the tutoring. I was looking for Custom Notifications with Alert Manager’s Webhook Receiver in Kubernetes. I looked at your channel but couldn't find it. Have you created a tutorial about Custom Notifications with Alert Manager’s Webhook Receiver in Kubernetes? Thanks again.
Some of those use-cases have built-in admission controllers though, like the one handling LimitRanges for default resource requests / limits. (It can be done with a webhook though.)
Marcels is the man!!! Thank you so much!
full marks for professionalism and quality
Helped a lot in understanding the basics 🙏
Just the content I was looking for. Thanks for sharing your knowledge 👏🏼
Amazing stuff from my no1 big guy out there :D
you are awesome, thanks for all your efforts to make this video
Great job! Could you also craft a similarly insightful introduction for operators and custom resource definitions?
Stellar work, super impressive. You're the man Marcel 👑👌
So detailed, helps me a lot, thank you
This is a wonderful piece of information. Thank you!❤
You are a wonderful teacher
How do you add rate limit on the webhook, that's very important to do, otherwise your webhook will have multiple retries?
Thanks for this video... it's really helpful while building a mutating hook... can you please advise how we can inject an initContainer using this code... I tried a few options but am getting errors "decode slice: expect [ or n, but found ", error found in #10 byte of ...|tainers":"image:busy|..., bigger context ...|irst","enableServiceLinks":true,"initContainers":"image:busybox","preemptionPolicy":"PreemptLowerPri|..."
Any advice would be helpful.
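The decode error quoted above reports that the API server expected a JSON array ("[") for initContainers and found the string "image:busybox". As an added example (not code from the video or its repository), this standard-library Go function builds the AdmissionReview response with a JSON Patch whose value is a container object, or an array of them when the pod has no init containers yet. The names mutate, patchOp, the init-demo container and the sample request are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// patchOp is one RFC 6902 JSON Patch operation.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// mutate turns an AdmissionReview request body into a response that adds an init container.
func mutate(body []byte) ([]byte, error) {
	var in struct {
		Request struct {
			UID    string `json:"uid"`
			Object struct {
				Spec struct {
					InitContainers []json.RawMessage `json:"initContainers"`
				} `json:"spec"`
			} `json:"object"`
		} `json:"request"`
	}
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	if in.Request.UID == "" {
		return nil, fmt.Errorf("AdmissionReview has no request.uid")
	}
	c := map[string]interface{}{"name": "init-demo", "image": "busybox", "command": []string{"true"}} // hypothetical
	// Append to an existing list, or create it as an array of objects (never a string).
	op := patchOp{"add", "/spec/initContainers/-", c}
	if len(in.Request.Object.Spec.InitContainers) == 0 {
		op = patchOp{"add", "/spec/initContainers", []interface{}{c}}
	}
	patch, _ := json.Marshal([]patchOp{op}) // cannot fail for these plain types
	return json.Marshal(map[string]interface{}{
		"apiVersion": "admission.k8s.io/v1",
		"kind":       "AdmissionReview",
		"response": map[string]interface{}{
			"uid": in.Request.UID, "allowed": true,
			"patchType": "JSONPatch", "patch": patch, // []byte is base64-encoded by encoding/json
		},
	})
}

func main() {
	// Constructed sample request: a pod that has no initContainers yet.
	req := `{"request":{"uid":"demo-uid","object":{"spec":{"containers":[{"name":"app","image":"nginx"}]}}}}`
	out, err := mutate([]byte(req))
	fmt.Println(string(out), err)
}
```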
Love it! Thank you for explaining each command line argument, and more generally for explaining everything in such great detail. Keep doing that! Subscribed.
GREAT video (as expected 🙂)
So freaking awesome video!
Assuming most of the pods in my k8s cluster are deployed through stateful sets or deployments, the admission controller should mutate the sts/deployments instead of the pods, right? I'm assuming the sts controller would revert direct changes to pod specs.
Yes, correct, the mutation occurs before the object hits etcd, so you can mutate it before it saves to the database and gets applied by the sts controller
No, sts, ds, deploy, at the end of the day end up creating pods, so no need to target them specifically. The config he shows will work for all these, as long as the label used as selector is set on the pod template.
It almost beat me, implemented it in C# but couldn't get k8s to call the mutate endpoint, simple as making the endpoint Post vs Get, guess Go doesn't discriminate. Cheers for all your content, keep flexing :D
Thank you, best content!
Thanks Marcel. You explain very well👍👍
7:10 I don't think you need tr for that, "base64 -w0" disables line wrapping.
On certain OS base64 packages, the -w flag is not supported.
You are right, it happens on my old macos.
Thank you SOO much! Great explanation!
Hello! Why, when I use my own docker image (test/example-webhook:v1), does k8s give me the error "ErrImageNeverPull", even though the image (test/example-webhook:v1) is on my local machine? This has perplexed me for a long time, can you give me some advice? Thank you very much!
This is because container runtimes default to "docker.registry.io" so you are asking for test/example-webhook:v1 which it will search on docker hub by default. If you are running kind or minikube you need to get the image copied into the cluster node for it to find it, or push it to your own registry and set an "imagePullSecret" on the pod spec to pull from another source
@MarcelDempers I have used "docker build . -t test/example-hook:v1" on my machine and set imagePullPolicy to "Never" in deployment.yaml, but when I use "kubectl apply -f deployment.yaml" to deploy the pod, k8s still tells me there is no "test/example-hook:v1" present on my machine.
My deployment.yaml configuration:
containers:
- name: test
  image: test/example-webhook:v1
  imagePullPolicy: Never
k8s error like this:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 7h19m default-scheduler Successfully assigned default/example-webhook-7967f857df-lgdvg to node3
Warning Failed 9m34s (x141 over 7h19m) kubelet Error: ErrImageNeverPull
Warning ErrImageNeverPull 4m36s (x164 over 7h19m) kubelet Container image "teste/example-webhook:v1" is not present with pull policy of Never
@ch1ny076 This is because "test" is not a valid registry. You need to tag the image for a valid registry and push the image there. Kubernetes will look for "test" on Docker hub by default.
Alternatively you'll need to copy the image to the node by consulting the kind or minikube docs as mentioned before.
Thank you for your reply! Your answer solved my problem perfectly!
kubectl create secret tls (with --dry-run / --dry-run=local) is another method to generate YAMLs for secrets. (The manual base64 encoding does make it clearer what is going on in there though)
(The tls secrets can also contain a ca.crt, which you can't get in with "kubectl create secret tls" though)
Awesome content!
Thank you - Could you make a video on Real Time Bidding stack (rtb4free) on kubernetes.
Top quality content ! thank you!
That's an amazing tutorial
Awesome stuff !!
If CNCF makes an animation movie on K8S, They should pick this guy for voice over.
Thank you very much!
Great Video
good stuff. thank you
well done!
Hi, thanks for the video. When trying to create demo-pod.yaml in step "Deploy a demo that needs mutation", it failed with an error "Error from server ( Internal Server ) : error when creating a demo -pod.yaml : faield called webhook "example-webhook.default.svc.clsuter.local: Post example-webhook.default.svc:443/mutate? =timeout=30s" Service unavaialble
kubectl logs example-webhook-589559c84-6179q
Error from server: Get ":port/containerLogs/default/example-webhook-589559c84-6179q/server/:" Service Unavailable
Do I need to create a policy to map Service ip with that of the fqdn "example-webhook.default.svc.clsuter.local" ?
God damn this is good, jeebus.
Great content plus I see the new theme for vscode love it!
👊🏽
When did Arnold Schwarzenegger start programming?
I'll be back
Great bro, love from Pakistan.
Congrats, but I think there is a little mistake in the talk. These kinds of webhooks do not intercept the request before it hits the API server; on the contrary, these webhooks kick in after the request is authenticated and authorized by the API server but prior to persistence of the request to etcd.
I know some people understand this but this is soooooooo complicated for noobs like me. How does everything fit together?? I got so lost.
Don't feel too intimidated by this concept in Kubernetes. Building admission controllers is a pretty advanced topic and is a mechanism of extending the platform to build features on top of it.
For example, Ingress controllers, automated cert rotation services like Let's Encrypt, Vault integration and more.
The pieces of the puzzle are 1) your deployment with a service that has an endpoint that can receive an admission review request.
2) Define a Webhook YAML which tells Kubernetes when and how to call your service. (The tricky part is it needs TLS.)
3) The debugging and logging is the trickiest part :)
👍
Got too overwhelming for me as a beginner