Daniele Polencic — @danielepolencic@hachyderm.io

@danielepolencic

11 Tweets 2 reads Mar 21, 2023
THREAD: How does the Kubernetes API work?
The Kubernetes API is made of several smaller components.
In this thread you will learn about the component involved in storing resources into etcd.
1/10
When you type kubectl apply -f my.yaml, your YAML is sent to the API and stored in etcd.
But what is the API doing?
2/10
The API is a single block in the diagram, but in reality several components are involved in processing your request.
The first component in the API is the HTTP handler.
You can think of it as a web server ready to receive HTTP requests:
3/10
In that part, the API has to make sure that:
- You have access to the cluster (authentication)
- You can create, delete, list, etc. resources (authorisation)
This is the part where the RBAC rules are evaluated.
4/10
So you're authenticated and you can create Pods, what's next?
The API passes the request to the Mutating Admission Controller.
This component is in charge of looking at your YAML and modifying it.
For example, it could add a default storage class if you forgot one.
5/10
After all modifications, does the Pod still look like a Pod?
The Schema Validation component makes sure that the resource is valid against the internal schema.
You don't want malformed YAML to be stored in the cluster.
6/10
If you tried to deploy a Pod in a namespace that doesn't exist, who stops you?
The Validation Admission Controller stops you.
Are you trying to deploy more resources than your Quota?
The controller stops you again.
7/10
If you managed to pass the Validation Admission Controller, your resource is safely stored in etcd.
Well done!
Now that you know about the Mutating Admission Controller, wouldn't it be great if you could design your own?
Good news, you can.
8/10
You can register your own scripts with the Mutating Admission Controller.
You can do the same with the Validating Admission Controller.
You can design your own checks and decide whether a resource should be rejected before it reaches etcd.
9/10
Two excellent examples of custom Admission controllers:
- Istio automatically injects an extra container to all Pods (mutation)
- Gatekeeper (Open Policy Agent) checks your resources against policies and reports violations (validation)
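As an added example (not code from this thread, from Istio or from Gatekeeper), here is a standard-library-only Go sketch of the two hooks described in 5/10, 7/10, 9/10 and 10/10: a mutating function that patches a label into the Pod, a validating function that rejects Pods that don't meet a policy, and the envelope handling that turns an incoming AdmissionReview into the response the API server expects. The AdmissionReview types are a hand-declared subset of the real schema, and the label key example-injected, the two policy rules and the sample requests are all constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the admission.k8s.io/v1 AdmissionReview types, declared inline so only the standard library is needed (assumption: just the fields used here).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the resource exactly as the API server sees it
}
type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	Result    *Status `json:"status,omitempty"`
	PatchType string  `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json base64-encodes this, as the API expects
}
type Status struct{ Message string `json:"message,omitempty"`; Code int32 `json:"code,omitempty"` }

// Only the Pod fields the two webhooks inspect; the decoder ignores everything else.
type pod struct {
	Metadata struct {
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
	Spec struct {
		Containers []struct {
			Name            string                                         `json:"name"`
			SecurityContext *struct{ Privileged *bool `json:"privileged"` } `json:"securityContext"`
			Resources       struct{ Limits map[string]string `json:"limits"` } `json:"resources"`
		} `json:"containers"`
	} `json:"spec"`
}

func deny(uid, msg string, code int32) *AdmissionResponse {
	return &AdmissionResponse{UID: uid, Allowed: false, Result: &Status{Message: msg, Code: code}}
}

// mutate is the Istio-style step: it never rejects, it only returns a JSON Patch adding a label (hypothetical key).
func mutate(req *AdmissionRequest) (*AdmissionResponse, error) {
	var p pod
	if err := json.Unmarshal(req.Object, &p); err != nil {
		return nil, err
	}
	op := map[string]interface{}{"op": "add", "path": "/metadata/labels/example-injected", "value": "true"}
	if p.Metadata.Labels == nil {
		// JSON Patch cannot add a key under a missing object, so create the labels map instead.
		op = map[string]interface{}{"op": "add", "path": "/metadata/labels", "value": map[string]string{"example-injected": "true"}}
	}
	patch, _ := json.Marshal([]map[string]interface{}{op}) // literal of plain strings, cannot fail
	return &AdmissionResponse{UID: req.UID, Allowed: true, PatchType: "JSONPatch", Patch: patch}, nil
}

// validate is the Gatekeeper-style step: reject privileged containers and missing memory limits.
func validate(req *AdmissionRequest) (*AdmissionResponse, error) {
	var p pod
	if err := json.Unmarshal(req.Object, &p); err != nil {
		return nil, err
	}
	for _, c := range p.Spec.Containers {
		if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
			return deny(req.UID, fmt.Sprintf("container %q must not be privileged", c.Name), 403), nil
		}
		if _, ok := c.Resources.Limits["memory"]; !ok {
			return deny(req.UID, fmt.Sprintf("container %q has no memory limit", c.Name), 403), nil
		}
	}
	return &AdmissionResponse{UID: req.UID, Allowed: true}, nil
}

// review decodes one AdmissionReview, runs fn and returns the envelope the API server expects back.
func review(body []byte, fn func(*AdmissionRequest) (*AdmissionResponse, error)) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview: request missing or undecodable (%v)", err)
	}
	resp, err := fn(in.Request)
	if err != nil { // fail closed: a webhook error is a denial, never an implicit allow
		resp = deny(in.Request.UID, err.Error(), 400)
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// Constructed sample requests (not captured from a real cluster).
const privilegedPodReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"abc-123","object":{"metadata":{"name":"web"},"spec":{"containers":[{"name":"app","securityContext":{"privileged":true}}]}}}}`
const compliantPodReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"abc-456","object":{"metadata":{"name":"web","labels":{"app":"web"}},"spec":{"containers":[{"name":"app","resources":{"limits":{"memory":"128Mi"}}}]}}}}`

func main() {
	out, _ := review([]byte(privilegedPodReview), validate)
	fmt.Println(out.Response.Allowed, out.Response.Result.Message)
}
```

Each of mutate and validate is what sits behind the HTTPS endpoint that a MutatingWebhookConfiguration or ValidatingWebhookConfiguration points at: the API server POSTs the AdmissionReview, and review hands back the same envelope carrying the verdict. Two details are worth keeping when you write your own: the response echoes the request's UID (the API server discards a mismatch), and an internal error becomes a denial rather than an allow, so a crashing check cannot silently wave a resource through to etcd.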
10/10
If you wish to explore more, check out this article on custom admission controllers banzaicloud.com
Also @echorand is about to publish an article on the Learnk8s blog about custom validation checks. Subscribe to the Learnk8s newsletter here learnk8s.io
