A Heart Rate Validating Admission Webhook in Kubernetes
I'm Tom Gallacher, a.k.a. @tomgco
Anatomy of Admission Webhooks
A Heart Rate Validating Admission Webhook
CardioOps
But how do I make it?
Validating Webhook Configuration
- Can be written in any language
  - For me, in Node.js
  - Running locally, but could use another cluster / Lambdas
- Must be TLS terminated
  - Yay!
- Can only be performed on CREATE, UPDATE, CONNECT or * operations
  - This means that we cannot validate requests such as reads and watches.
- Is broken on pod/exec and pod/port-forward as of v1.11.2
  - But this is a bug (some patches have been merged to master)
Let's wire it together
- Rules specify what to validate
- failurePolicy is either Ignore (fail open) or Fail (fail closed)
Finally we apply this to the cluster with: kubectl apply -f -

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: deny-heartrate
webhooks:
- name: deny-heartrate.yld.io
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - "v1"
    operations:
    - "CREATE"
    resources:
    - "pods"
  failurePolicy: Fail
  clientConfig:
    url: "https://192.168.99.1:8080"
    caBundle: "%%CERTIFICATE%%"
A sprinkle of JavaScript (or any language you want)
- Implement the Bluetooth GATT spec for heart rates: org.bluetooth.characteristic.heart_rate_measurement
- Hardcode to my specific device MAC (for now): d7046c50aa65
- Create an HTTPS server listening on 8080
- Respond with:
  { response: { allowed: false,
      status: { status: Failure, message: , reason: , code: 402 } } }
Step 1 - create some new pods and watch them fail!
Step 2 - start the server (set @200 BPM, hopefully I am not that nervous)
Step 3 - start the server (set @60 BPM, and my pod should create)
Step 4 - gate your Kubernetes resources based on your own heart rate* :D
*Not production ready
Conclusions
Many uses, why not give them a go?
Questions?
Tom Gallacher
@tomgco
@yldio


Editor's Notes

  • #5: There are two main admission webhook types. Mutating admission webhooks allow a webhook on a matched API request to change the content of a resource; an example of this could be modifying all pods at creation so that they are created with a specific label, hence the "mutating" part of the name. You could also use this to inject sidecar containers into pods.
  • #6: Validating admission webhooks allow us to validate these object schemas before persistence, allowing us to perform custom resource validation, from validating that all pods are labelled correctly to other, more extreme examples, which I will show you tonight.
  • #7: How about only allowing the creation of pods when an operator's heart rate is above a certain BPM threshold?
  • #8: I call it CardioOps.
  • #12: First up we need some hardware. I am currently wearing this, but others are available! (It uses Bluetooth.)