DEV Community: Felipe Espinoza The latest articles on DEV Community by Felipe Espinoza (@fdns). https://dev.to/fdns https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F612500%2Ff9285120-9431-463a-b562-6c7c2b33df5b.jpeg DEV Community: Felipe Espinoza https://dev.to/fdns en Writing a Kubernetes Admission Controller Felipe Espinoza Sun, 11 Apr 2021 16:05:13 +0000 https://dev.to/fdns/writing-a-kubernetes-admission-controller-4eko https://dev.to/fdns/writing-a-kubernetes-admission-controller-4eko <p>With the deprecation of <a href="https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/" rel="noopener noreferrer">PSP</a> on Kubernetes v1.21, we will have to migrate to other methods to control the resource permissions in a cluster.</p> <p>One case that I wanted to handle was running an untrusted job in a cluster, to help review student’s homework and leveraging kubernetes for resource allocation and security. Here we will explore how to develop a new admission controller, that will verify the fields of new jobs on a given namespace are secure enough to run untrusted code in a safe way.</p> <h1> Recommended policy enforcement applications </h1> <p>If you want to start defining policies for a production cluster, you will probably want to use a ready to use application, which have predefined policies, and setup custom policies easily by using custom resources. Some of them are:</p> <ul> <li><a href="https://github.com/kyverno/kyverno" rel="noopener noreferrer">Kyverno</a></li> <li><a href="https://github.com/open-policy-agent/gatekeeper" rel="noopener noreferrer">OPA/Gatekeeper</a></li> <li><a href="https://github.com/cruise-automation/k-rail" rel="noopener noreferrer">k-rail</a></li> </ul> <h1> Cluster requirements </h1> <p>The api-server must have the plugin <strong>ValidatingAdmissionWebhook</strong> enabled (If you want to modify the resources, you also need <strong>MutatingAdmissionWebhook</strong>). Note that these plugins are disabled by default in a kind cluster.</p> <h1> Application goal </h1> <p>In our example, we will write a validating admission webhook (So we will not modify the resource) that will check new jobs created in a namespace, verifying as many security options of the pod as we can (running as non-root, using gvisor as sandbox, and many others). The target container image that we are targeting is an untrusted job that can be potentially malicious.</p> <h1> Writing the admission controller </h1> <p>Our admission controller will be written in <strong>Go</strong>, but you can use any language you know as the api use normal https json requests.</p> <p>I will be trimming some of the code to make it more readable. The full source code can be found at <a href="https://github.com/fdns/simple-admission" rel="noopener noreferrer">https://github.com/fdns/simple-admission</a></p> <h2> Listening to admission requests </h2> <p>First, we will need to create a HTTPS listener (TLS is mandatory). You can use any http path to serve the requests, but you must update the manifest afterwards with the correct location when we define the ValidatingAdmissionWebhook.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// ...</span> <span class="n">certs</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">tls</span><span class="o">.</span><span class="n">LoadX509KeyPair</span><span class="p">(</span><span class="n">certFile</span><span class="p">,</span> <span class="n">keyFile</span><span class="p">)</span> <span class="n">server</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Server</span><span class="p">{</span> <span class="n">Addr</span><span class="o">:</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">":%v"</span><span class="p">,</span> <span class="n">port</span><span class="p">),</span> <span class="n">TLSConfig</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">tls</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">Certificates</span><span class="o">:</span> <span class="p">[]</span><span class="n">tls</span><span class="o">.</span><span class="n">Certificate</span><span class="p">{</span><span class="n">certs</span><span class="p">},</span> <span class="p">},</span> <span class="p">}</span> <span class="c">// Define server handler</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">AdmissionHandler</span><span class="p">{</span> <span class="n">RuntimeClass</span><span class="o">:</span> <span class="n">runtimeClass</span><span class="p">,</span> <span class="p">}</span> <span class="n">mux</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewServeMux</span><span class="p">()</span> <span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/validate"</span><span class="p">,</span> <span class="n">handler</span><span class="o">.</span><span class="n">handler</span><span class="p">)</span> <span class="n">server</span><span class="o">.</span><span class="n">Handler</span> <span class="o">=</span> <span class="n">mux</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Listening on port %v"</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">server</span><span class="o">.</span><span class="n">ListenAndServeTLS</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="s">""</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Failed to listen and serve webhook server: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="p">}()</span> <span class="c">// Listen to the shutdown signal</span> <span class="n">signalChan</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">(</span><span class="k">chan</span> <span class="n">os</span><span class="o">.</span><span class="n">Signal</span><span class="p">,</span> <span class="m">1</span><span class="p">)</span> <span class="n">signal</span><span class="o">.</span><span class="n">Notify</span><span class="p">(</span><span class="n">signalChan</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">SIGINT</span><span class="p">,</span> <span class="n">syscall</span><span class="o">.</span><span class="n">SIGTERM</span><span class="p">)</span> <span class="o">&lt;-</span><span class="n">signalChan</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Shutting down webserver"</span><span class="p">)</span> <span class="n">server</span><span class="o">.</span><span class="n">Shutdown</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span> <span class="p">}</span> </code></pre> </div> <h2> Handling admission request </h2> <p>When receiving the request, you must load the body as an AdmissionReview object. This object contains all the information of the objects that is being created.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="n">admission</span> <span class="s">"k8s.io/api/admission/v1beta1"</span> <span class="n">batchv1</span> <span class="s">"k8s.io/api/batch/v1"</span> <span class="n">k8meta</span> <span class="s">"k8s.io/apimachinery/pkg/apis/meta/v1"</span> <span class="p">)</span> <span class="k">func</span> <span class="p">(</span><span class="n">handler</span> <span class="o">*</span><span class="n">AdmissionHandler</span><span class="p">)</span> <span class="n">handler</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">body</span> <span class="p">[]</span><span class="kt">byte</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Body</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">data</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">ioutil</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">body</span> <span class="o">=</span> <span class="n">data</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Error %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Error reading body"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> <span class="n">request</span> <span class="o">:=</span> <span class="n">admission</span><span class="o">.</span><span class="n">AdmissionReview</span><span class="p">{}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">request</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Error parsing body %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Error parsing body"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">result</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">checkRequest</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">handler</span><span class="p">)</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <h2> Validating the request </h2> <p>In the <strong>checkRequest</strong> function, we will check if we can handle the resource, verifying the resource group, kind, operation and namespace.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">checkRequest</span><span class="p">(</span><span class="n">request</span> <span class="o">*</span><span class="n">admission</span><span class="o">.</span><span class="n">AdmissionRequest</span><span class="p">,</span> <span class="n">handler</span> <span class="o">*</span><span class="n">AdmissionHandler</span><span class="p">)</span> <span class="p">(</span><span class="kt">bool</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">RequestKind</span><span class="o">.</span><span class="n">Group</span> <span class="o">!=</span> <span class="s">"batch"</span> <span class="o">||</span> <span class="n">request</span><span class="o">.</span><span class="n">RequestKind</span><span class="o">.</span><span class="n">Kind</span> <span class="o">!=</span> <span class="s">"Job"</span> <span class="o">||</span> <span class="n">request</span><span class="o">.</span><span class="n">Operation</span> <span class="o">!=</span> <span class="s">"CREATE"</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Skipped resource [%v,%v,%v], check rules to exclude this resource"</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">RequestKind</span><span class="o">.</span><span class="n">Group</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">RequestKind</span><span class="o">.</span><span class="n">Kind</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">Operation</span><span class="p">)</span> <span class="k">return</span> <span class="no">true</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>The resource body (In our case, a Job) must un unmarshal again before we can verify the parameters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">var</span> <span class="n">job</span> <span class="o">*</span><span class="n">batchv1</span><span class="o">.</span><span class="n">Job</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">Object</span><span class="o">.</span><span class="n">Raw</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">job</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Error parsing job %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="no">true</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">checkJob</span><span class="p">(</span><span class="n">job</span><span class="p">,</span> <span class="n">handler</span><span class="p">)</span> </code></pre> </div> <h2> Checking the resource </h2> <p>On the <strong>checkJob</strong>, we will have full access to the resource parameters. Most of the parameters that are not defined will be <strong>nil</strong>, so you must verify that the parameters is defined before getting its value.</p> <p>I will copy some of the rules as an example, and the full list that I defined can be found <a href="https://github.com/fdns/simple-admission/blob/e09fb1676442122e8518547f20dedf12332ea061/serve.go#L97" rel="noopener noreferrer">here</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">checkJob</span><span class="p">(</span><span class="n">request</span> <span class="o">*</span><span class="n">batchv1</span><span class="o">.</span><span class="n">Job</span><span class="p">,</span> <span class="n">handler</span> <span class="o">*</span><span class="n">AdmissionHandler</span><span class="p">)</span> <span class="p">(</span><span class="kt">bool</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">Spec</span><span class="o">.</span><span class="n">ActiveDeadlineSeconds</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="o">*</span><span class="n">request</span><span class="o">.</span><span class="n">Spec</span><span class="o">.</span><span class="n">ActiveDeadlineSeconds</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"activeDeadlineSeconds must be set"</span><span class="p">)</span> <span class="p">}</span> <span class="n">spec</span> <span class="o">:=</span> <span class="n">request</span><span class="o">.</span><span class="n">Spec</span><span class="o">.</span><span class="n">Template</span><span class="o">.</span><span class="n">Spec</span> <span class="k">if</span> <span class="n">spec</span><span class="o">.</span><span class="n">RuntimeClassName</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="o">*</span><span class="n">spec</span><span class="o">.</span><span class="n">RuntimeClassName</span> <span class="o">!=</span> <span class="n">handler</span><span class="o">.</span><span class="n">RuntimeClass</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"wrong RuntimeClass %v is set for job %v, must be %v"</span><span class="p">,</span> <span class="n">spec</span><span class="o">.</span><span class="n">RuntimeClassName</span><span class="p">,</span> <span class="n">request</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">handler</span><span class="o">.</span><span class="n">RuntimeClass</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">spec</span><span class="o">.</span><span class="n">HostNetwork</span> <span class="o">!=</span> <span class="no">false</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"HostNetwork must not be set"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">spec</span><span class="o">.</span><span class="n">SecurityContext</span> <span class="o">!=</span> <span class="no">nil</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">spec</span><span class="o">.</span><span class="n">SecurityContext</span><span class="o">.</span><span class="n">Sysctls</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Sysctls must be empty"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// ...</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">container</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">spec</span><span class="o">.</span><span class="n">Containers</span> <span class="p">{</span> <span class="k">if</span> <span class="n">container</span><span class="o">.</span><span class="n">SecurityContext</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"SecurityContext must be set for the container"</span><span class="p">)</span> <span class="p">}</span> <span class="n">context</span> <span class="o">:=</span> <span class="o">*</span><span class="n">container</span><span class="o">.</span><span class="n">SecurityContext</span> <span class="k">if</span> <span class="n">context</span><span class="o">.</span><span class="n">RunAsNonRoot</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="o">*</span><span class="n">context</span><span class="o">.</span><span class="n">RunAsNonRoot</span> <span class="o">!=</span> <span class="no">true</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"RunAsNonRoot must be set per container"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// ...</span> <span class="p">}</span> <span class="k">return</span> <span class="no">true</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h2> Returning to the api-server </h2> <p>After doing all the validations, you must return an <strong>AdmissionResponse</strong> object that is json encoded. In this object we will define if the objects is allowed or not in our cluster. We can also append a message that will be displayed when the resource is not allowed, so the developer can fix the resource according to the conditions you define.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">result</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">checkRequest</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">handler</span><span class="p">)</span> <span class="n">response</span> <span class="o">:=</span> <span class="n">admission</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">UID</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="n">Request</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">Allowed</span><span class="o">:</span> <span class="n">result</span><span class="p">,</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">response</span><span class="o">.</span><span class="n">Result</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">k8meta</span><span class="o">.</span><span class="n">Status</span><span class="p">{</span> <span class="n">Message</span><span class="o">:</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%v"</span><span class="p">,</span> <span class="n">err</span><span class="p">),</span> <span class="n">Reason</span><span class="o">:</span> <span class="n">k8meta</span><span class="o">.</span><span class="n">StatusReasonUnauthorized</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="n">outReview</span> <span class="o">:=</span> <span class="n">admission</span><span class="o">.</span><span class="n">AdmissionReview</span><span class="p">{</span> <span class="n">TypeMeta</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="n">TypeMeta</span><span class="p">,</span> <span class="n">Request</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">Response</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">response</span><span class="p">,</span> <span class="p">}</span> <span class="n">json</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">outReview</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"Error encoding response %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">json</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Error writing response %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"Error writing response: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Building our project </h2> <p>As this is a standard go project, you can use a very simple Dockerfile to create the image. This image can be built by running <em>docker build . --tag fdns/simple-admission:latest</em> (You can change the tag to the one you like).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FROM golang:1.16.2 as builder WORKDIR $GOPATH/src/github.com/fdns/simple-admission COPY go.mod . COPY go.sum . RUN go mod download COPY . . RUN CGO_ENABLED=0 go build -o /go/bin/simple-admission FROM scratch COPY --from=builder /go/bin/simple-admission /go/bin/simple-admission ENTRYPOINT ["/go/bin/simple-admission"] </code></pre> </div> <p>The only thing left is uploading it to our cluster.</p> <h1> Uploading controller to a kubernetes cluster </h1> <h2> Create TLS certificates </h2> <p>As the webhook require the use of HTTPS to work, we can create our own CA and certificate for the controller. The CA keys can be dropped as soon as we sign the client certificate, as the CA bundle is included in the ValidatingAdmissionWebhook object.</p> <p>As the requests will come from a service object, you will want to define as altnames in the certificate all the variations to call the services. In the configuration, this will look as something like the following.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[alt_names] DNS.1 = ${service} DNS.2 = ${service}.${namespace} DNS.3 = ${service}.${namespace}.svc </code></pre> </div> <p>To stop copying so much code, you can find a simple script to generate the certificate at <a href="https://github.com/fdns/simple-admission/blob/master/generate_certs.sh" rel="noopener noreferrer">https://github.com/fdns/simple-admission/blob/master/generate_certs.sh</a>, which we will call with the service name and namespace of our admission controller (For example, <em>./generate_certs.sh simple-admission default</em>).</p> <p>The generated certificates must be mounted as a secret, as we will need to mount them in our application (save the <strong>ca.pem</strong> file as we will need it later).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="kc">null</span> <span class="na">name</span><span class="pi">:</span> <span class="s">admission-certs</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">data</span><span class="pi">:</span> <span class="na">server-key.pem</span><span class="pi">:</span> <span class="s">$(cat certs/server-key.pem | base64 | tr -d '\n')</span> <span class="na">server.pem</span><span class="pi">:</span> <span class="s">$(cat certs/server.crt | base64 | tr -d '\n')</span> </code></pre> </div> <h2> Creating the service and webhook </h2> <p>You can create the deployment and services the same way as any other deployment in your cluster. Here it is recommended to increase the replica count to increase the availability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">name</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">strategy</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">image</span><span class="pi">:</span> <span class="s">fdns/simple-admission:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">admission-certs</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/certs</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">admission-certs</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">admission-certs</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="kc">null</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">name</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">443-8443</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <h2> Creating the ValidatingAdmissionWebhook </h2> <p>Finally, we will create the <strong>ValidatingAdmissionWebhook</strong>. We can define multiple webhooks, where in each one we must tell kubernetes the service, path and CA to send the request to the admission controller. For each one we can define the rules to filter the requests that are sent to our controller, where in this case we will filter for <strong>jobs</strong> resources in namespaces <strong>labeled</strong> with the name default (the namespace <strong>MUST</strong> be labeled in our example).</p> <p>In case you want to audit your webook before applying it to your cluster, you can change the failurePolicy from <strong>Fail</strong> to <strong>Ignore</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">admissionregistration.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ValidatingWebhookConfiguration</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">simple-admission.default.cluster.local</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">webhooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">simple-admission.default.cluster.local</span> <span class="na">clientConfig</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">simple-admission</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/validate"</span> <span class="na">caBundle</span><span class="pi">:</span> <span class="s">$(cat certs/ca.pem | base64 | tr -d '\n')</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">batch"</span><span class="pi">]</span> <span class="na">apiVersions</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">v1"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">jobs"</span><span class="pi">]</span> <span class="na">operations</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CREATE"</span><span class="pi">]</span> <span class="na">scope</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">name</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">default"</span><span class="pi">]</span> <span class="na">admissionReviewVersions</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">v1"</span><span class="pi">]</span> <span class="na">sideEffects</span><span class="pi">:</span> <span class="s">None</span> <span class="na">failurePolicy</span><span class="pi">:</span> <span class="s">Fail</span> </code></pre> </div> <h2> Testing our admission controller </h2> <p>To the newly applied admission controller, you can simply try to create a basic job running <em>kubectl create job test --image busybox</em>, which in our case will output the following message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>error: failed to create job: admission webhook "simple-admission.default.cluster.local" denied the request: activeDeadlineSeconds must be set </code></pre> </div> <h1> Conclusions </h1> <p>Creating an admission controller is not difficult, but making sure all the parameters to make your containers secure is a difficult task, as not all fields are generally known, and new fields must be taken into account when kubernetes release a new version.</p> <p>When creating a new admission controller, you should try to target a single problem, like image verification or single fields of the resources like runtimeClass over your cluster. In case you need more complex rules, the use of the already available admission controllers is recommended, as you can define the rules in your own CRD and allow you to iterate faster (some of them have audit mode so you can check your cluster before enforcing a rule).</p> kubernetes docker go