pod-exec-guard-kubewebhook-tutorial

Introduction

This is a tutorial that shows how to develop a Kubernetes admission webhook.

To explain this, the tutorial is split in 5 videos.

We will create a webhook from scratch that will try to recreate the webhook that this post describes.

The problem to solve

When a user makes an exec operation on a pod, we mark that pod and set a TTL, when that TTL expires, the pod will be deleted.

The tutorial is based on kubewebhook to develop the webhook, and uses kube-janitor to delete the pods after a specific TTL expires.

Disclaimer

• The webhook it is not production ready.
• Its just made as a tutorial step by step.
• It would need more structure, tests, docs, metrics...

Content

• Watch video 1 (Download)
  • Introduction and context.
• Watch video 2 (Download)
  • Create app structure
  • Create webhook without domain logic using kubewebhook.
  • Running application.
• Watch video 3 (Download)
  • Set up dev environment (dev cluster with kind, certs with mkcert, tunnels with ngrok, webhook registration).
  • End-2-end manual testing to check webhook is being called.
• Watch video 4 (Download)
  • Implement domain logic of webhook (Marking pod as drifted)
  • End-2-end manual testing to check webhook is marking pods.
• Watch video 5 (Download)
  • Deploy Kube-janitor.
  • Implement domain logic of webhook (Marking pod with expiration time).
  • End-2-end manual testing to check webhook sets expiration and kube-janitor deletes.