K8s API Admission Control and Policy

This post provides an overview of Admission Controllers in Kubernetes, including their implementation and usage. Third-party admission controllers can be integrated into kube-apiserver by implementing them as admission webhooks. Many policy engines have appeared in the community on top of admission webhooks. This post introduces two policy engines, OPA/Gatekeeper and Kyverno. Finally, it covers the official policy engine, ValidatingAdmissionPolicy.

Best Practices for Multi-Version K8s API Conversion

A well-designed K8s APIVersion usually goes through alpha, then beta, and finally stable, so API conversion is a natural requirement. This post provides best practices for multi-version API conversion. It describes in detail the difficulties of serving a multi-version API based on CRDs and how to solve them, and provides a Conversion Webhook Server implementation based on those best practices.

Choose Runtime-Style Frameworks for K8s apiserver Development with Care

apiserver-runtime itself is built on k8s.io/apiserver and adds enhancements on top of it. When a project needs flexible, custom policies, it inevitably has to use the underlying library directly. As a result, developers must learn an extra framework in addition to the k8s.io libraries. So why not use k8s.io/apiserver directly from the start?

Implementing a Minimal K8s apiserver

This post implements a minimal apiserver that follows the Kubernetes REST conventions in only about 500 lines of code. Whether run standalone or integrated into a K8s cluster, it supports kubectl create, get, update and delete operations. Experimenting with this apiserver hands-on is a good way to understand how K8s apiserver aggregation works and how kubectl interacts with the apiserver.

How K8s CustomResourceDefinitions (CRD) Work

K8s CustomResourceDefinition (CRD) gives users an out-of-the-box way to extend the REST API. The user only needs to create a CRD declaration, and kube-apiserver automatically serves a full-featured HTTP REST API and stores the Custom Resources directly in the backing store (usually etcd). This post proceeds from the basics to the internals: it first shows basic CRD usage and how kubectl interacts with the corresponding Custom API module, then digs into how CRDs are implemented inside kube-apiserver, and finally summarizes the pros and cons of the feature.

Enable Kubelet Serving Certificates in a Kubernetes Setup by kubeadm

Setting up a Kubernetes cluster with a newly deployed metrics server often results in the following error message: Failed to scrape node, err=Get https://172.18.0.3:10250/metrics/resource: x509: cannot validate certificate for 172.18.0.3 because it doesn't contain any IP SANs node=kind-worker. This can be frustrating. In this post, I will demonstrate how to solve this problem in KinD.