The latest articles on Forem by Muaaz Saleem (@muaazsaleem). https://forem.com/muaazsaleem https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F509311%2F4ef7a8a3-0887-48f2-8dd2-6e1575f6d679.jpeg https://forem.com/muaazsaleem en Muaaz Saleem Sun, 17 Jan 2021 17:40:17 +0000 https://forem.com/muaazsaleem/3-principles-i-wanna-apply-at-work-in-2021-676 https://forem.com/muaazsaleem/3-principles-i-wanna-apply-at-work-in-2021-676 <p>I'm a big fan of goals. They can be really motivating, especially when I have a lot of control over how I go about achieving them. I've been struggling with having productive S.M.A.R.T goals at work though.</p> <p>So this year I'm trying out something new. Instead of any specific goals, I hope to apply these three principles to the challenges that I come upon professionally.</p> <h3> Accept the Chaos </h3> <p>A job as a Site Reliability Engineer is an adventure at best and total mayhem on the, not so best, days. There are of course, ideals of minimizing interruptions and reliable planning that we embrace but I think it's healthy to accept that at least some chaos is just part of the job. </p> <h3> Embrace Spontaneity </h3> <p>Sometimes I hear about a project or an idea and I just completely fall in love with it. I just can't shake its sheer possibility. This year, I wanna let myself do that more often! If some chaos comes with the gig then making the best of an exciting opportunity seems like the best way to grow.</p> <h3> Reduce Work In Progress </h3> <p>After we begin a project and before we ship it to our users, there's work in progress. Every project is a work in progress for a period, some for longer than others. </p> <p>Some Work In Progress is good for me! It means we're working on non-trivial stuff. It also helps me to have a few things in progress, so when I'm stuck on or bored/tired of a project for the day, I can switch to another fairly productive thing. </p> <p>Too much work in progress is bad for me! I have to switch between projects too often and I usually don't make enough progress on any single one.</p> <h3> Excited to look back </h3> <p>I'm excited to look back at this commitment and see the effect that it would've had on my professional life!</p> career Muaaz Saleem Sun, 17 Jan 2021 17:38:21 +0000 https://forem.com/muaazsaleem/pros-and-cons-of-using-client-go-in-kubernetes-controllers-25fa https://forem.com/muaazsaleem/pros-and-cons-of-using-client-go-in-kubernetes-controllers-25fa <p>When writing a kubernetes controller I often use <a href="https://github.com/kubernetes/client-go">client-go</a> to talk to the Kubernetes API. I'm beginning to realize though, that client-go isn't always the best approach, sometimes it can be simpler to use a hand rolled HTTP client, based on go's <code>net/http</code> package.</p> <p>Today, I want to share some of the Pros &amp; Cons of using client-go, as I understand them, in Kubernetes controllers or other go applications.</p> <h3> Pros of using client-go </h3> <h4> Helpful Utilities </h4> <p>client-go comes with helpful utilities e.g to create in-cluster or out-of-cluster kubeconfig and authenticate against the API Server i.e <code>kubernetes.NewForConfig</code> and <code>clientcmd.BuildConfigFromFlags</code> respectively. </p> <p>I end up using these in every Kubernetes app that I write.</p> <h3> Implementations for all kubernetes API Objects </h3> <p>I find unmarshalling kubernetes resources from JSON to go, pretty cumbersome, particularly if I need to access a deeply nested field e.g reading the <code>replicas</code> from the <code>status</code> of a <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#deployment-v1-apps">Deployment</a> object.</p> <p>client-go handles marhsalling/unmarshalling of all <a href="https://github.com/kubernetes/client-go/#compatibility-your-code---client-go">compatible</a> Kubernetes resources out of the box. So that's a big help.</p> <h3> Powerful abstractions for common use casses </h3> <p>Common use cases such as watching resources or testing API calls are well supported with abstractions like <a href="https://github.com/kubernetes/client-go/tree/master/examples/workqueue">Shared Informers</a> and <a href="https://github.com/kubernetes/client-go/tree/master/examples/fake-client">fake-client</a>.</p> <h3> Cons of using client-go </h3> <h4> Cognitive Overload </h4> <p>This by far the biggest frustration I have when using client-go. Just figuring out the right <code>k8s.io/api</code> &amp; <code>k8s.io/api-machinery</code> dependencies to match my <code>k8s.io/client-go</code> version used to be a struggle. Thankfully with go modules and the new <a href="https://github.com/kubernetes/client-go#versioning">versioning scheme</a> that's really improved.</p> <p>I still get lost in all the imports regularly, with the sheer no. of structs and interfaces, it's not always clear if I actually need everything I'm importing. Integration tests written with the fake client can also be daunting for a new person to understand. </p> <p>Sometimes this is just symptom of the scarce docs availble!</p> <h4> Scarce Docs </h4> <p>Even though there are now actually some hello-world examples in the client-go repo, docs for the go client are still pretty scarce. The first time I had to learn what Informers were, my choices? A random blog post or the actual code. </p> <p>This means that my usage of the library is only as good as the latest blogpost/book/code I've read. I can understand feeling that way about a more complicated tool, like a Database, but should I have to feel this way about an HTTP client?</p> <h3> Not the most idiomatic go-code </h3> <p>Using client-go sometimes requires comitting generated code or dealing with <code>*string</code> types. The library isn't always an example of the most idomatic go code.</p> <p>This might be totally OK for experience go devs, but as someone still learning how to write good go code. I find this confusing. </p> <h3> Further Resources </h3> <p>I still think client-go is worth using for full fledge controllers, especially when dealing with multiple Kubernetes objects. For simple scripts, I'd like to invest more in just using plain go.</p> <p>If you'd like to learn more about client-go, I can't recommend <a href="https://programming-kubernetes.info/">Programming Kubernetes</a> by Michael Hausenblas and Stefan Schimanski enough!</p> <p>Some other places:</p> <ul> <li><a href="https://github.com/kubernetes/client-go/">github.com/../client-go</a></li> <li><a href="https://dev.to/blog/5-time-saving-things-about-client-go-i-didnt-know">5 Time saving things about client-go, I didn't know!</a></li> <li><a href="https://dev.to/blog/creating-a-go-kubernetes-client-with-client-go">Creating a Go Kubernetes client with client-go</a></li> </ul> kubernetes go Muaaz Saleem Sun, 17 Jan 2021 17:35:50 +0000 https://forem.com/muaazsaleem/creating-a-go-kubernetes-client-with-client-go-jlf https://forem.com/muaazsaleem/creating-a-go-kubernetes-client-with-client-go-jlf <p>I mostly use <a href="https://github.com/kubernetes/client-go">client-go</a> to talk to the Kubernetes API in my <a href="https://golang.org/">go</a> applications.</p> <p>Whenever I'm starting a new project I inevitably have to figure out the setup steps. I thought I'll just document these for myself here.</p> <h3> A <code>client-go</code> "Hello, World!" </h3> <p>Creating a client that implements <code>kubernetes.Interface</code> is just <code>kubernetes.NewForConfig()</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="s">"k8s.io/client-go/kubernetes"</span> <span class="n">client</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">kubernetes</span><span class="o">.</span><span class="n">NewForConfig</span><span class="p">(</span><span class="n">kubeconfig</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unable to create a client: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Creating Client Config </h3> <p>Creating the config defers for go clients within and outside of the clients. I think this is mostly because <a href="https://www.oauth.com/oauth2-servers/access-tokens/">access tokens</a> need to be read to from a mounted file rather than the <a href="https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/">kubeconfig file</a>.</p> <h3> Creating out of cluster config </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="s">"k8s.io/client-go/tools/clientcmd"</span> <span class="n">config</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">clientcmd</span><span class="o">.</span><span class="n">BuildConfigFromFlags</span><span class="p">(</span> <span class="s">""</span><span class="p">,</span> <span class="n">kubeconfigPath</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span> <span class="s">"unable to load kubeconfig from %s: %v"</span><span class="p">,</span> <span class="n">kubeconfigPath</span><span class="p">,</span> <span class="n">err</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Creating in cluster config </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="s">"k8s.io/client-go/rest"</span> <span class="n">config</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rest</span><span class="o">.</span><span class="n">InClusterConfig</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unable to load in-cluster config: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Putting it all together </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"k8s.io/client-go/kubernetes"</span> <span class="s">"k8s.io/client-go/rest"</span> <span class="s">"k8s.io/client-go/tools/clientcmd"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">createClient</span><span class="p">(</span><span class="n">kubeconfigPath</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="n">kubernetes</span><span class="o">.</span><span class="n">Interface</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">kubeconfig</span> <span class="o">*</span><span class="n">rest</span><span class="o">.</span><span class="n">Config</span> <span class="k">if</span> <span class="n">kubeconfigPath</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">config</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">clientcmd</span><span class="o">.</span><span class="n">BuildConfigFromFlags</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">kubeconfigPath</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unable to load kubeconfig from %s: %v"</span><span class="p">,</span> <span class="n">kubeconfigPath</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">kubeconfig</span> <span class="o">=</span> <span class="n">config</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">config</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rest</span><span class="o">.</span><span class="n">InClusterConfig</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unable to load in-cluster config: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">kubeconfig</span> <span class="o">=</span> <span class="n">config</span> <span class="p">}</span> <span class="n">client</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">kubernetes</span><span class="o">.</span><span class="n">NewForConfig</span><span class="p">(</span><span class="n">kubeconfig</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unable to create a client: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">client</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> Testing with Fake Client </h3> <p>When testing <code>client-go</code> code it's useful to use the built-in <a href="https://github.com/kubernetes/client-go/tree/master/examples/fake-client">fake client</a>. Here's a short example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"testing"</span> <span class="s">"k8s.io/client-go/kubernetes/fake"</span> <span class="n">appsv1</span> <span class="s">"k8s.io/api/apps/v1"</span> <span class="n">metav1</span> <span class="s">"k8s.io/apimachinery/pkg/apis/meta/v1"</span> <span class="s">"github.com/stretchr/testify/require"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">TestKubeClient</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">fc</span> <span class="o">:=</span> <span class="n">fake</span><span class="o">.</span><span class="n">NewSimpleClientset</span><span class="p">(</span><span class="o">&amp;</span><span class="n">exampleDeploy</span><span class="p">)</span> <span class="n">deploy</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">fc</span><span class="o">.</span><span class="n">AppsV1</span><span class="p">()</span><span class="o">.</span><span class="n">Deployments</span><span class="p">(</span><span class="s">"ns"</span><span class="p">)</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span> <span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="s">"deployment"</span><span class="p">,</span> <span class="n">metav1</span><span class="o">.</span><span class="n">GetOptions</span><span class="p">{},</span> <span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">NoError</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> </code></pre> </div> <h3> Managing package dependencies </h3> <p><code>client-go</code> version needs to match that of the cluster we're using. I have sometimes had trouble with importing the right <code>k8s.io/api</code> and <code>k8s.io/apimachinery</code> dependencies so here's a example for that as well.</p> <p><strong><code>go.mod</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">module</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">muaazsaleem</span><span class="o">/</span><span class="n">example</span> <span class="k">go</span> <span class="m">1.13</span> <span class="n">require</span> <span class="p">(</span> <span class="c">// we only really need client-go here the right `api` and </span> <span class="c">// `apimachinery` versions "should" get picked up</span> <span class="n">k8s</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">client</span><span class="o">-</span><span class="k">go</span> <span class="n">v0</span><span class="m">.19.0</span> <span class="n">k8s</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">api</span> <span class="n">v0</span><span class="m">.19.0</span> <span class="n">k8s</span><span class="o">.</span><span class="n">io</span><span class="o">/</span><span class="n">apimachinery</span> <span class="n">v0</span><span class="m">.19.0</span> <span class="c">// stuff I use in pretty much all my projects</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">sirupsen</span><span class="o">/</span><span class="n">logrus</span> <span class="n">v1</span><span class="m">.7.0</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">stretchr</span><span class="o">/</span><span class="n">testify</span> <span class="n">v1</span><span class="m">.6.1</span> <span class="p">)</span> </code></pre> </div> <h3> Further Resources </h3> <p>If you'd like to learn more about building things with the Kubernetes API, Vladimir Vivien has a <a href="https://medium.com/programming-kubernetes/building-stuff-with-the-kubernetes-api-part-4-using-go-b1d0e3c1c899">whole series</a> on it.</p> <p>The <code>client-go</code> <a href="https://github.com/kubernetes/client-go/">docs</a> have also improved. There are <a href="https://github.com/kubernetes/client-go/tree/master/examples">examples</a> now!</p> kubernetes go Muaaz Saleem Sun, 17 Jan 2021 17:34:06 +0000 https://forem.com/muaazsaleem/5-time-saving-things-about-client-go-i-didn-t-know-31ji https://forem.com/muaazsaleem/5-time-saving-things-about-client-go-i-didn-t-know-31ji <p><a href="https://github.com/kubernetes/client-go">client-go</a> is the official go client for talking to Kubernetes (k8s) APIs.</p> <p>A while back, I read parts of <a href="https://www.oreilly.com/library/view/programming-kubernetes/9781492047094/">Programming Kubernetes</a> by <a href="https://mhausenblas.info/">Michael Hausenblas</a> &amp; <a href="https://twitter.com/the_sttts?lang=en">Stefan Schimanski</a>. I learned a whole lot about client-go that still helps me.</p> <ol> <li>k8s API is divided into <a href="https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning">apigroups</a>! Core objects don’t (like pods), everything else is pretty much under an API Group</li> <li> <a href="https://github.com/kubernetes/client-go">k8s.io/client-go</a> isn’t enough to talk to kubernetes API, you need <a href="https://github.com/kubernetes/api">k8s.io/api</a> and <a href="https://github.com/kubernetes/apimachinery">k8s.io/apimachinery</a> too <ul> <li>You have to match their versions for it to all work!</li> <li>See the <a href="https://github.com/kubernetes/client-go#versioning">client-go versioning</a> for simple instructions!</li> </ul> </li> <li>Kinds map to resources, resources map to HTTP Paths through RESTMappers, Scheme connects a kind and a Resource</li> <li>Almost always use <a href="https://godoc.org/k8s.io/client-go/tools/cache#NewInformer">informers</a> instead of watch to watch events, the exception is just watching events to log them, then maybe it doesn’t matter. <ul> <li>See the <a href="https://godoc.org/k8s.io/client-go/tools/cache#NewInformer">package docs</a> </li> </ul> </li> <li>Last but not the least, there’s a fake client! You can use it to test your code! <ul> <li>See <a href="https://github.com/kubernetes/client-go/tree/master/examples/fake-client">example</a>!</li> </ul> </li> </ol> <p>There are many <a href="https://github.com/kubernetes/client-go/tree/master/examples">working examples</a> in the upsteam repo now! Check them out to learn more.</p> kubernetes go Muaaz Saleem Sun, 17 Jan 2021 17:32:32 +0000 https://forem.com/muaazsaleem/creating-a-test-http-server-in-go-2349 https://forem.com/muaazsaleem/creating-a-test-http-server-in-go-2349 <p><code>httptest.NewServer</code> gives us the ability to spin up a local HTTP Server. This is very useful say, when <a href="http://hassansin.github.io/Unit-Testing-http-client-in-Go">testing an HTTP client</a>.</p> <h3> Usage </h3> <p>Here's a very basic usage of <code>httptest.NewServer</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">server</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewServer</span><span class="p">(</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">req</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprint</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"OK"</span><span class="p">)</span> <span class="p">}))</span> <span class="k">defer</span> <span class="n">server</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> </code></pre> </div> <p>In the code above, <code>server.URL</code> can be used to connect to the server. For example, we could pass it to the following <code>pingService</code> func to test it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">pingService</span><span class="p">(</span><span class="n">url</span> <span class="kt">string</span><span class="p">)</span> <span class="n">ServiceStatus</span> <span class="p">{</span> <span class="c">// TODO: make sure url is actually a valid URL</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="c">// expecting the HTTP client to err out if the service is down</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// TODO: add TestURL to the log</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"[%s], is DOWN"</span><span class="p">,</span> <span class="n">url</span><span class="p">)</span> <span class="k">return</span> <span class="n">ServiceDown</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> A more complete example </h3> <p>Following is a more complete example of <code>pingService</code> and its tests:</p> <h4> <code>pingService()</code> </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// ServiceStatus indicates the status of a service i.e "UP", "FAILING", "DOWN"</span> <span class="k">type</span> <span class="n">ServiceStatus</span> <span class="kt">string</span> <span class="k">const</span> <span class="p">(</span> <span class="n">ServiceUP</span> <span class="o">=</span> <span class="n">ServiceStatus</span><span class="p">(</span><span class="s">"UP"</span><span class="p">)</span> <span class="n">ServiceDown</span> <span class="o">=</span> <span class="n">ServiceStatus</span><span class="p">(</span><span class="s">"DOWN"</span><span class="p">)</span> <span class="n">ServiceFailing</span> <span class="o">=</span> <span class="n">ServiceStatus</span><span class="p">(</span><span class="s">"FAILING"</span><span class="p">)</span> <span class="p">)</span> <span class="k">func</span> <span class="n">pingService</span><span class="p">(</span><span class="n">server</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Server</span><span class="p">)</span> <span class="n">ServiceStatus</span> <span class="p">{</span> <span class="c">// TODO: make sure server.URL is actually a valid URL</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">server</span><span class="o">.</span><span class="n">URL</span><span class="p">)</span> <span class="c">// expecting the HTTP client to err out if the service is down</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// TODO: add TestURL to the log</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"[%s], is DOWN"</span><span class="p">,</span> <span class="n">server</span><span class="o">.</span><span class="n">URL</span><span class="p">)</span> <span class="k">return</span> <span class="n">ServiceDown</span> <span class="p">}</span> <span class="k">if</span> <span class="n">res</span><span class="o">.</span><span class="n">StatusCode</span> <span class="o">&gt;=</span> <span class="m">200</span> <span class="o">&amp;&amp;</span> <span class="n">res</span><span class="o">.</span><span class="n">StatusCode</span> <span class="o">&lt;=</span> <span class="m">500</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Infof</span><span class="p">(</span><span class="s">"[%s], is UP"</span><span class="p">,</span> <span class="n">server</span><span class="o">.</span><span class="n">URL</span><span class="p">)</span> <span class="k">return</span> <span class="n">ServiceUP</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"[%s], is FAILING"</span><span class="p">,</span> <span class="n">server</span><span class="o">.</span><span class="n">URL</span><span class="p">)</span> <span class="k">return</span> <span class="n">ServiceFailing</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Testing <code>pingService()</code> </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// TestStatusDown tests pinging a non running HTTP service</span> <span class="k">func</span> <span class="n">TestStatusDown</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">ss</span> <span class="o">:=</span> <span class="n">pingService</span><span class="p">(</span><span class="n">exampleTestService</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">ServiceDown</span><span class="p">,</span> <span class="n">ss</span><span class="p">)</span> <span class="p">}</span> <span class="c">// TestStatusUP tests a running HTTP service</span> <span class="k">func</span> <span class="n">TestStatusUP</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">sv</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewServer</span><span class="p">(</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">req</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprint</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"OK"</span><span class="p">)</span> <span class="p">}))</span> <span class="k">defer</span> <span class="n">sv</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">ss</span> <span class="o">:=</span> <span class="n">pingService</span><span class="p">(</span><span class="n">sv</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">ServiceUP</span><span class="p">,</span> <span class="n">ss</span><span class="p">)</span> <span class="p">}</span> <span class="c">// TestStatusFailing tests a failing HTTP service</span> <span class="k">func</span> <span class="n">TestStatusFailing</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">sv</span> <span class="o">:=</span> <span class="n">httptest</span><span class="o">.</span><span class="n">NewServer</span><span class="p">(</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">req</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="p">}))</span> <span class="k">defer</span> <span class="n">sv</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">ss</span> <span class="o">:=</span> <span class="n">pingService</span><span class="p">(</span><span class="n">sv</span><span class="p">)</span> <span class="n">require</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">ServiceFailing</span><span class="p">,</span> <span class="n">ss</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Further Resources: </h3> <ul> <li><a href="https://golang.org/pkg/net/http/httptest/#Server">golang.org/pkg/net/http/httptest/#Server</a></li> <li><a href="http://hassansin.github.io/Unit-Testing-http-client-in-Go">Unit Testing http client in Go</a></li> </ul> go testing http Muaaz Saleem Sun, 17 Jan 2021 17:29:46 +0000 https://forem.com/muaazsaleem/the-three-main-flavors-of-kubernetes-related-engineering-roles-d0j https://forem.com/muaazsaleem/the-three-main-flavors-of-kubernetes-related-engineering-roles-d0j <p>As Kubernetes continues to gain traction, Kubernetes related oppurtunities continue to grow as well. That's great! But while most Kubernetes related engineering roles are pretty similar to each other, in my observation, there seem to be important differences between them as well. </p> <p>Here, I just want to capture the three main flavours Kubernetes related Engineering roles I've noticed and their pros and cons. </p> <h3> Site Reliability Engineer </h3> <p>Also known as DeveOps Engineer or Cloud Engineer, the Site Reliability Engineer role is the most common of the three we'll talk about today. The distinguishing sign of the role is that you're responsible for (a) production Kubernetes cluster(s) and your team is primarily measured by it's reliabilty, cost effectiveness and utility.</p> <p>Google has written a lot about the role and different companies abide by that description to various degrees. <em>This is also the only role of the three, that I have personal experience with.</em></p> <h4> Pros </h4> <ul> <li>Hands-on Experience operating (a) Kubernetes cluster(s) i.e <ul> <li>Lots of Production Insights to share with the rest of the community</li> </ul> </li> <li>Incentive to influence the Cloud Native Community to solve important problems together</li> <li>Lots of fun for folks who enjoy learning new things all the time</li> <li> <em>Lots of opportunities</em> with the growing no. of businesses adopting Kubernetes</li> </ul> <h4> Cons </h4> <ul> <li>Time &amp; Focus are divided between programming, operations &amp; communication. Ergo: <ul> <li>Limited chances to role the dice on long term software projects</li> </ul> </li> <li>Wide scope of respobsibility i.e: <ul> <li>The whole cluster rather than just Ingress, although possible in a big enough team </li> </ul> </li> <li>Shifting respobsibilities as Cloud vendor capabilities grow/change</li> <li>Employer may not have the bandwidth/budget for significant community participation</li> </ul> <h3> Software Engineer ( Kubernetes ) </h3> <p>If you've ever wondered who maintains, the Kubernetes Core or important plugins like CoreDNS, it's Kubernetes Software Engineers. I'm making up the title but the work is real i.e. Software Engineers improving or extending the Cloud Native ecosystem.</p> <p>This role predominantly exists with vendors with a vested interest in Kubernetes like Cloud vendors or Services companies. Google, for example, has a whole team dedicated to maintaining the Cluster, Horizontal &amp; Vertical Pod Autoscalers.</p> <h4> Pros </h4> <ul> <li>Focus on Software Engineering Skills</li> <li>Potential to learn the internals of various technologies e.g. Prometheus, Docker, Flagger and share with the community</li> <li>Opportunity/Incentive to represent customer use cases in the larger Cloud Native Community</li> </ul> <h4> Cons </h4> <ul> <li>No quick “production” feedback like in SRE </li> <li>Limited Experience operating a kubernetes cluster</li> <li>Reletaively fewer oppurtunities in the community, but still lots of them! </li> </ul> <h3> Developer Advocate </h3> <p>While vendors might hire Software Engineers to help improve their Kubernetes offerings, they might hire Engineers to better understand the community's needs and help guide the product strategy. That's the Developer Advocate role and there's a growing no. of them in the Cloud Native Community.</p> <p>If you're not familiar with the role, there's a great <a href="https://dev.to/di/developer-advocacy-frequently-asked-questions-577k">FAQ by Dustin Ingram</a>.</p> <h4> Pros </h4> <ul> <li>Great opportunity to <a href="https://www.swyx.io/learn-in-public/">learn in public</a> <ul> <li>Work on skills such as giving talks, Videography, Writing Blogposts</li> <li>A very visible position, great opportunity to create a public profile</li> </ul> </li> <li>Incentive/Oppurtunity to create significantly useful resources for the community: <ul> <li>Writing books and etc.</li> <li>Creating or maintaining to important open source projects</li> </ul> </li> <li>The chance to explore "what’s possible with Kubernetes”: <ul> <li>Creating lots of “demo” apps to show what's possible with Kubernetes</li> <li>Being "user zero" for new products or features </li> </ul> </li> <li>Great opportunity to be valued as an engineer for strengths in: <ul> <li>Communication</li> <li>Stakeholder management</li> <li>Product leadership</li> </ul> </li> </ul> <h4> Cons </h4> <ul> <li>Far fewer oppurtunities than a SRE or SWE roles</li> <li>Role not well defined and may change significantly between companies <ul> <li>Evangelism vs. Advocate</li> <li>Report to marketing vs. director of engineering</li> <li>May require lots of travel</li> </ul> </li> <li>Difficult to distinguish between work and hobby projects</li> <li>Not clear what the employers' non-compete for the role look like: <ul> <li>If you write a book, create a youtube channel does the employer need to sign off?</li> </ul> </li> <li>Almost no first hand production experience in the role</li> <li>Hard to measure your impact: <ul> <li>makes it hard to know what's worth working on</li> <li>makes it hard to prove that you're doing a good job</li> </ul> </li> </ul> <h3> Parting Words </h3> <p>All three roles seem to have a lot to offer and like flavours of an ice cream, they can be mixed and matched. Software Engineers give talks and Site Reliability Engineers write plenty of software. Folks might also be able to move between these roles easily enough.</p> <p>I hope others find this list as helpful as I did. If you feel like I've missed an important aspect of these or would like to share other kinds of engineering roles you've seen in the Cloud Native community, I'd love to hear from you!</p> kubernetes career Muaaz Saleem Sun, 17 Jan 2021 17:23:46 +0000 https://forem.com/muaazsaleem/making-the-validatingwebhook-testable-4ao3 https://forem.com/muaazsaleem/making-the-validatingwebhook-testable-4ao3 <p>In my <a href="https://www.learningkubeonaws.com/blog/validating-admission-requests-with-a-validating-admission-webhook">last post</a> we saw that admitting objects in a ValidatigAdmissionWebhook can be expressed as a pure function i.e.,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="o">*</span><span class="n">AdmissionResponse</span> </code></pre> </div> <p>This time, I'd like to argue that abstracting the <code>Admit</code> func into an <code>Admitter</code> interface can help us make the webhook code more testable.</p> <h3> Testing the <code>Admit</code> func </h3> <p>A little aside before getting to the <code>Admitter</code> interface, an additional benefit of wrapping our admission logic in an <code>Admit</code> func, this way, is that it makes it really easy to write a test for it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestAdmit</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// setup req and expected resp</span> <span class="n">admResp</span> <span class="o">:=</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">expectedAdmResp</span><span class="p">,</span> <span class="n">admResp</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> The <code>Admitter</code> Interface </h3> <p>So our admission logic can now be tesed but what about the HTTP machinery, there's some hairy encoding/decoding logic in our <code>Handler</code> func, so being able to test would be really comforting. That's where the <code>Admitter</code> interface comes in!</p> <p>Here's the <code>Admit</code> func again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="o">*</span><span class="n">AdmissionResponse</span> </code></pre> </div> <p>And here's what the <code>Admitter</code> interface could look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Admitter</span> <span class="k">interface</span> <span class="p">{</span> <span class="c">// Name() is helpful for logging and metrics</span> <span class="n">Name</span><span class="p">()</span> <span class="kt">string</span> <span class="c">// Admit() is where the pure admission logic lives</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Our <code>Handler</code> func is going to change just as well to accomodate. The <code>Handler</code> func originally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Handler</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(){</span> <span class="c">// read req</span> <span class="n">validate</span><span class="p">()</span> <span class="c">// write resp</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And we call it like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/deployments"</span><span class="p">,</span> <span class="n">admission</span><span class="o">.</span><span class="n">Handler</span><span class="p">())</span> </code></pre> </div> <p>The <code>Handler</code> func now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Handler</span><span class="p">(</span><span class="n">admitter</span> <span class="n">Admitter</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(){</span> <span class="c">// read req</span> <span class="n">admitter</span><span class="o">.</span><span class="n">Admit</span><span class="p">()</span> <span class="c">// write resp</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Calling the <code>Handler</code> func would now look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// DeploymentAdmitter implements the Admitter interface</span> <span class="n">depAdmitter</span> <span class="o">:=</span> <span class="n">admission</span><span class="o">.</span><span class="n">DeploymentAdmitter</span><span class="p">{}</span> <span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/deployments"</span><span class="p">,</span> <span class="n">admission</span><span class="o">.</span><span class="n">Handler</span><span class="p">(</span><span class="n">depAdmitter</span><span class="p">))</span> </code></pre> </div> <h3> Implementing the Admitter Interface </h3> <p>As the last section hinted, each resource that the webhook must validate can just implement the <code>Admitter</code> interface. For example, here's the <code>DeploymentAdmitter</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">DeploymentAdmitter</span> <span class="k">struct</span> <span class="p">{</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">d</span> <span class="n">DeploymentAdmitter</span><span class="p">)</span> <span class="n">Name</span><span class="p">()</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">return</span> <span class="s">"deployments"</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">d</span> <span class="n">DeploymentAdmitter</span><span class="p">)</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// deny if `application` label is missing </span> <span class="p">}</span> </code></pre> </div> <p>And guess what, we can just implement the <code>Admitter</code> interface in our tests to test the <code>Handler</code>. So cool, right!</p> <p>Here's an example <code>testAdmitter</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">testAdmitter</span> <span class="k">struct</span> <span class="p">{</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">t</span> <span class="n">TestAdmitter</span><span class="p">)</span> <span class="n">Name</span><span class="p">()</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">return</span> <span class="s">"testAdmitter"</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">t</span> <span class="n">testAdmitter</span><span class="p">)</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// allow/deny objects depending on the test </span> <span class="p">}</span> </code></pre> </div> <h3> Testing the <code>Handler</code> </h3> <p>At last, with the actual validation logic abstracted away, testing the <code>Handler</code> is really just as simple as calling the handler with a test request and the <code>testAdmitter</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestHandler</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// setup AdmissionReview.Request and expected AdmissionReview.Response objects</span> <span class="n">adm</span> <span class="o">=</span> <span class="n">testAdmitter</span><span class="p">{}</span> <span class="n">Handler</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">resp</span><span class="p">)</span> <span class="c">// Test that </span> <span class="c">// 1. when an object should be allowed Handler allows it</span> <span class="c">// 2. when an object should be denied Handler denys it</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">expectedResp</span><span class="p">,</span> <span class="n">resp</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Thanks to the <code>Admitter</code> interface, we can now test <a href="https://www.learningkubeonaws.com/blog/the-2-main-parts-of-a-kubernetes-validating-admission-webhook">parsing the admission requests</a> and <a href="https://www.learningkubeonaws.com/blog/parsing-admission-requests-in-a-validating-admission-webhook">validating them</a>!</p> <h3> Further Resources </h3> <p>This series is based on my experience adding a <code>ValidatingAdmissionWebhook</code> to <a href="https://github.com/zalando/skipper">Skipper</a>, modern HTTP proxy.</p> <blockquote> <p><strong>Note:</strong> While the series uses validating <code>Deployments</code> as an example, the webhook in Skipper validates <code>RouteGroups</code> a <a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/">Custom Resource</a> used in Skipper. Hope that's not too confusing!</p> </blockquote> <ul> <li><p>You can find the complete source code for the <code>ValidatigAdmissionWebhook</code> <a href="https://github.com/zalando/skipper/tree/master/cmd/webhook">here</a></p></li> <li><p>Specifically, the tests can be found in <a href="https://github.com/zalando/skipper/blob/master/cmd/webhook/admission/admission_test.go"><code>admission_test.go</code></a> </p></li> </ul> kubernetes go Muaaz Saleem Sun, 17 Jan 2021 17:19:14 +0000 https://forem.com/muaazsaleem/making-the-validatingwebhook-testable-15h https://forem.com/muaazsaleem/making-the-validatingwebhook-testable-15h <p>Last time, I talked about <a href="https://www.learningkubeonaws.com/blog/parsing-admission-requests-in-a-validating-admission-webhook">Parsing Admission Requests in a Validating Admission Webhook</a>. This time I wanna talk about actually validating the admission requests i.e allowing or rejecting new or updated resources.</p> <p>We learned how to parse a Validation Request in an <code>AdmissionReview.Request</code> Object and serialize (encode) a Validation Response from an <code>AdmissionReview.Response</code> Object.</p> <p>Now that we know how to parse the HTTP requests, a validating admission webhook is just a go <code>func</code> of the signature:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">validate</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="o">*</span><span class="n">AdmissionResponse</span> </code></pre> </div> <p>Another way to phrase validating an Object is "Admitting an Object". In which case the signature above becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="o">*</span><span class="n">AdmissionResponse</span> </code></pre> </div> <h3> Parsing the Object </h3> <p>The first thing to do in the <code>Admit</code> func is to parse the Object we're hoping to validate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Object</span><span class="o">.</span><span class="n">Raw</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">admittedObj</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>In the example above, I am reading the <a href="https://opensource.zalando.com/skipper/kubernetes/routegroups/">RouteGroup</a> from <code>AdmissionReview.Request.Object.Raw</code>. Note that you could also deserialize the object from <code>AdmissionReview.Request.Object</code>, I hope to cover that in some other post.</p> <h3> Validating the Object </h3> <p>This is where we finally decide whether an Object is good enough to allow or not. The specific logic will depend on what you want to achieve but as an example suppose our <code>admittedObj</code> above was a <code>deployment</code> and we only wanted to allow it if it had an <code>application</code> label.</p> <p>The validation would look something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">err</span> <span class="o">=</span> <span class="n">checkAppLabel</span><span class="p">(</span><span class="o">&amp;</span><span class="n">deployment</span><span class="o">.</span><span class="n">Spec</span><span class="o">.</span><span class="n">Template</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// ..</span> <span class="p">}</span> </code></pre> </div> <p>Here's <code>checkAppLabel</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="n">corev1</span> <span class="s">"k8s.io/api/core/v1"</span> <span class="p">)</span> <span class="k">var</span> <span class="p">(</span> <span class="n">errNoApplicationLabel</span> <span class="o">=</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span> <span class="s">"missing application label in pod template"</span><span class="p">,</span> <span class="p">)</span> <span class="p">)</span> <span class="k">func</span> <span class="n">checkAppLabel</span><span class="p">(</span><span class="n">podSpec</span> <span class="o">*</span><span class="n">corev1</span><span class="o">.</span><span class="n">PodTemplateSpec</span><span class="p">)</span> <span class="n">application</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">podSpec</span><span class="o">.</span><span class="n">Labels</span><span class="p">[</span><span class="s">"application"</span><span class="p">]</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="n">errNoApplicationLabel</span> <span class="p">}</span> <span class="k">return</span> <span class="n">registry</span><span class="o">.</span><span class="n">CheckApplication</span><span class="p">(</span><span class="n">application</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>So cool, right!</p> <h3> Rejecting an Object </h3> <p>Rejecting an Object is just a matter of filling out the <code>AdmissionResponse</code> object with <code>Allowed: false</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">emsg</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"the object was no good, cuz: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">emsg</span><span class="p">)</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="c">// The UID is needed to identify which request </span> <span class="c">// you are responsing to</span> <span class="n">UID</span><span class="o">:</span> <span class="n">req</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">Allowed</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">Result</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">metav1</span><span class="o">.</span><span class="n">Status</span><span class="p">{</span> <span class="c">// The Message is helpful to the users to figure out </span> <span class="c">// what's they did wrong!</span> <span class="n">Message</span><span class="o">:</span> <span class="n">emsg</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> Allowing an Object </h3> <p>At this point, allowing in object is pretty simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">return</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">UID</span><span class="o">:</span> <span class="n">req</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">Allowed</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="p">},</span> <span class="no">nil</span> </code></pre> </div> <p>That's all! You can find a complete example of an <code>Admit</code> func from the Validating Admission Webhook in <a href="https://github.com/zalando/skipper/blob/master/cmd/webhook/admission/admission.go#L75">Skipper</a>. I've also included an abridged version at the end of this blog post.</p> <p>Admission Webhooks are the Swiss Army Knife of a Kubernetes Operator. Once you know how to write one, they can be an easy way to programmatically enforce internal policies cluster wide.</p> <h3> Further Resources </h3> <p>If you'd like to learn more on the topic:</p> <ul> <li>Banzi Cloud has a <a href="https://dev.toevernote:///view/216723888/s393/af633578-8b03-475f-8bad-2bb64efa7bf9/af633578-8b03-475f-8bad-2bb64efa7bf9/">great guide on admission controllers</a>.</li> <li><p>There's also the <a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/">Dynamic Admission Control</a> guide in the <a href="https://kubernetes.io/docs/home/">Kubernetes docs</a>.</p></li> <li><p>You can find the definitions of the <code>AdmissionReview</code> object in <a href="https://github.com/kubernetes/api/blob/c59710ee51e70325197298cd6243d32f1aa85df0/admission/v1/types.go#L40">k8s.io/api</a> repository.</p></li> </ul> <p>I also like to look at the Kubernetes API reference. You can find the <code>ValidatingAdmissionConfiguration</code> spec <a href="https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#validatingwebhookconfiguration-v1-admissionregistration-k8s-io">there</a>.</p> <h3> Reference </h3> <p>An example <code>Admit</code> func from the Validating Admission Webhook in <a href="https://github.com/zalando/skipper/blob/master/cmd/webhook/admission/admission.go#L75">Skipper</a> for <a href="https://opensource.zalando.com/skipper/kubernetes/routegroups/">RouteGroups</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Admit</span><span class="p">(</span><span class="n">req</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">rgItem</span> <span class="o">:=</span> <span class="n">definitions</span><span class="o">.</span><span class="n">RouteGroupItem</span><span class="p">{}</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Object</span><span class="o">.</span><span class="n">Raw</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">rgItem</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">emsg</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"could not parse RouteGroup, %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">emsg</span><span class="p">)</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">UID</span><span class="o">:</span> <span class="n">req</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">Allowed</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">Result</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">metav1</span><span class="o">.</span><span class="n">Status</span><span class="p">{</span> <span class="n">Message</span><span class="o">:</span> <span class="n">emsg</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">definitions</span><span class="o">.</span><span class="n">ValidateRouteGroup</span><span class="p">(</span><span class="o">&amp;</span><span class="n">rgItem</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">emsg</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"could not validate RouteGroup, %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">log</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">emsg</span><span class="p">)</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">UID</span><span class="o">:</span> <span class="n">req</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">Allowed</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">Result</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">metav1</span><span class="o">.</span><span class="n">Status</span><span class="p">{</span> <span class="n">Message</span><span class="o">:</span> <span class="n">emsg</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">UID</span><span class="o">:</span> <span class="n">req</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">Allowed</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> kubernetes go Muaaz Saleem Sun, 17 Jan 2021 16:27:09 +0000 https://forem.com/muaazsaleem/parsing-admission-requests-in-a-validating-admission-webhook-371b https://forem.com/muaazsaleem/parsing-admission-requests-in-a-validating-admission-webhook-371b <p>Last time I introduced <a href="https://www.learningkubeonaws.com/blog/the-2-main-parts-of-a-kubernetes-validating-admission-webhook">the 2 main parts of a Validating Admission Webhook</a>. The Webserver and the <code>ValidatingAdmissionWebhookConfiguration</code>. </p> <p>This time I'll expand a bit on the Webserver. Specifically, parsing Admission Requests in a Validating Admission Webhook.</p> <h4> The HTTP Handler </h4> <p>The webserver just needs a <code>POST</code> endpoint, where the API Server can post Admission Requests to.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/routegroups"</span><span class="p">,</span> <span class="n">admission</span><span class="o">.</span><span class="n">Handler</span><span class="p">())</span> </code></pre> </div> <p><code>admission.Handler</code> is just a go <code>func</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Handler</span><span class="p">()</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// ...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Having a function that <em>returns</em> a <code>http.HandlerFunc</code> is helpful because this way I can also parameterize <code>admission.Handler</code> for each resource I want to validate e.g:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">handler</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/deployments"</span><span class="p">,</span> <span class="n">admission</span><span class="o">.</span><span class="n">Handler</span><span class="p">(</span><span class="s">"deployments"</span><span class="p">))</span> </code></pre> </div> <p>More on this in a future blog post.</p> <h3> Parsing an Admission Request </h3> <p>Admission requests are just HTTP <code>Post</code> requests with a <code>JSON</code> body of the form:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"apiVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admission.k8s.io/v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AdmissionReview"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Therefore, we can just use <code>json.Unmarshal</code> to decode them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"encoding/json"</span> <span class="n">admissionsv1</span> <span class="s">"k8s.io/api/admission/v1"</span> <span class="p">)</span> <span class="c">// ...</span> <span class="n">review</span> <span class="o">:=</span> <span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionReview</span><span class="p">{}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">review</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Failed to parse request: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> </code></pre> </div> <p>Note how I am just using the upstream <code>AdmissionReview</code> type from <a href="https://github.com/kubernetes/api/tree/master/admission/v1">k8s.io/api/admission/v1</a> here. You can find other Kubernetes types in the <a href="https://github.com/kubernetes/api">k8s.io/api</a> repo as well.</p> <h3> Responding to an Admission Request i.e encoding <code>Admission.Response</code> </h3> <p>Encoding is just a <code>json.Marshal</code> as well.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import ( // ... metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) resp, err := json.Marshal(admissionsv1.AdmissionReview{ TypeMeta: metav1.TypeMeta{ Kind: "AdmissionReview", APIVersion: "admission.k8s.io/v1", }, Response: response, }) </code></pre> </div> <p>There are a couple important things to keep in mind here.</p> <p><strong>The response <code>UID</code> must match the request</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">response</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">UID</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">review</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p>Otherwise, the API Server won't know which admission request my response belongs to.</p> <p><strong>The <code>TypeMeta</code> fields must be present in the response</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionReview</span><span class="p">{</span> <span class="n">TypeMeta</span><span class="o">:</span> <span class="n">metav1</span><span class="o">.</span><span class="n">TypeMeta</span><span class="p">{</span> <span class="n">Kind</span><span class="o">:</span> <span class="s">"AdmissionReview"</span><span class="p">,</span> <span class="n">APIVersion</span><span class="o">:</span> <span class="s">"admission.k8s.io/v1"</span><span class="p">,</span> <span class="p">},</span> <span class="n">Response</span><span class="o">:</span> <span class="n">response</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>I learnt this the hard way. If the <code>Kind</code> and <code>APIVersion</code> aren't specified for <code>v1</code> resources i.e <code>v1.AdmissionReview</code>, <a href="https://github.com/kubernetes/kubernetes/blob/518b826b1dcc4852226300ae08110cba03a078c9/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/request/admissionreview.go#L58">the Admission requests will just fail</a>.</p> <h4> Util Funcs </h4> <p>I found it useful to have <code>writeResponse</code> and <code>errorResponse</code> functions.</p> <p><strong>Writing Response</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="c">// ...</span> <span class="n">metav1</span> <span class="s">"k8s.io/apimachinery/pkg/apis/meta/v1"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">writeResponse</span><span class="p">(</span> <span class="n">writer</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">response</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="n">resp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionReview</span><span class="p">{</span> <span class="n">TypeMeta</span><span class="o">:</span> <span class="n">metav1</span><span class="o">.</span><span class="n">TypeMeta</span><span class="p">{</span> <span class="n">Kind</span><span class="o">:</span> <span class="s">"AdmissionReview"</span><span class="p">,</span> <span class="n">APIVersion</span><span class="o">:</span> <span class="s">"admission.k8s.io/v1"</span><span class="p">,</span> <span class="p">},</span> <span class="n">Response</span><span class="o">:</span> <span class="n">response</span><span class="p">,</span> <span class="p">})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to serialize response: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">writer</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">writer</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">resp</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to write response: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Writing errors</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="c">// ...</span> <span class="s">"k8s.io/apimachinery/pkg/types"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">errorResponse</span><span class="p">(</span><span class="n">uid</span> <span class="n">types</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">err</span> <span class="kt">error</span><span class="p">)</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">Allowed</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">UID</span><span class="o">:</span> <span class="n">uid</span><span class="p">,</span> <span class="n">Result</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">metav1</span><span class="o">.</span><span class="n">Status</span><span class="p">{</span> <span class="n">Message</span><span class="o">:</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>When I started writing a validating admission webhook for the first <br> time, I was very confused about the various moving parts. Hopefully this post shows that in essence, a validating admission webhook is just a go webserver.</p> <h3> Further Resources </h3> <p>You can find an abridged version of <code>admission.Handler</code> under "Reference". For a complete example of a validating admission webhook being used in production, checkout the <a href="https://github.com/zalando/skipper/tree/v0.11.175/cmd/webhook">validating admission webhook</a> in <a href="https://github.com/zalando/skipper">Skipper</a>, our HTTP reverse proxy.</p> <ul> <li><a href="https://github.com/zalando/skipper/blob/v0.11.175/cmd/webhook/admission/admission.go#L109"><code>admission.Handler</code></a></li> <li><a href="https://github.com/zalando/skipper/blob/v0.11.175/cmd/webhook/admission/admission.go#L179"><code>writeResponse</code></a></li> <li><a href="https://github.com/zalando/skipper/blob/v0.11.175/cmd/webhook/admission/admission.go#L197"><code>errorResponse</code></a></li> </ul> <blockquote> <p>Thanks to my teammates <a href="https://twitter.com/arpad_ryszka">Arpad</a> &amp; <a href="https://twitter.com/sszuecs">Sandor</a> for helping me contribute a validating admission webhook to Skipper! </p> </blockquote> <h3> Reference </h3> <p>The following is just an abridged version of <a href="https://github.com/zalando/skipper/blob/v0.11.175/cmd/webhook/admission/admission.go"><code>admission.go</code></a> from the <a href="https://github.com/zalando/skipper/tree/v0.11.175/cmd/webhook">validating admission webhook</a> in <a href="https://github.com/zalando/skipper">Skipper</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">admission</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"encoding/json"</span> <span class="s">"fmt"</span> <span class="s">"io/ioutil"</span> <span class="s">"net/http"</span> <span class="s">"time"</span> <span class="n">log</span> <span class="s">"github.com/sirupsen/logrus"</span> <span class="s">"github.com/zalando/skipper/dataclients/kubernetes/definitions"</span> <span class="n">admissionsv1</span> <span class="s">"k8s.io/api/admission/v1"</span> <span class="n">metav1</span> <span class="s">"k8s.io/apimachinery/pkg/apis/meta/v1"</span> <span class="s">"k8s.io/apimachinery/pkg/types"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">Handler</span><span class="p">(</span><span class="n">admitter</span> <span class="n">Admitter</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">admitterName</span> <span class="o">:=</span> <span class="n">admitter</span><span class="o">.</span><span class="n">Name</span><span class="p">()</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">!=</span> <span class="s">"POST"</span> <span class="o">||</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">)</span> <span class="o">!=</span> <span class="s">"application/json"</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusMethodNotAllowed</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">body</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">ioutil</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Failed to read request: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">log</span><span class="o">.</span><span class="n">Debugln</span><span class="p">(</span><span class="s">"request received"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="p">,</span> <span class="kt">string</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="n">review</span> <span class="o">:=</span> <span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionReview</span><span class="p">{}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">review</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Failed to parse request: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">operationInfo</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span> <span class="s">"%s %s %s/%s"</span><span class="p">,</span> <span class="n">review</span><span class="o">.</span><span class="n">Request</span><span class="o">.</span><span class="n">Operation</span><span class="p">,</span> <span class="n">review</span><span class="o">.</span><span class="n">Request</span><span class="o">.</span><span class="n">Kind</span><span class="p">,</span> <span class="n">review</span><span class="o">.</span><span class="n">Request</span><span class="o">.</span><span class="n">Namespace</span><span class="p">,</span> <span class="n">extractName</span><span class="p">(</span><span class="n">review</span><span class="o">.</span><span class="n">Request</span><span class="p">),</span> <span class="p">)</span> <span class="n">gvr</span> <span class="o">:=</span> <span class="n">review</span><span class="o">.</span><span class="n">Request</span><span class="o">.</span><span class="n">Resource</span> <span class="n">group</span> <span class="o">:=</span> <span class="n">gvr</span><span class="o">.</span><span class="n">Group</span> <span class="k">if</span> <span class="n">group</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">group</span> <span class="o">=</span> <span class="s">"zalando.org"</span> <span class="p">}</span> <span class="n">start</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span> <span class="k">defer</span> <span class="n">admissionDuration</span><span class="o">.</span><span class="n">With</span><span class="p">(</span><span class="n">labelValues</span><span class="p">)</span><span class="o">.</span> <span class="n">Observe</span><span class="p">(</span><span class="kt">float64</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Since</span><span class="p">(</span><span class="n">start</span><span class="p">))</span> <span class="o">/</span> <span class="kt">float64</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">))</span> <span class="n">admResp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">admitter</span><span class="o">.</span><span class="n">Admit</span><span class="p">(</span><span class="n">review</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"Rejected %s: %v"</span><span class="p">,</span> <span class="n">operationInfo</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">writeResponse</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">errorResponse</span><span class="p">(</span><span class="n">review</span><span class="o">.</span><span class="n">Request</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">err</span><span class="p">))</span> <span class="k">return</span> <span class="p">}</span> <span class="n">log</span><span class="o">.</span><span class="n">Debugf</span><span class="p">(</span><span class="s">"Allowed %s"</span><span class="p">,</span> <span class="n">operationInfo</span><span class="p">)</span> <span class="n">writeResponse</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">admResp</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">writeResponse</span><span class="p">(</span><span class="n">writer</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">response</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">)</span> <span class="p">{</span> <span class="n">resp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionReview</span><span class="p">{</span> <span class="n">TypeMeta</span><span class="o">:</span> <span class="n">metav1</span><span class="o">.</span><span class="n">TypeMeta</span><span class="p">{</span> <span class="n">Kind</span><span class="o">:</span> <span class="s">"AdmissionReview"</span><span class="p">,</span> <span class="n">APIVersion</span><span class="o">:</span> <span class="s">"admission.k8s.io/v1"</span><span class="p">,</span> <span class="p">},</span> <span class="n">Response</span><span class="o">:</span> <span class="n">response</span><span class="p">,</span> <span class="p">})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to serialize response: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">writer</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">writer</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">resp</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to write response: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">errorResponse</span><span class="p">(</span><span class="n">uid</span> <span class="n">types</span><span class="o">.</span><span class="n">UID</span><span class="p">,</span> <span class="n">err</span> <span class="kt">error</span><span class="p">)</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionResponse</span><span class="p">{</span> <span class="n">Allowed</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">UID</span><span class="o">:</span> <span class="n">uid</span><span class="p">,</span> <span class="n">Result</span><span class="o">:</span> <span class="o">&amp;</span><span class="n">metav1</span><span class="o">.</span><span class="n">Status</span><span class="p">{</span> <span class="n">Message</span><span class="o">:</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">extractName</span><span class="p">(</span><span class="n">request</span> <span class="o">*</span><span class="n">admissionsv1</span><span class="o">.</span><span class="n">AdmissionRequest</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">Name</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">request</span><span class="o">.</span><span class="n">Name</span> <span class="p">}</span> <span class="n">obj</span> <span class="o">:=</span> <span class="n">metav1</span><span class="o">.</span><span class="n">PartialObjectMetadata</span><span class="p">{}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">Object</span><span class="o">.</span><span class="n">Raw</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">obj</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Warnf</span><span class="p">(</span><span class="s">"failed to parse object: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="s">"&lt;unknown&gt;"</span> <span class="p">}</span> <span class="k">if</span> <span class="n">obj</span><span class="o">.</span><span class="n">Name</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">obj</span><span class="o">.</span><span class="n">Name</span> <span class="p">}</span> <span class="k">if</span> <span class="n">obj</span><span class="o">.</span><span class="n">GenerateName</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">obj</span><span class="o">.</span><span class="n">GenerateName</span> <span class="o">+</span> <span class="s">"&lt;generated&gt;"</span> <span class="p">}</span> <span class="k">return</span> <span class="s">"&lt;unknown&gt;"</span> <span class="p">}</span> </code></pre> </div> kubernetes go Muaaz Saleem Fri, 06 Nov 2020 11:32:51 +0000 https://forem.com/muaazsaleem/the-2-main-parts-of-a-kubernetes-validating-admission-webhook-11ga https://forem.com/muaazsaleem/the-2-main-parts-of-a-kubernetes-validating-admission-webhook-11ga <h2> Validating Admission Webhooks </h2> <p>Validating Admission Webhooks can be used to intercept requests to the API Server and validate new and updating resources. For example, you could have a Validating Admission Webhook that keeps new <code>Deployment</code> objects from being created if they're missing an <code>application</code> label. You could also keep certain resources from being updated.</p> <ul> <li>A Validating Admission Webhook has 2 main parts: <ul> <li>A Webhook Server</li> <li>A <code>ValidatingAdmissionWebhookConfiguration</code><a href="//./1603316619167.png">resource</a> </li> </ul> </li> </ul> <blockquote> <p>Note: The code examples and a couple passages in this post are borrowed from the <a href="https://github.com/kubernetes/api/blob/c59710ee51e70325197298cd6243d32f1aa85df0/admission/v1/types.go#L33" rel="noopener noreferrer">Dynamic Admission Control</a> reference. Shared under the <a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/" rel="noopener noreferrer">Creative Commons Attribution 4.0 International</a> Lisence.</p> </blockquote> <h2> The Webhook Server </h2> <p>The webhook server is just a webserver that handles "validation" requests from the API server. </p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F7xli7795fe2ayecwlgh8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F7xli7795fe2ayecwlgh8.png" alt="Alt Text" width="800" height="600"></a></p> <p>These requests are regarding specific resource types and object changes. For example, creation of a Deployment resource. This is specified in the <code>ValidatingAdmissionWebhook</code> for the admission webhook.</p> <p>The webserver communicates with the API Server over HTTPs (<code>TLS</code>) and therefore requires a TLS cert and key pair.</p> <h3> Requests </h3> <p>Webhook Servers a.k.a webhooks, are sent a <code>POST</code> request, with <code>Content-Type: application/json</code>, with an <code>AdmissionReview.Request</code> <a href="https://github.com/kubernetes/api/blob/c59710ee51e70325197298cd6243d32f1aa85df0/admission/v1/types.go#L33" rel="noopener noreferrer">API object</a> in the <code>admission.k8s.io</code> API group serialized to <code>JSON</code> as the body.</p> <p>This example shows the <em>abridged</em> data contained in an <code>AdmissionReview</code> object for a request to update the scale subresource of an <code>apps/v1 Deployment</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": { # Random uid uniquely identifying this admission call "uid": "705ab4f5-6393-11e8-b7cc-42010a800002", # Name of the resource being modified "name": "my-deployment", # Namespace of the resource being modified, if the resource is namespaced (or is a Namespace object) "namespace": "my-namespace", # operation can be CREATE, UPDATE, DELETE, or CONNECT "operation": "UPDATE", # object is the new object being admitted. # It is null for DELETE operations. "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...}, # oldObject is the existing object. # It is null for CREATE and CONNECT operations. "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...}, # dryRun indicates the API request is running in dry run mode and will not be persisted. # Webhooks with side effects should avoid actuating those side effects when dryRun is true. # See http://k8s.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request for more details. } } </code></pre> </div> <h3> Response </h3> <p>The webhook server responds with a <code>200</code> HTTP status code, <code>Content-Type: application/json</code>, and a <code>body</code> containing an <code>AdmissionReview.Response</code> object (in the same version they were sent), with the response stanza populated, serialized to <code>JSON</code>. At a minimum, the response stanza must contain the following fields:</p> <ul> <li> <code>uid</code>, copied from the <code>request.uid</code> sent to the webhook</li> <li>allowed, either set to <code>true</code> or <code>false</code> </li> </ul> <p>Example of a minimal response from a webhook to allow a request:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": { "uid": "&lt;value from request.uid&gt;", "allowed": true } } </code></pre> </div> <p>Example of a response to forbid a request, customizing the HTTP status code and message:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{<br> "apiVersion": "admission.k8s.io/v1",<br> "kind": "AdmissionReview",<br> "response": {<br> "uid": "&lt;value from request.uid&gt;",<br> "allowed": false,<br> "status": {<br> "code": 403,<br> "message": "You cannot do this because it is Tuesday and your name starts with A"<br> }<br> }<br> }<br> </code></pre> </div> <h2> <br> <br> <br> ValidatingWebhookConfiguration<br> </h2> <p>The <code>ValidatingAdmissionWebhookConfiguration</code> specifies what object type and request methods should the webserver be called on. The <code>Configuration</code> resource also specifies the TLS <code>caBundle</code> the API server should use to connect with the webserver.</p> <p>An example <code>ValidatingWebhookConfiguration</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: admissionregistration.k8s.io/v1<br> kind: ValidatingWebhookConfiguration<br> metadata:<br> name: "pod-policy.example.com"<br> webhooks: <ul> <li>name: "pod-policy.example.com" rules: <ul> <li>apiGroups: [""] apiVersions: ["v1"] operations: ["CREATE"] resources: ["pods"] scope: "Namespaced" clientConfig: service: namespace: "example-namespace" name: "example-service" caBundle: "Ci0tLS0tQk...&lt;<code>caBundle</code> is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.&gt;...tLS0K" admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: 5 </li> </ul> </li> </ul></code></pre> </div> <h2> Further Resources </h2> <ul> <li>To learn more about validating admission webhooks and dynamic admission control in general, see the <a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/" rel="noopener noreferrer">Dynamic Admission Control</a> reference from the <a href="https://kubernetes.io/docs/home/" rel="noopener noreferrer">Kubernetes docs</a>.</li> <li>You can find the definitions of the <code>AdmissionReview</code> object in <a href="https://github.com/kubernetes/api/blob/c59710ee51e70325197298cd6243d32f1aa85df0/admission/v1/types.go#L40" rel="noopener noreferrer">k8s.io/api</a> repository.</li> <li>I also like to look at the Kubernetes API reference. You can find the <code>ValidatingAdmissionConfiguration</code> spec <a href="https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#validatingwebhookconfiguration-v1-admissionregistration-k8s-io" rel="noopener noreferrer">there</a>.</li> </ul> kubernetes go