Hello. Welcome to Kubernetes Admission Controllers from Scratch. I'm going to whack an "ish" on there because I can't teach you all of the underlying technologies surrounding it. So there's going to be a little bit of what I'm not going to show you, and then a little bit of what we are going to learn. It is an Instruqt workshop, so it kind of should guide you through what we're going to do without too much interaction. However, if you get stuck, these are my lovely and talented proctors. This is Matt Johnson and Angela Gizzi. I've been saying it wrong the whole time. My name's Steve Giguere. Do you want to introduce yourselves, or should I say anything about who you are? No, great. Anonymous, that's what security is all about. If you know what Admission Controllers are, great. Hands up if you know what they are already. You're like, cool, I just want to learn how to make one. That's most of you. Yeah, it's essentially a very simple Kubernetes webhook that intercepts any request to instantiate or make something persistent within etcd and then checks it to make sure it is doing something sensible. There are a lot of different types of Admission Controllers that are built into Kubernetes. We're not going to talk about all of them. We're only really going to talk about validating Admission Controllers. This is what some people consider the last line of defense to make sure you haven't done something absolutely horrendous. It should never be your first line of defense. And we're going to talk a little bit about consistency of policy as code as a takeaway from this, because ideally, you've done everything by the time you get to an Admission Controller, and it's just making sure that you're not changing or manually doing something that's going to absolutely shoot you in the foot. Just as a little bit of a reminder, the two types of dynamic Admission Controllers are validating and mutating. The validating is the one I just mentioned.
It passes an AdmissionReview request to validate what it is, and that's encapsulating the object you're trying to persist. And as part of this workshop, we're going to see what that looks like. And that was one of the most important pieces that I had to get through. A little bit of background. The reason this workshop exists is because I had to write an Admission Controller for the open source project I work on, which is called Checkov. It's a policy engine written in Python. And they asked if we could have an Admission Controller, and I thought, no problem. So I went online looking for information on how to write one, and there is hardly anything, really. There's no description of the AdmissionReview object anywhere in the documentation, so I thought, oh, good god. All right. So this is me documenting what I did and then turning it into a workshop for you. Mutating Admission Controllers, finger in the air as to whether I agree with them or not. I don't think you should ever mutate anything on its way in. Sometimes you need to, but I think it's just generally a bad security practice. And don't argue with me after it's over. The anatomy of it is very simple. There's an API handler. It authenticates to make sure you're even allowed to. The mutating Admission Controllers will modify whatever you're doing. Then once the schema is validated, just to make sure it's not total nonsense, it goes to the Validating Admission Controller, and we're going to write that little webhook code implementation piece together today. And if it is acceptable, it becomes persistent in your cluster. I stole this diagram from Sysdig. Thanks very much, Sysdig, for that. What is going to be in our container today? We're going to be using a bunch of technologies that I'm not going to necessarily teach you how they work, but we're going to see a demonstration of what they do. We're going to use Gunicorn, I don't know how to say it, WSGI, as a conductor for the format of the Admission Control.
We're going to make a Python Flask application. I will provide a lot of little frameworks that will just have big gaps in them, and that's what we're going to fill in. I'm not going to say, here's a blank screen, write your Python webhook from nothing. Not that mean. We'll deal with the manifest, the admission configuration, the deployment. We'll generate some certs, and we'll create the service manually using kubectl. All of this will be provided to you via Instruqt. The link for Instruqt, I have put it in so many places because I had no idea how to convey it to you all when you're all sitting there with 20 different laptops. We're also going to use this. If you've ever seen this before, hands up if you know it. It's awesome. It's a totally anonymous ephemeral registry. You don't need authentication. You can push images and pull, and we're going to use it today, and just put a time limit on it based on the tag, and you're going to see how that works. It's really good for both workshops and capture the flags. Keep that in mind. Should you be in a capture the flag in the near future, it might help you solve some problems, not busting control plane on that at all. What we won't cover today: the vast list of existing admission controllers. I'm not going to get into the new alpha feature for validating admission controllers that comes with Kubernetes 1.26, the Common Expression Language one, because it's not 100% totally functional. So it would be a disaster. Come to the next SecurityCon, and I'll do that one. Not going to get into how to create a Flask application, but I will provide you a basic framework, and you will learn from it. You don't need deep knowledge of Kubernetes manifests. We either provide you with it, or if it's generatable, because some you can from kubectl just do a dry run and generate what you want. If it was possible, I'd do that. The admission configuration, there's no way to generate it. So I've given you the shape of it.
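The webhook piece the talk describes above (an AdmissionReview request comes in, the Pod is checked, and an AdmissionReview response goes back with the request's uid echoed) as an added example, not the workshop's own code or Checkov's. The sample request, the three checks and the `/validate` route are constructed here for illustration; the Flask wiring at the bottom is hypothetical and only runs when the file is executed directly.

```python
import json
from typing import Any, Dict, List

# Constructed sample of what the API server POSTs to a validating webhook
# (admission.k8s.io/v1). The Pod inside it is deliberately bad.
SAMPLE_REVIEW: Dict[str, Any] = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-0001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "default", "operation": "CREATE",
        "object": {
            "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
            "spec": {"containers": [
                {"name": "app", "image": "app:latest",
                 "securityContext": {"privileged": True}}]},
        },
    },
}

def find_violations(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable reasons to deny a Pod (empty list means allow)."""
    problems: List[str] = []
    spec = pod.get("spec", {})
    pod_nonroot = spec.get("securityContext", {}).get("runAsNonRoot") is True
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"container {name!r} is privileged")
        if sc.get("runAsNonRoot") is not True and not pod_nonroot:
            problems.append(f"container {name!r} does not set runAsNonRoot: true")
        if ":" not in image or image.endswith(":latest"):
            problems.append(f"container {name!r} uses an unpinned image tag")
    return problems

def review(admission_review: Dict[str, Any]) -> Dict[str, Any]:
    """Build the AdmissionReview response; response.uid must echo request.uid."""
    req = admission_review["request"]
    problems = find_violations(req["object"]) if req["operation"] in ("CREATE", "UPDATE") else []
    response: Dict[str, Any] = {"uid": req["uid"], "allowed": not problems}
    if problems:  # the message is what kubectl shows the user on denial
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

if __name__ == "__main__":  # hypothetical Flask wiring; needs Flask installed
    from flask import Flask, request, jsonify
    app = Flask(__name__)
    app.add_url_rule("/validate", "validate", lambda: jsonify(review(request.get_json(force=True))), methods=["POST"])
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
    app.run(port=8443)  # in a cluster this sits behind TLS; webhooks require HTTPS
```

Run as a script it prints the denial for the sample Pod and then serves `/validate`; the API server's webhook call would be terminated with the certs the workshop generates.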
And I'm not going to go too deep on kubectl. All commands are provided with an explanation. You can cut and paste. You can be super lazy on this, or you could dive as much as you want. Pre-requisites: you do need some way to get access to a terminal. Laptops, I see most people have that, which is awesome. The Kubernetes cluster will be provided, just a single node. I will ask you to be kind to the Kubernetes cluster and be kind to the VM that you get provided by Instruqt, because it looks like you kind of have good access to it. I don't know. So don't mess around. And you need the Instruqt workshop invitation. So there's many ways to get access to it. If you're on the CNCF Slack, there is a channel now called CNSC AC Workshop. You can go to the channel, you can join it, you can ask questions via the channel, I'll be watching it. And the link is the first thing that's posted in that channel. You just click it and boom, you're going to have your invite. It will ask you for your name and email. That is only so I can tell via the dashboard who you are. I'm not going to use your email for anything evil. It's just there. I tried doing the workshop with it anonymous, and all of the workshops just had squiggly anonymous names. So you'd ask me about a problem, and you'd say, I can't see. I can't log into where you are to fix it, because I don't know who you are, just some random code. So we decided to do it that way. For which I apologize. So the QR code does it, the link there. If you go to Sched, the slides are there, and the link is in the slides. If you go to Sched and you find my profile, enter my profile, there's a website, it's the invite. So there's like five ways to get this invite. One of them should work. I hope. I think I pre-started something like 20 VMs. One, two, three, four, five, six, seven, eight, nine, ten. Okay, so slightly over 20, so some of you may have to wait three minutes when you first go in, because that's how long it takes to start.
Those of you who are impatient will be rewarded, because there should be some hot VMs ready to roll. Is there any afterwards? Takeaways. What I'm hoping you get out of this is, admission controllers are good. That's good. The basics of how they work under the covers, I shouldn't say that, under the hood, that sounds less weird. How to build a basic admission controller. What a secure Kubernetes manifest looks like. There's some additional takeaways in terms of security. I hand you a deployment, but it's actually a deployment that passes almost every possible check, whether it be OPA or Python or Kyverno, it will pass everything, because if you're gonna build an admission controller that's checking, you shouldn't be a hypocrite, you should actually be using a secure deployment in the first place, and it's actually really hard to make one of those. So I've kind of handed you an almost finished deployment that does all the good things. Taking it to the next level with a policy-as-code engine. The last step, we actually add the open-source project that I'm working on, and as is Matt back there, he is a co-author and co-contributor to Checkov. We're gonna add that as the last step, and you can suddenly get a policy engine with thousands of rules and go from zero to hero really fast. And then talk a little bit about policy consistency, because the reason we created the admission controller in the first place is because we had our policy engine embedded into the IDE, it works in VS Code, and it was all great, but we didn't have anything at the end, so we just tried to make the whole thing consistent, and this is where it came from. The complete super done version of this is called Whorf. I worked with a startup now acquired called Bridgecrew. There's a Star Trek theme, and if you cotton on to that, the open-source is called Checkov, the admission controller is called Whorf, chief of security, you see what I'm doing there? All right. You can go check that out.
If you wanna see what the result of this thing is, but amped up, you can go check that out under Bridgecrew, and we can do it. So I think we're ready to go. Forget that. Hands up if you cannot get the link. Everyone has, okay, better. Hands up if you can get the link just so I know you're all good. All right, everyone's moving. If everything seems good and you've got it started, excellent. If you wanna ask questions, feel free. It should be kind of a DIY. The fastest person who did it, by the way, both Angela and Matt did it. Angela's kind of our marketing guru. No real Kubernetes experience. Did it in about the time allotted. Matt knows a ton about Kubernetes, got it done in about 40 minutes, and barely read anything. So I figure, depending on what you can do, you should be able to get this done pretty quick. Cool? All right, away. I'm gonna put it up on the screen, but you don't have to talk to me unless you really need help. You can ask questions just live or via the Slack, and go. Oh, something I should note. I didn't turn off this, the skip-to, because I can, but I thought, well, if you just decide whatever, you can jump. The workshop will be available for a couple days after, so once you get started, you can come back to it. Or if you screw up and exit for some reason, and you were at level four, you can jump with skip-to, and I've got scripted back ends that actually do it, does all the thing for you, and puts all the things in place. You can kind of jump around. You can cheat to your heart's content, essentially. And yes, it is competitive. There is a leaderboard I am watching. Just based on that, the biggest problem anybody ever had doing this was cutting and pasting. Particularly with the YAML indenting, so double check if something goes wrong. That's generally why. The code editor does a good version of highlighting indenting problems. So if you see a red squiggle, you've done something wrong.
I probably should point out that the sign outside the door says the workshop goes till 11:35. That isn't correct. It goes until 12:25. The screen was wrong. So just in case you're wondering, you're expecting it to end right now. It's never gonna end. Who's winning, Steve? It's never a competition, but it is. So Josh is winning. Who's Josh? Yeah, you're killing it. Although people are catching up, so there's time left yet. Yeah, three and four are the hardest, I think. So if you pass that, you're on the home stretch. There's no real prizes, it's just pride. There are like stickers and junk on the back corner. If you like stickers, then when you're done, you can feel free, and pins. Snazzy pens. Snazzy pens. Yeah. Is everyone doing okay? Does anyone need a hand? No, all good. You can tell Matt's bored. Most of you are probably past it, but you would notice that when the docker build goes, there's a couple of red warnings. I tried to get rid of as many warnings as I could, but then I was like, gosh, they're all fine. They're just warnings for certain things missing in the container. V2 of this, I'll get rid of all the warnings. The other thing was there was a question about the label that gets added to the namespace and why that's there and why it's blocking. I do mention it in the text. I do mention as well at the very end of the workshop, like a quick key takeaway, is that having a label you can add to a namespace to make the entire namespace ignored. I did not do that when I first wrote this, and I shut down all the kube-system stuff by accident. So not only do you want to add it to your own admission controller namespace, you would actually add it to all the kube-*, just to make sure you don't actually kill off your entire infrastructure by accident. We don't have a prize for finishing first, but if you just want to look over and make them feel uncomfortable, they're leaving. Well done.
30 minutes is about the fastest Matt did it, and Matt actually helped write the thing. One thing before you go, and I'll say to you, and I'll say to everybody else, there is an AC workshop in GitHub under my ID, EuroGig. That's where it gets cloned from, but I deleted the .git in the VM. So if you wanted to, you could set the config and push it into your own Git, so you have it, and the VM will be live for another day, so you can do it whenever, cool? All right, awesome. If you get to the very end, I have worded something badly if you happen to get there. You can sort of see on the screen, this is not what it looks like to you, but this is what the text looks like. This "if result == true". I don't want this to go here. I want it to go after the else. Here, I worded that badly, so do not; I will change it in future workshops. We have three minutes until we'll be violently ejected from the room by the police. So I'm gonna say if you wrap up things, first one, you can just keep doing this. This is a good venue for you to ask questions if something goes wrong, but I'll still be on the Slack during the day if you have a problem, if you're not done. If you do get done, awesome. The VM I just checked, I thought I set it up for a day. I set it up for three days. That's what happens when Instruqt gives you this particular workshop about paying for it, is I abuse the resources. So you will have it for a few more days if you wanna play with it or redo it or copy it. As I said earlier, there's no .git, so if you want to do a git config and push a result and then you have it for later, awesome. If you didn't get to the end, there's a feedback form that Angela's added just to see if you wanna learn more about open source projects that we do, fill it in. If you don't, it's optional. You could just click check and skip the whole thing, but please do, because we like to inform you.
There's swag at the back, and if you wanna see what the end is, you can go to github.com/bridgecrewio/whorf, and this is where this went after. This is how I built the first prototype, and then from there we've expanded it out. You'll see very similar Kubernetes manifests, services, all of this stuff is here. Looking very similar to what you built, it's just you'll find the app is a little bit more decked out, and there's a lot more going on inside the work.py. So if you kinda just wanna see how to extend it, go check it out. Otherwise, I think, any other words of wisdom that I missed, Angela or Matt, or are we good? Thanks for coming, and thanks to Instruqt for hosting our workshop stuff. Yeah, yeah, big shout out, it's really easy. If you're not using Instruqt, it's super-duper easy to make workshops. I'm super happy. It's like plugging away at this thing, like going how on earth am I gonna do this and distribute it, but it's easy. Otherwise, I think I just chewed up the last three minutes. We have one minute to get out. Thanks. Thank you.