Explore Kubernetes architecture, frameworks, and interfaces. Gain insights into deployment, scaling, and management of containerized applications. Discover extensibilities and get hands-on customizing Kubernetes.

k8s-go.tar.gz

k8s-go-v2

go-env-v2

Kubernetes is a popular open-source container orchestration system that automates the deployment, scaling, and management of containerized applications. This course is designed to provide a comprehensive understanding of Kubernetes and its programming concepts. You’ll dive deep into advanced topics of Kubernetes.

This course will cover topics such as Kubernetes architecture, frameworks, plugins, and interfaces. You’ll also learn the powerful extensibilities of Kubernetes and make full use of these built-in capabilities to build your customized Kubernetes.

This course is ideal for developers, DevOps engineers, and system administrators who want to learn how to master Kubernetes. By the end of the course, you’ll have a solid understanding of Kubernetes, its programming concepts, and be able to deploy, scale, and manage containerized customizations on Kubernetes. You will also get hands-on experience extending Kubernetes to meet your requirements.

Programming with Kubernetes

# Authentication and authorization

All the requests that are being sent to the `kube-apiserver` need to pass through the authentication, authorization, and admission control stages, and then come to the final resource validation and persistent storage stages.

It's quite straightforward that all the requests need to get authenticated and authorized, because we need to know exactly who the request senders are and make sure they have the privileges to do these operations.

# Why do we need admission control?

The `kube-apiserver` serves all the CRUD requests. However, sometimes we need more granularity on the resource operations, not only RBAC rules. For example, creating a resource in a terminating namespace shouldn't be allowed. Pods running with insecure or malicious Docker images may put the whole cluster in danger. Sometimes, we want to add our own rules and strategies when objects are being created, updated, and deleted.

As a result, we need to have a way to intercept the requests and make some decisions to allow or deny the requests, apply our default configurations, inject sidecar containers, etc. These admission controllers work as gatekeepers that enforce a series of configurable rules to check the validity of the requests and allow customizations on what is allowed to run in our cluster.

## Advantages of admission control

Admission controllers bring in multiple advantages, such as:

- **Security:** Admission controllers help tighten the security of the Kubernetes cluster. Several built-in admission plugins on security are provided, such as `PodSecurity`, `StorageObjectInUseProtection`, `ImagePolicyWebhook`, `NodeRestriction`, etc. These plugins keep the cluster safe and help keep the Pod running in a deterministic state.
- **Governance:** The `kube-apiserver` provides services not only for Kubernetes components, but also for other users/clients. A group of plugins like `EventRateLimit`, `ResourceQuota`, `NamespaceLifecycle`, `AlwaysPullImages`, and `CertificateSigning` can help us better govern the cluster. For example, too many events may flood the `kube-apiserver`. Setting limits on resources can help keep our cluster from resource exhaustion. The admission plugin `NamespaceLifecycle` can't help prevent the deletion of Kubernetes reserved namespaces (`kube-system`, `kube-public`, `default`) and creating resources in terminating namespaces.
- **Defaults:** Sometimes, we might want to set a default value on the objects being created and updated. For example, we may want to apply the default resource limits and requests. Plugins like `LimitRanger`, `DefaultStorageClass`, `ServiceAccount`, `RuntimeClass`, etc., can inject default values and configurations when creating Pods.
- **Third-party integration:** In addition to the built-in logic, `ImagePolicyWebhook`, `ValidatingAdmissionWebhook`, and `MutatingAdmissionWebhook` also provide us with ways to implement our own strategies. By running as an external service, the `kube-apiserver` will call the webhook to do the validating or mutating operations.

Get introduced to admission control in Kubernetes.

Before Getting Started

Kubernetes Architecture

Customizing AuthX

Dynamic Admission Control

Customizing Schedulers

Extending APIs with CustomResourceDefinition (CRD)

Extending APIs with Aggregated APIServer

Container Network Interface

Container Runtime Interface

Extend kubectl

How to Write Good Kubernetes Operators

Assessment of Programming with Kubernetes

Wrap Up

Introduction to Admission Control

Authentication and authorization