At Trendyol, we use Kubernetes Admission Webhooks quite heavily, because Kubernetes is an extensible platform and we love to extend it by writing our own Kubernetes Admission Webhooks and Operators according to our business requirements. If you decide to do the same within your organization, I wrote two blog posts (part 1 and part 2) about how to start writing your own Kubernetes Admission Webhooks; I recommend you take a look at those before continuing with this one. …
In the previous post, we mostly talked about writing Kubernetes Admission Webhooks using the operator-sdk tool and created our first Mutating Admission Webhook for our custom resource type. This time, we are going to create another type of Admission Webhook, called “Validating”, for core types such as Deployment, Pod, etc. instead of a custom resource type, because we may not always have a custom resource type. Also, we are going to use “kubebuilder” to scaffold the project template. Why? Because change is always good. …
Before jumping into the details of how we can write one of these, let's explain a little bit about what they are and what we can do with them.
An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to the persistence of the object, but after the request is authenticated and authorized. There are lots of admission plugins shipped with Kubernetes; you can check the list to get more detail about them. It is worth noting…
To recall our “Dynamic Config&Secret Management” solution in its simplest form, we can describe it as extracting the sensitive and non-sensitive configurations of the teams' applications into a file and keeping that file up to date as the values change. If you have not yet read the posts about our solution on this topic, I recommend you take a look at the posts at the links below, in order. 😊
To explain what we mean by “A Completely Different Perspective” in the title, the main purpose of this post is to brainstorm how we could have done it if we had designed our current solution differently, and, in fact, … which offers a solution similar to the topic we will discuss…
· ⛵☀️🌊 Our Journey of Developing a Dynamic Config&Secret Management Sidecar
· ✨ Dynamic Config & Secret Management Sidecar
∘ 👨 Our sidecar container must run as a non-root user
∘ 🧰 Our sidecar container must not contain any shell or package manager
∘ 📍 The process our container starts must run as PID 1 and be able to respond to termination signals
∘ 🛡️ How do we address the items we consider from a security perspective?
∘ ⚙️ How do we address the items we consider regarding the main process running as PID 1?
· 📝 Summary
· 👀 References
In our previous post, we talked about how we designed the Dynamic Config&Secret Management process together with Kubernetes and about our sidecar development process; in this post, the sidecar…
Let’s assume that we are a small organization, and at this organization we want to migrate our workloads onto Kubernetes, but security is our primary concern and not an afterthought. So, we have already set up our clusters by following the security best practices provided by the official Kubernetes documentation. But when our organization starts to grow, we have to make some decisions to protect our Kubernetes environment and control what end users can do on the cluster. …
I’m planning to create a series of posts related to Kubernetes auditing, and this post is the first part of that series. In the next post, I’ll show you how we can collect and visualize Kubernetes audit logs using the PLG (Promtail-Loki-Grafana) stack.
First things first, we need to explain what Kubernetes Audit Logs are and what treasures are hidden inside them for us, so let’s get started by explaining what Kubernetes Audit Logs are.
As you already know, Kubernetes has a control plane to manage the whole cluster lifecycle and this control…
One of the features of OpenFaaS is its auto-scaling mechanism. Auto-scaling means that you can scale your function instances up or down as demand changes. OpenFaaS also provides a feature called zero-scale; by enabling it, you can scale functions down to zero to recover idle resources.
Using OpenFaaS as an OPA Bundle API, you get all of these features by default with less effort. Also, you don’t have to manage the build/push and deploy phases of your Bundle API yourself.
In this post we are gonna learn:
In this guide, we are gonna talk about the journey of writing a kubectl plugin for Kubernetes Admission Webhooks. Let’s divide this article into three parts: first, we explain how we decided to write a plugin for Kubernetes Admission Webhooks; then, which tools we used for writing the plugin; and finally, how we distributed the plugin via Krew.
In this post, we are going to demonstrate how we can manage TLS certificates for our Kubernetes Admission Webhooks automatically with the help of our brand new project k8s-webhook-certificator and Helm Hooks.
Let’s give a quick introduction to what they are:
An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to the persistence of the object, but after the request is authenticated and authorized. The controllers, listed below, are…