THREAD: How does the Kubernetes API work?

The Kubernetes API is made of several smaller components.

In this thread you will learn about the components involved in storing resources in etcd.
1/10

When you type kubectl apply -f my.yaml your YAML is sent to the API and stored in etcd.

๐˜‰๐˜ถ๐˜ต ๐˜ธ๐˜ฉ๐˜ข๐˜ต ๐˜ช๐˜ด ๐˜ต๐˜ฉ๐˜ฆ ๐˜ˆ๐˜—๐˜ ๐˜ฅ๐˜ฐ๐˜ช๐˜ฏ๐˜จ?
2/10

The API has a single block in the diagram, but the reality is that several components are involved in processing your request.

The first component in the API is the HTTP handler.

You can think of it as a web server ready to receive HTTP requests:
3/10

In this part, the API has to make sure that:

- You have access to the cluster (authentication)
- You can create, delete, list, etc. resources (authorisation)

This is the part where the RBAC rules are evaluated.
4/10

So you're authenticated and you can create Pods, what's next?

The API passes the request to the Mutation Admission Controller.

This component is in charge of looking at your YAML and modifying it.

As an example, it could add a default storage class if you forgot one.
5/10

๐˜ˆ๐˜ง๐˜ต๐˜ฆ๐˜ณ ๐˜ข๐˜ญ๐˜ญ ๐˜ฎ๐˜ฐ๐˜ฅ๐˜ช๐˜ง๐˜ช๐˜ค๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ๐˜ด, ๐˜ฅ๐˜ฐ๐˜ฆ๐˜ด ๐˜ต๐˜ฉ๐˜ฆ ๐˜—๐˜ฐ๐˜ฅ ๐˜ด๐˜ต๐˜ช๐˜ญ๐˜ญ ๐˜ญ๐˜ฐ๐˜ฐ๐˜ฌ ๐˜ญ๐˜ช๐˜ฌ๐˜ฆ ๐˜ข ๐˜—๐˜ฐ๐˜ฅ?

The Schema Validation component makes sure that the resource is valid against the internal schema.

You don't want malformed YAML to be stored in the cluster.
6/10

If you tried to deploy a Pod in a namespace that doesn't exist, who stops you?

The Validation Admission Controller stops you.

Are you trying to deploy more resources than your Quota?

The controller stops you again.
7/10

If you managed to pass the Validation Admission Controller, your resource is safely stored in etcd.

Well done!

Now that you know about the Mutating Admission Controller, wouldn't it be great if you could design your own?

Good news, you can.
8/10

You can register your scripts with the Mutating Admission Controller.

You can also do the same with the Validating Admission Controller.

You could design your own checks and decide whether a resource should be rejected before it reaches etcd.
9/10
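As an added example (not code from the thread or from Learnk8s), here is the core of such a validating check in Go, written against the standard library only: it decodes the AdmissionReview that the API server POSTs to a registered webhook, runs one custom check (refuse any Pod that asks for a privileged container), and builds the AdmissionReview reply whose allowed=false keeps the resource out of etcd. The struct types are a hand-written subset of admission.k8s.io/v1, and the HTTPS server, its certificate and the ValidatingWebhookConfiguration that wire it into the cluster are assumed to exist around it.

```go
package main

import (
	"encoding/json"
	"errors"
)

// The part of the admission.k8s.io/v1 AdmissionReview the webhook reads (hand-written, stdlib only).
type AdmissionReview struct {
	Request *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"` // the Pod, after mutating webhooks have run
	} `json:"request"`
}
type pod struct { // only the Pod fields the check reads
	Spec struct {
		Containers []struct {
			Name            string                                    `json:"name"`
			SecurityContext *struct{ Privileged *bool `json:"privileged"` } `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

// ValidatePod is the custom check: refuse any Pod that asks for a privileged container.
func ValidatePod(obj json.RawMessage) (bool, string) {
	var p pod
	if err := json.Unmarshal(obj, &p); err != nil {
		return false, "object is not a well-formed Pod: " + err.Error() // fail closed
	}
	for _, c := range p.Spec.Containers {
		if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
			return false, "container " + c.Name + " must not run privileged"
		}
	}
	return true, ""
}

// Review turns the AdmissionReview the API server POSTs to the webhook into the reply it expects.
func Review(in []byte) ([]byte, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(in, &ar); err != nil || ar.Request == nil {
		return nil, errors.New("body is not an AdmissionReview with a request")
	}
	allowed, msg := ValidatePod(ar.Request.Object)
	resp := map[string]interface{}{"uid": ar.Request.UID, "allowed": allowed}
	if !allowed { // allowed=false is what keeps the resource out of etcd; the message reaches kubectl
		resp["result"] = map[string]string{"message": msg} // metav1.Status subset
	}
	return json.Marshal(map[string]interface{}{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}
```

A mutating webhook answers with the same envelope plus a JSON patch describing its changes, which is how sidecar injection is done.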

Two excellent examples of custom Admission controllers:

- Istio automatically injects an extra container into all Pods (mutation)
- Gatekeeper (Open Policy Agent) checks your resources against policies and reports violations (validation)
10/10

If you wish to explore more, check out this article on custom admission controllers banzaicloud.com/blog/k8s-admis…

Also @echorand is about to publish an article on the Learnk8s blog about custom validation checks. Subscribe to the Learnk8s newsletter here learnk8s.io/newsletter
Thread by Daniele Polencic