From YouTube: Breakout Session: Guard Your Kubernetes Door with Admission Controllers - Andika Kurniantoro
Description
Kubernetes is a complex and highly distributed platform. As your organization grows, it gets more challenging to maintain your policies and compliance.
One underrated built-in feature of Kubernetes is Admission Controllers. They can audit and enforce policies and compliance on most requests coming through the Kubernetes API. On the other hand, many platform engineers working with Kubernetes aren't aware of this feature.
In this talk, we will dive deep into Kubernetes admission controllers, how we can leverage their potential, and a brief demo of building our own custom admission webhook with Python.
Sometimes the admin is not aware of it, and that is why it is better for every engineer and cluster admin to understand the concept of this admission controller, because it actually has great potential and can be used for many good things. So I have been given 30 minutes, and this includes questions and answers, if you have questions. So let's divide this session into several parts. Okay. After this we'll talk a little about security and compliance in Kubernetes, then we'll mention a little bit about the Kubernetes API server, which I'm sure many of you already understand. Then little by little we start to go into admission controllers. We will peel off the outer shell of the admission controller first. We will not go too deep into the built-in ones and so on, and we will focus more on dynamic admission control, namely validating webhooks and mutating webhooks. There will be a little demo, so we'll see how we can enforce the policies we have with the two dynamic admission controls, okay?
My name is Andika and I currently live in Singapore. I just moved, well, moved across the ocean to Singapore to be precise, in April 2018, and while working here I have worked at two companies. The first was an early-stage startup. The second is where I work now, an enterprise from America, so it's really a jump; I jumped from a small startup to a large corporate, but it didn't matter. It became more enriching. Let me step back a little. I started my professional career in 2007 and have been consistently in infrastructure until now, so I worked in Jakarta from 2007 to early 2018, then moved to Singapore, where I've been until now. Okay, so a little story about the company where I work now, so that later there's a bit of context.
Why are we so strict about enforcing policies, why is compliance here such a big thing, and why is the infrastructure audited? Okay, so the company I work for now is called Illumina, headquartered in San Diego, California. We are also active in humanitarian initiatives involving DNA and genetics: research on rare cancers, genetic mutations, or rare diseases caused by genetics, and most recently, of course, we play a very active role in handling the pandemic all over the world. My friends like to hear "oh, they found a new variant of COVID-19"; it's almost certain that the information was read using Illumina's instruments. Illumina's instruments are quite dominant, yes, because for DNA sequencing instruments in science they still hold more or less 70% of the market around the world. Okay, that's enough of that, the context is enough. As far as I know, in Indonesia there are already several Illumina instruments at several institutions: the government, the Eijkman Institute, and others. Now back to policies: because we have to handle very, very sensitive data and DNA information, we are very disciplined in terms of security and compliance.
Are you familiar with this diagram? So this is the Kubernetes API server, and this is the flow of a request. Whatever we do in the cluster, starting from creating a new pod, creating a new namespace, deleting a pod, creating a deployment, etc., all of that is actually an API call. In general it looks like this, and of course all API calls will go through these stages. Okay, so for example, I want to create a new pod. Of course, the most visible way is to use the YAML syntax: I'll prepare the file first, and so that it's fast and practical, I'll immediately execute it using kubectl apply -f file.yaml, for example. Well, first it will check my identity... Oh sorry, okay, I think I made a mistake, this is a slide animation, okay, sorry. This is actually in this part here. I'm testing it, but anyway, sorry. So first it will check authentication and authorization. Authentication is checking: do I have the right to call the API server? Authorization is: do I have the right to do this action, in this case to create a new pod? If everything is OK, authentication and authorization, then it will enter mutating admission, which we will discuss in more detail in a moment, and then continue to schema validation to see if there is a problem with my YAML syntax, then go to validating admission. And lastly, if everything is okay, then the object is saved to etcd, and from there the scheduler will execute it, and so on and so on. Okay, and after this we're going to be very focused on these two things: oh, wrong again, this should be, sorry, yes, mutating admission and validating admission, ok.
Let's apply this to some examples, to be more detailed. Okay, for example, in the context of Kubernetes, our policies will be, for example: we have several policies. The first policy we want to enforce is that the deployment must be free from malicious software, or malware. So no deployed containers that contain malicious tools. The second example is that all resources running in the cluster must be clear about who the owner is, so that when there is a problem, a problematic pod or a deployment that has a problem, we don't end up unable to quickly know whose it is and who is responsible. OK, the third example: all pods running in the cluster must have explicit resource limits. So you can't deploy a pod with no CPU and memory usage limits; that can't be allowed, that can't be called compliant. We as administrators have to be able to translate these policies. The previous example was a policy that could be implemented, because what it says, for example that the container being deployed is not allowed to have malware, is something everyone knows, but how we can enforce this policy on the cluster is a different story, and different organizations will have different methods. Okay, so an example for the first policy, the container that gets deployed, let's say it has to be free from malware: actually we'll cover this...
Okay, so maybe I don't have to use it; the video shouldn't... Okay, I hope it's back. Okay. Oh yes, it was hidden, okay. So we put the clean container into a clean repository, then across all the cluster's activities, all the pods we want to deploy, we force it so that it can only pull Docker container images from the repository we cleaned up earlier. How do we force this? To enforce this, later we will use something called admission controllers.
Okay, we go into the admission controller. In short, the admission controller is, yes, we can say a code or script that will intercept all requests that go to the API server, and the first thing it can do is validation. Validation means we make rules, then it will match the rules that we have against the objects that enter our cluster. If the object complies with the rules that we have, it can enter; if it doesn't meet the requirements of our rules, it doesn't match, okay, we'll reject it. That's called validation. The second is mutation: we change some parts of the object, OK? For example, you can add a label, or add a volume, or add a sidecar container. So there are two types of admission: the first is just validating, between passing and failing. The second is doing mutations.
And we will know that all of this is actually built in by default. So for this time we will discuss these two webhooks that we can tinker with. Okay. Actually, to build a set of policies, there's a tool that is very popular called Open Policy Agent, or OPA. But if we want to implement it, we have to learn a scripting or something; I don't really agree if you call it a language, there's a name for the scripting. For today's demo, we're going to try something simpler: Kyverno, or Kyverno in Greek; I'm not really sure which pronunciation is standard. So yes, the open source project can be seen here. In my opinion it is quite capable enough to enforce our policies. It uses the admission controller, so it can validate, it can mutate the object, it can even generate a new resource, and so on. All of this, keep in mind, it has deep features.
I hope it's still there. Yes, it's still there and it's still clean. Okay. Let's go, first I'm going to install Kyverno. Actually here, if you come to the Kyverno website, they give you a guide for installation and it's very easy
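As an added example, not code from the talk or from Kyverno: a minimal validating-webhook decision function in Python that enforces the three policies described above (images only from a trusted registry, an owner label, explicit CPU and memory limits) on the AdmissionReview request the API server sends; the registry prefix, label name and sample request are assumed values constructed here.

```python
import json

# Constructed policy values (assumptions, not from the talk): the trusted
# registry prefix, the label that names the owner, and the limits each
# container must declare explicitly.
TRUSTED_REGISTRY = "registry.example.internal/"
OWNER_LABEL = "owner"
REQUIRED_LIMITS = ("cpu", "memory")

def check_pod(pod: dict) -> list:
    """Return the list of policy violations for a Pod object (empty list = allowed)."""
    violations = []
    labels = pod.get("metadata", {}).get("labels", {}) or {}
    if not labels.get(OWNER_LABEL):
        violations.append(f"pod must carry the '{OWNER_LABEL}' label")
    spec = pod.get("spec", {})
    # Init containers run code too, so they are held to the same rules.
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRY):
            violations.append(f"container '{name}' image '{image}' is not from {TRUSTED_REGISTRY}")
        limits = c.get("resources", {}).get("limits", {}) or {}
        missing = [r for r in REQUIRED_LIMITS if r not in limits]
        if missing:
            violations.append(f"container '{name}' is missing limits: {', '.join(missing)}")
    return violations

def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response a validating webhook returns to the API server."""
    request = admission_review["request"]
    violations = check_pod(request["object"])
    response = {"uid": request["uid"], "allowed": not violations}
    if violations:
        # The message is what kubectl shows the user when the request is denied.
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

# Constructed sample request, shaped like what the API server POSTs to the webhook.
SAMPLE = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1", "kind": {"group": "", "version": "v1", "kind": "Pod"},
                "object": {"metadata": {"name": "demo", "labels": {}},
                           "spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:latest"}]}}},
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE), indent=2))
```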