The Difference Between Validating and Mutating Webhooks | by Bharathiraja | Nerd For Tech | Aug, 2022 | Medium


Kubernetes is a popular container orchestration tool developed by Google. It is used by software engineers to deploy and scale container-based applications in DevOps pipelines. Due to its popularity, many organizations are now adopting Kubernetes for deploying applications in the cloud.

The Kubernetes API server handles requests to create Kubernetes objects such as pods, services, deployments, storage, and persistent volumes, and stores the resulting object state in etcd. You can send these requests from the command line; however, developers generally prefer to describe objects in YAML, as it is easy to use and has a gentle learning curve.

You can customize how the Kubernetes API server behaves. Kubernetes offers custom resource definitions (CRDs) and custom controllers to extend the server’s built-in functionality. It also offers another useful feature, the admission webhook, which can modify (mutate) the incoming request object and approve or reject (validate) the request. To validate and mutate request objects, you need a Kubernetes admission controller.

This will be very difficult to follow if you do not understand mutation and validation. So, first, you need to understand what validation is. Let’s see a simple use case.

Say, for example, you are creating a pod named ‘app-oracle’. Your organization might have rules about pod names; for instance, it might forbid database product names and programming language names in a pod name. You would then have to reject any pod creation request whose name violates that policy. This can be done with a validating admission controller.

Whenever you request the creation of a pod that contains an inappropriate name, that pod creation will fail if you use the validation webhook. This is just one example of validation. Validation is like validating a mobile number, email, credit card number, etc. So, you can create custom validation rules using the validation webhook.

Mutation means you can modify the request to fit your needs. Say, for example, you send a request to the Kubernetes API server to create a pod, but it is missing some labels: the developer did not set them. Syntactically those labels are optional, but assume your organization requires them. With a mutating webhook you can add the missing labels to the request before it is validated, so validation does not reject it. The mutating webhook adds those labels with default values even when the developer omits them.

Mutation is the first webhook in the chain: it modifies the request data according to its conditions. The validating webhook then checks whether the (possibly mutated) request contains valid data. If validation passes, the API server stores the object’s state in etcd and returns a success response. If validation fails, it returns an error response.

The admission controller intercepts the incoming request to the Kubernetes API server before storing the object in the etcd but after the incoming request is authenticated and authorized. Mutation and validation can be done using admission controllers. The Kubernetes API server has two admission controllers. They are MutatingAdmissionWebhook and ValidatingAdmissionWebhook.

The following diagram explains how the request is passed to the Kubernetes API server. First, the API request is authenticated and authorized. Then, the mutation webhook modifies the request data based on the conditions. Thereafter, the validation webhook validates the request data to approve or reject the request. If the validation is a success, the Kubernetes component is created and stored in the etcd.
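As an added example (not code from the original article or from the GitHub demo it links to), the Go program below implements both halves of the flow just described against the admission.k8s.io/v1 AdmissionReview shape: `Mutate` adds missing labels as a JSON patch, and `Validate` rejects a pod whose name contains a forbidden term. The forbidden terms, the required labels (KUBE=true and a minimum pod lifespan value of "1h") and the request UID are constructed for the example; the struct types are a hand-declared subset of the real API types so the code runs with the standard library alone. Both functions fail closed: a request whose object cannot be decoded is denied rather than approved.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-declared subset of admission.k8s.io/v1 AdmissionReview so the example runs on
// the standard library alone; the real types live in k8s.io/api/admission/v1.
type (
	AdmissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *AdmissionRequest  `json:"request,omitempty"`
		Response   *AdmissionResponse `json:"response,omitempty"`
	}
	AdmissionRequest struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"` // the Pod being created, as the API server sent it
	}
	AdmissionResponse struct {
		UID       string  `json:"uid"`
		Allowed   bool    `json:"allowed"`
		Status    *Status `json:"status,omitempty"`
		PatchType *string `json:"patchType,omitempty"`
		Patch     []byte  `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
	}
	Status struct {
		Message string `json:"message"`
	}
	// podMeta is the part of the Pod object both webhooks inspect.
	podMeta struct {
		Metadata struct {
			Name   string            `json:"name"`
			Labels map[string]string `json:"labels"`
		} `json:"metadata"`
	}
	jsonPatchOp struct { // one RFC 6902 operation; a mutating response carries a list of them
		Op    string      `json:"op"`
		Path  string      `json:"path"`
		Value interface{} `json:"value,omitempty"`
	}
)

// Constructed policy (an assumption for this example): terms forbidden in pod names.
var forbiddenNameParts = []string{"oracle", "mysql", "postgres", "java", "python"}

// Constructed defaults the mutating webhook injects when a label is absent.
var requiredLabels = []struct{ key, value string }{{"KUBE", "true"}, {"min-pod-lifespan", "1h"}}

// respond wraps a response; the UID must echo the request's or the API server rejects the reply.
func respond(req *AdmissionRequest, resp *AdmissionResponse) AdmissionReview {
	resp.UID = req.UID
	return AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
}

// Validate is the validating webhook: deny a pod whose name contains a forbidden term.
// Allowed defaults to false, so every error path is a denial (fail closed).
func Validate(review AdmissionReview) AdmissionReview {
	var pod podMeta
	if err := json.Unmarshal(review.Request.Object, &pod); err != nil {
		return respond(review.Request, &AdmissionResponse{Status: &Status{Message: "cannot decode pod: " + err.Error()}})
	}
	lower := strings.ToLower(pod.Metadata.Name)
	for _, part := range forbiddenNameParts {
		if strings.Contains(lower, part) {
			msg := fmt.Sprintf("pod name %q contains forbidden term %q", pod.Metadata.Name, part)
			return respond(review.Request, &AdmissionResponse{Status: &Status{Message: msg}})
		}
	}
	return respond(review.Request, &AdmissionResponse{Allowed: true})
}

// Mutate is the mutating webhook: add each missing required label through a JSON patch.
func Mutate(review AdmissionReview) AdmissionReview {
	var pod podMeta
	if err := json.Unmarshal(review.Request.Object, &pod); err != nil {
		return respond(review.Request, &AdmissionResponse{Status: &Status{Message: "cannot decode pod: " + err.Error()}})
	}
	var ops []jsonPatchOp
	if pod.Metadata.Labels == nil {
		// an "add" below a missing parent fails, so create the labels map first
		ops = append(ops, jsonPatchOp{Op: "add", Path: "/metadata/labels", Value: map[string]string{}})
	}
	for _, l := range requiredLabels {
		if _, present := pod.Metadata.Labels[l.key]; !present {
			// RFC 6901 escaping keeps keys such as "app.kubernetes.io/name" addressable
			path := "/metadata/labels/" + strings.NewReplacer("~", "~0", "/", "~1").Replace(l.key)
			ops = append(ops, jsonPatchOp{Op: "add", Path: path, Value: l.value})
		}
	}
	resp := &AdmissionResponse{Allowed: true}
	if len(ops) > 0 {
		patch, _ := json.Marshal(ops)
		patchType := "JSONPatch"
		resp.PatchType, resp.Patch = &patchType, patch
	}
	return respond(review.Request, resp)
}
```

To serve these, decode the AdmissionReview the API server POSTs to your endpoint, call `Mutate` or `Validate`, and encode the returned review as the HTTP response; the API server only calls webhooks over HTTPS, so the endpoint needs a TLS certificate trusted by the cluster. Because the mutating call runs first, `Validate` sees the object with the injected labels already applied, which is exactly why a pod that omits a required label is no longer rejected.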

Kubernetes enables many admission control plugins by default. Use the following command to see the enabled admission control plugins list.

The sample output for the above command is given below.

Use the --enable-admission-plugins flag of the API server to enable the admission plugins you need.

To disable admission plugins, use the --disable-admission-plugins flag.

A simple validating and mutating webhook is available on GitHub. The code is written in Go.

This project is not production ready. It demonstrates how to create a simple, lightweight webhook in Kubernetes, and it contains both a validating and a mutating webhook. The validating webhook checks whether the pod name contains an inappropriate term; if it does, pod creation fails. The mutating webhook injects required labels such as KUBE:true and a minimum pod lifespan.

There are many tools developed in the software industry to ease the developer’s and operation team’s work. Kubernetes is one such tool. With it, scalable container-based applications can be easily created. It is a big boon to the deployment team and DevOps engineers, offering various methods to override its built-in functionality. Webhook is one useful method to modify Kubernetes’ built-in functionalities.

Webhooks can be created using admission controllers. The admission controller has the mutation and validation webhooks. The mutation webhook is executed before the validation webhook. The mutation webhook will modify the request data based on the condition. The validation webhook will approve or reject the request. If you need data that is not present in the request, the mutation will add the data to avoid rejection from the validation webhook.

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/.

AWS | DevOps | Kubernetes | Terraform| Angular | Deep&Machine Learning, Ionic, Full Stack Developer. Learn more at https://github.com/bharathirajatut