A Heart Rate Validating Admission Webhook

In Kubernetes

I’m Tom Gallacher

Aka. @tomgco

Anatomy of Admission Webhooks

CardioOps

But how do I make it?

Validating Webhook Configuration

  • Can be written in any language
  • Must be TLS terminated
  • Can only be performed on CREATE, UPDATE, CONNECT or * operations.
  • Is broken on pod/exec and pod/port-forward as of v1.11.2
  • For me in Node.js
  • Running locally, but could use another cluster / Lambdas
  • Yay!
  • This means that we cannot validate requests such as reads and watches.
  • But this is a bug (some patches have been merged to master)

Let's wire it together

  • Rules specify what to validate
  • failurePolicy is either Ignore (fail open) or Fail (fail closed)

Finally we apply this to the cluster with:

    kubectl apply -f -

    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: deny-heartrate
    webhooks:
    - name: deny-heartrate.yld.io
      rules:
      - apiGroups:
        - ""
        apiVersions:
        - "v1"
        operations:
        - "CREATE"
        resources:
        - "pods"
      failurePolicy: Fail
      clientConfig:
        url: "https://192.168.99.1:8080"
        caBundle: "%%CERTIFICATE%%"

A sprinkle of JavaScript (or any language you want)

  • Implement the Bluetooth GATT spec for heart rates: org.bluetooth.characteristic.heart_rate_measurement
  • Hardcode to my specific device MAC (for now) "d7046c50aa65"
  • Create an HTTPS server listening on 8080
  • Respond with:

    {
      "response": {
        "allowed": false,
        "status": {
          "status": "Failure",
          "message": "",
          "reason": "",
          "code": 402
        }
      }
    }
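
An added example (not the speaker's code) of the pieces listed above: decoding the Heart Rate Measurement value and building the AdmissionReview reply with the fields shown on this slide. The MAX_BPM threshold, the function names and the message text are assumptions.

```javascript
'use strict';
// Added example, not the talk's code. MAX_BPM and the messages are assumptions.
const MAX_BPM = 100;

// Decode a Heart Rate Measurement characteristic value (a Buffer).
// Flags bit 0: 0 = heart rate is a uint8, 1 = heart rate is a uint16 (little endian).
function parseHeartRate(value) {
  if (!Buffer.isBuffer(value) || value.length < 2) return null;
  const is16 = (value[0] & 0x01) === 1;
  if (is16) return value.length >= 3 ? value.readUInt16LE(1) : null;
  return value.readUInt8(1);
}

// Build the AdmissionReview reply for one request, echoing the request uid.
// A missing or implausible reading is denied, in the spirit of failurePolicy: Fail.
function review(admissionReview, bpm) {
  const req = (admissionReview && admissionReview.request) || {};
  const ok = Number.isInteger(bpm) && bpm > 0 && bpm <= MAX_BPM;
  const response = { uid: req.uid, allowed: ok };
  if (!ok) {
    response.status = {
      status: 'Failure',
      message: bpm > MAX_BPM ? `heart rate ${bpm} bpm is above ${MAX_BPM}` : 'no valid heart rate reading',
      reason: '',
      code: 402,
    };
  }
  return { apiVersion: 'admission.k8s.io/v1beta1', kind: 'AdmissionReview', response };
}

// HTTP handler: read the JSON body and answer with the review. Use it as
// https.createServer({ key, cert }, handler(getBpm)).listen(8080).
function handler(getBpm) {
  return (req, res) => {
    let body = '';
    req.on('data', (chunk) => { body += chunk; });
    req.on('end', () => {
      let parsed = null;
      try { parsed = JSON.parse(body); } catch (e) { /* unparseable body: deny */ }
      const out = review(parsed, parsed ? getBpm() : null);
      res.writeHead(200, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(out));
    });
  };
}
```

The certificate passed to `https.createServer` has to chain to the CA placed in `caBundle`, otherwise the API server cannot reach the webhook and `failurePolicy: Fail` rejects every matching pod.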

Step 1 - create some new pods and watch them fail!

Step 2 - Start the Server (set @200 BPM, hopefully I am not that nervous)

Step 3 - Start the Server (set @60 bpm, and my pod should create)

Step 4 - gate your Kubernetes resources based on your own heart rate* :D

*Not production ready

Conclusions

Many uses, why not give them a go?

Questions?

Tom Gallacher

@tomgco

@yldio