Week 2 - The kube-apiserver

2.1 Conceptual Core

  • The API server is the only component that talks to etcd; it is itself stateless, and all cluster state lives in etcd. It exposes the REST API (JSON, YAML and protobuf encodings), performs authentication, authorization and admission, and writes the result to etcd.
  • Every Kubernetes operation (a kubectl apply, a controller reconciliation, a kubelet status update) is an HTTP request to this server.
  • Three middleware stages every request traverses: Authentication (who are you?), Authorization (RBAC: what can you do?), Admission (built-in controllers plus mutating and validating webhooks).

2.2 Mechanical Detail

  • Authentication mechanisms: x509 client certs, bearer tokens (ServiceAccount tokens, OIDC), webhook tokens. Each is a request handler chain entry.
  • Authorization: RBAC is the dominant mode. ABAC and webhook authz exist but are rare. RBAC binds subjects (User, Group, ServiceAccount) to roles (verb + resource + namespace combinations) via RoleBinding/ClusterRoleBinding.
  • Admission:
      • Mutating webhooks: can modify the object before validation (e.g., inject sidecars).
      • Validating webhooks: can only accept or reject.
  • Built-in admission controllers: LimitRanger, ResourceQuota, ServiceAccount, PodSecurity, NodeRestriction, etc. Read plugin/pkg/admission/ in the k8s tree.
  • Aggregated API server: third parties can register their own API surface (e.g., metrics-server, Knative). The main apiserver proxies requests to them.
  • Storage: every object has a "storage version" in etcd. The server converts between API versions on read/write. This is what allows v1beta1 → v1 migrations.

2.3 Lab: "Read the Pipeline"

  1. Run kubectl apply --v=8 to dump the wire-level request/response of a kubectl apply. Read it carefully.
  2. Use kubectl get --raw to hit /apis/, /api/v1 and /apis/apps/v1 and see the discovery surface.
  3. Configure the apiserver to log all requests with --audit-policy-file=audit.yaml, plus an --audit-log-path so the events are actually written somewhere. Apply a few changes; read the audit log.
  4. Write a tiny mutating webhook (in Go, using controller-runtime's webhook facilities) that adds a label to every Pod. Deploy and verify.

2.4 Hardening Drill

  • Audit policy template: log Metadata for every request, Request for secrets/configmaps, RequestResponse for roles/rolebindings/clusterroles/clusterrolebindings. Ship logs off-cluster.
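The template described above, written out as an added example (not part of the original page). It assumes the file is passed to the apiserver as --audit-policy-file=audit.yaml together with a backend such as --audit-log-path; rules are matched first-match-wins, so the Metadata catch-all must stay last.

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request produces one event
# (at ResponseComplete) instead of two.
omitStages:
  - RequestReceived
rules:
  # RBAC objects: request and response bodies, so every privilege change
  # can be reconstructed exactly as the server stored it.
  - level: RequestResponse
    resources:
      - group: rbac.authorization.k8s.io
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  # Secrets and ConfigMaps (core group, hence group: ""): request body only,
  # so read responses do not copy secret data into the log.
  # Caveat: Request level still records the body of a create/update, which for
  # a Secret contains the data itself. Either protect the audit log as you
  # would the secrets, or drop this rule to Metadata.
  - level: Request
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Everything else: who, what verb, which resource, response code. No bodies.
  - level: Metadata
```

Ship the resulting log off-cluster with a log agent tailing the --audit-log-path file, or replace the file backend with --audit-webhook-config-file pointing at a collector.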

2.5 Operations Slice

  • Scrape apiserver metrics: apiserver_request_total, apiserver_request_duration_seconds, apiserver_storage_objects. Alert on p99 latency spikes per resource.