Apps, kubernetes

Mutating Admissions Controllers with Open Policy Agent and Rego

First up, quick refresher – what is a mutating admission controller?

Well it’s a nice feature in Kubernetes which lets you intercept objects when they’re created and make changes to them before they are deployed into the cluster.

Cool right? All those fiddly bits of YAML or hard to enforce company policies around network access, image stores you can and can’t use, they can all be enforced and FIXED automagically! (Like all magic caution is advised, choose wisely – queue Monty python gif)

giphy

So what’s the catch? Well without Open Policy Agent (OPA) you had to build out a web api to do the magic of changing the object then build/push an image and go through maintaining the solution. While you can write them quite easily now with solutions like KubeBuilder, or if you really love node I build one using that too, I wanted to see if OPA made things easier.

So say you want something more dynamic, flexible and a little easier to look after?

This is where Open Policy Agent comes in, they have a DSL language specially designed to build out and enforce complex policies.

Today I’ve been having a play with it to work out if I could build a controller which would set a certain nodeSelector on pods based on which namespace they are deployed in.

I’ll go over this very broadly I highly recommend looking at the docs in detail before diving in, I lost quite a bit of time to not reading things properly before starting.

I won’t lie, getting used to the DSL (rego) was painful for me, mainly because I came at it thinking it was going to be really like Golang. It does look quite like it but that’s where the similarity ends, it’s more functional/pattern matching and better suited to tersely making decisions based on data.

To counter the learning curve of rego I have to say, as I’ve raised issues and contributions the maintainers have been super responsive and helpful (even when I’ve made some silly mistakes) and the docs are great with runnable samples to get started.

Lets talk more about what I built out.

Continue reading

Standard
Uncategorized

Using Azure DevOps to speed up Docker builds

[Braindump – warning]

So I’ve been playing with devcontainers for Visual Studio Code, they’re awesome… go play with them. They let you use a Dockerfile to describe all the tooling needed for devs to get started with your project.

One of the side effects is that you have a nice Dockerfile which you can then also use it for your build server meaning that you never have an inconsistency between your local setup and your CI server.

In this example I build a golang project and use Azure DevOps and use caching to minimize the amount of time for each build.

Standard
Uncategorized

Misusing C# 8 `using` to get Golang `defer` in DotNet Core 3

I started out with C# since then I’ve learned other languages and one of my favorites is Golang.

When I was reading the release notes from C# 8 I saw the new using declaration and through it was awesome… I also realized it could be misused to give C# the defer keyword from Golang.

Whats defer in Golang do?

defer in Golang lets you define a function that will get run when the code block exits.

The example below will print:

hello
world

Code: Try it out here


package main

import "fmt"

func main() {
    defer fmt.Println("world")
    fmt.Println("hello")
}

I’m a big fan of this approach as I think it’s clearer to read than the standard try finally pattern as it lets you put the cleanup code directly below the code which is making the mess like:

    f := createTempFile("/tmp/defer.txt")defer deleteTempFile(f)writeFile(f)        // here the `deleteTempFile` method gets called

How can we do this in C# 8 with the new using syntax?

Well now because using var x = new thing()exists you can write a simple class called defer which runs a function when the current method exits, just like in golang

The interesting thing is that as a using statement generates a try finally under the covers these defer functions will still run if an exception is thrown.

The example below will print:

Hello World!
Defer 2
Defer 1
Exception thrown: It's all one wrong

Code:

Should you do this? Well that’s kinda up to you, I don’t think it’s super nasty but I’ve not used this in anger so probably worth testing out a bit before going all out.

Standard