
Admission Controller

Admission controllers are cluster-scoped plugins that intercept requests to the Kubernetes API server after authentication and authorisation, but before any object is persisted to etcd. They are analogous to web filters/middlewares: every write request passes through them, and any one of them can modify or reject it.

tip

Kubectl -> AuthN -> AuthZ -> Admission Controllers -> Create/apply/update resources

e.g.

  • AlwaysPullImages - Forces every container to pull its image on each new pod creation
  • DefaultStorageClass - Automatically assigns a default storage class to PVCs that don't specify one
  • NamespaceLifecycle - Prevents creation of objects in namespaces being terminated
  • LimitRanger - Enforces resource limits on pods/containers
  • ResourceQuota - Enforces resource quotas for namespaces
  • PodSecurityPolicy - Controls security-sensitive aspects of pod specification (removed in Kubernetes 1.25; replaced by the built-in Pod Security Admission controller)
  • NodeRestriction - Limits kubelet's permissions to modify its own node
  • ServiceAccount - Automates service account management
  • ValidatingAdmissionWebhook - Calls external webhooks for validation
  • MutatingAdmissionWebhook - Calls external webhooks that can modify objects

List the registered webhook configurations:

k get mutatingwebhookconfigurations.admissionregistration.k8s.io
k get validatingwebhookconfigurations.admissionregistration.k8s.io

Listing Enabled Admission Controllers

The admission controllers are typically configured via the --enable-admission-plugins and --disable-admission-plugins flags in the kube-apiserver manifest.

ps -ef | grep kube-apiserver
# look for these flags in the output:
# --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,...
# --disable-admission-plugins=SomePlugin

k exec -it kube-apiserver-controlplane -n kube-system -- kube-apiserver -h | grep 'enable-admission-plugins'
# the help text also lists the plugins that are enabled by default, which is what the flags add to or subtract from

Sometimes they come from a configmap:

kubectl -n kube-system get cm kube-apiserver -o yaml
kubectl get validatingwebhookconfigurations
kubectl get mutatingwebhookconfigurations
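The flags above are easy to misread by eye when the list is long. The following is an added example, not part of these notes, that parses a kube-apiserver command line (such as the `ps -ef` output or the static pod manifest's command list) and reports which plugins from a chosen baseline are explicitly disabled or not explicitly enabled. The command line and the `REQUIRED_PLUGINS` baseline are constructed for the example; the baseline is an assumption, not a Kubernetes default. A plugin missing from `--enable-admission-plugins` may still be on by default, which is why the result is labelled "not explicitly enabled" and should be confirmed against the `-h` output.

```python
import shlex

# Constructed kube-apiserver command line, in the shape seen in `ps -ef`
# output or a static pod manifest's command list; not from a real cluster.
SAMPLE_CMDLINE = (
    "kube-apiserver --advertise-address=10.0.0.10 "
    "--authorization-mode=Node,RBAC "
    "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction "
    "--disable-admission-plugins=AlwaysPullImages"
)

# Plugins this example treats as required: an assumed baseline for the
# example, not a Kubernetes default. Adjust to the cluster's policy.
REQUIRED_PLUGINS = {"NodeRestriction", "ServiceAccount", "NamespaceLifecycle",
                    "LimitRanger", "ResourceQuota"}


def parse_admission_flags(cmdline: str):
    """Return (explicitly_enabled, explicitly_disabled) sets of plugin names.
    Both flags take comma-separated lists; repeated flags are merged."""
    enabled, disabled = set(), set()
    for arg in shlex.split(cmdline):
        if arg.startswith("--enable-admission-plugins="):
            enabled.update(p for p in arg.split("=", 1)[1].split(",") if p)
        elif arg.startswith("--disable-admission-plugins="):
            disabled.update(p for p in arg.split("=", 1)[1].split(",") if p)
    return enabled, disabled


def audit_admission_flags(cmdline: str, required=REQUIRED_PLUGINS) -> dict:
    """Report required plugins that are explicitly disabled, required plugins
    that are not explicitly enabled (possibly still on by default; confirm with
    `kube-apiserver -h | grep enable-admission-plugins`), and names listed in
    both flags, which is a configuration worth fixing either way."""
    enabled, disabled = parse_admission_flags(cmdline)
    return {
        "disabled_required": sorted(required & disabled),
        "not_explicitly_enabled": sorted(required - enabled),
        "listed_in_both": sorted(enabled & disabled),
    }


if __name__ == "__main__":
    for key, names in audit_admission_flags(SAMPLE_CMDLINE).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run it against the real command line by replacing `SAMPLE_CMDLINE` with the string from `ps -ef` or the manifest; an entry under `disabled_required` (for example `NodeRestriction`) is the finding that matters most, since it means a control the baseline relies on has been switched off explicitly.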

Two types of admission controllers

Mutating (may change the resource, e.g. inject a sidecar or default a field) and validating (accepts or rejects the resource without changing it). All mutating admission runs first, then validating admission, so validators always see the final, mutated object.

Custom Admission Controllers

The API server reaches a custom controller through the MutatingAdmissionWebhook and ValidatingAdmissionWebhook plugins: it POSTs an AdmissionReview resource containing the request (operation, user, the object being created or updated) to the webhook's HTTPS endpoint, and the webhook answers with an AdmissionReview response that echoes the request uid and says whether the request is allowed (for mutating webhooks, optionally with a JSON patch).

ValidatingWebhook Manifest

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: deny-latest-tag
webhooks:
  - name: deny-latest.image.validator.k8s.io
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
    clientConfig:
      service:
        name: image-validator
        namespace: default
        path: /validate
        port: 443
      caBundle: <BASE64_CA_CERT> # base64 CA cert for the service
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 5
    failurePolicy: Fail
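To make the AdmissionReview exchange concrete, here is an added example (not code from these notes) of the webhook service the manifest above points at: it serves `/validate`, denies pod creation when any container or initContainer image resolves to the mutable `:latest` tag (an untagged image implies `:latest`), and returns the AdmissionReview response with the request's uid echoed back. The sample request, its uid and pod are constructed; the server name `image-validator`, the `/validate` path and the "deny latest" policy are taken from the manifest. The `tls.crt`/`tls.key` arguments are an assumption for this example: the API server only calls webhooks over HTTPS, so the served certificate must be issued by the CA placed in `caBundle` and valid for `image-validator.default.svc`.

```python
import json
import ssl
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def image_uses_latest(image: str) -> bool:
    """True if an image reference resolves to the mutable 'latest' tag.
    A reference with neither tag nor digest defaults to :latest."""
    if "@sha256:" in image:
        return False                      # pinned by digest, immutable
    last = image.rsplit("/", 1)[-1]       # drop registry host:port and path
    if ":" not in last:
        return True                       # no tag at all -> implicit :latest
    return last.rsplit(":", 1)[1] == "latest"


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for one request. The response must
    echo request.uid and set allowed; status.message is shown to the user
    when the request is denied. request.object is null on DELETE, hence or {}."""
    req = admission_review["request"]
    spec = (req.get("object") or {}).get("spec", {})
    offenders = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            if image_uses_latest(c.get("image", "")):
                offenders.append(f"{field}/{c.get('name')}: {c.get('image')}")
    response = {"uid": req["uid"], "allowed": not offenders}
    if offenders:
        response["status"] = {
            "code": 403,
            "message": "images must be pinned to a tag or digest, not :latest: "
                       + "; ".join(offenders),
        }
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview", "response": response}


class ValidateHandler(BaseHTTPRequestHandler):
    """Serves the /validate path named in the manifest's clientConfig."""

    def do_POST(self):
        if self.path != "/validate":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length))
        out = json.dumps(review(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


# Constructed sample request, shaped like what the API server POSTs on pod
# CREATE (uid and pod are made up for this example).
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-4000-8000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "default",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "web"},
            "spec": {"containers": [
                {"name": "web", "image": "nginx:latest"},
                {"name": "sidecar", "image": "busybox:1.36"},
            ]},
        },
    },
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 webhook.py tls.crt tls.key
        # The API server only calls webhooks over HTTPS, so serve with the
        # certificate whose issuing CA is in the manifest's caBundle.
        httpd = HTTPServer(("0.0.0.0", 443), ValidateHandler)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(sys.argv[1], sys.argv[2])
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
        httpd.serve_forever()
    else:
        print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

Two details in the manifest interact with this code: `failurePolicy: Fail` means that if the service is down or slower than `timeoutSeconds`, pod creation is rejected rather than silently allowed, so the webhook deployment itself needs to be highly available; and `sideEffects: None` is honest here because `review()` only inspects the request and writes nothing, which also makes it safe to run the `kubectl --dry-run=server` path through it.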