Try โ€‚โ€‰HackMD

Admission Controllers

What are they?

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

Theis logic is called after an API request is authenticated and right before persistence of the object.

Why do we need them?

Admission controllers provide for a way to introduce custom logic in the Kubernetes API request lifecycle. Cluster administrators may want the certain resources to conform to a specificpolicy, for example, image pull policy, resource limits for containers.

Kinds

By functionality

  1. Mutating
    They can mutate the object.

  2. Validating
    They only validate the object.

By the way they are defined

Admission Control

Builtin Plugins

Generic Admission Plugins

There are three generic admission plugins defined in https://git.k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin:

  1. NamespaceLifecycle
    Ensures that resources are not created in terminating/non-existing namespaces. Also, prevents reserved namespaces from being deleted.
  2. MutatingAdmissionWebhook
  3. ValidatingAdmissionWebhook

The remaining two are what powers the Dynamic Admission Control landscape. They are responsible for acting on rules you define in {Mutating,Validating}WebhookConfiguration objects.

Other builtin plugins

They can be found in https://git.k8s.io/kubernetes/plugin/pkg/admission

plugin/pkg/admission
โ”œโ”€โ”€ admit
โ”œโ”€โ”€ alwayspullimages
โ”œโ”€โ”€ antiaffinity
โ”œโ”€โ”€ certificates
โ”œโ”€โ”€ defaulttolerationseconds
โ”œโ”€โ”€ deny
โ”œโ”€โ”€ eventratelimit
โ”œโ”€โ”€ extendedresourcetoleration
โ”œโ”€โ”€ gc
โ”œโ”€โ”€ imagepolicy
โ”œโ”€โ”€ limitranger
โ”œโ”€โ”€ namespace
โ”œโ”€โ”€ network
โ”œโ”€โ”€ noderestriction
โ”œโ”€โ”€ nodetaint
โ”œโ”€โ”€ podnodeselector
โ”œโ”€โ”€ podtolerationrestriction
โ”œโ”€โ”€ priority
โ”œโ”€โ”€ resourcequota
โ”œโ”€โ”€ runtimeclass
โ”œโ”€โ”€ security
โ”œโ”€โ”€ securitycontext
โ”œโ”€โ”€ serviceaccount
โ””โ”€โ”€ storage

24 directories, 1 file

What makes a Go struct behave like a Admission Control Plugin?

They should satisfy either MutatingInterface or ValidatingInterface or both depending on the nature of the plugin.

Ref: https://git.k8s.io/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/interfaces.go#L129-L144

Configuring builtin admission controllers

kube-apiserver accepts the following flags to allow modification of admission control behavior:

--admission-control-config-file string
	File with admission control configuration.

--disable-admission-plugins strings
	admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
    
--enable-admission-plugins strings
	admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.

Points to be noted:

  1. {Validating/Mutating}AdmissionWebhook can also be disabled if the user wants. Although, in that case, the {Validating,Mutating}WebhookConfiguration objects in the admissionregistration.k8s.io/v1 group/version need to be disabled via the --runtime-config flag.
  2. The admission control plugins can be configured by passing an YAML manifest with an object of the kind AdmissionConfiguration to --admission-control=config-file. Following is an example of the same.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: <path-to-kubeconfig-file>
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: true

Configuring Dynamic Admission Controllers

They are configured using {Mutating,Validating}WebhookConfiguration objects. These objects are then read by the respective builtin admission control plugins and acted upon.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "pod-policy.example.com"
webhooks:
- name: "pod-policy.example.com"
  rules:
  - apiGroups:   [""]
    apiVersions: ["v1"]
    operations:  ["CREATE"]
    resources:   ["pods"]
    scope:       "Namespaced"
  clientConfig:
    service:
      namespace: "example-namespace"
      name: "example-service"
    caBundle: "Ci0tLS0tQk...<`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.>...tLS0K"
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  timeoutSeconds: 5

References

Last changed by 
โ€‰
Nabarun Pal
0
1
458

Read more

Untitled

Multiple Authz Webhook Initial Exploration Call Note: These notes are retrospective from a discussion on Jun 7 2022. Attendees: Mo Khan (Staff - VMware, SIG Auth Chair) Nabarun Pal (SMTS - Tanzu Upstream Engineering) Soumik Majumder (MTS - Carvel)

Nov 21, 2022
Best of O'Reilly Learning

Go Ultimate Go Programming, Second Edition - by William Kennedy The Go Programming Language (GEM!!!) Go in Action Concurrency in Go Kubernetes Programming Kubernetes

May 17, 2021
Release Updates

Timeline We are in Week 6 of the release (almost halfway through :yay:) FUTURE >>> Code Freeze is on November 12. https://github.com/kubernetes/sig-release/blob/master/releases/release_phases.md#code-freeze Test Freeze is on November 23.

Oct 14, 2020
Enhancements Playbook

Important Milestones Enhancements Freeze All enhancements that want to be in the release cycle need to Have their KEP merged in an implementable state KEP must have test plans KEP must have graduation criteria Code Freeze All the enhancements collected after the Enhancements Freeze need to have their code and test PR&apos;s merged by this date.

May 15, 2020
Read more from Nabarun Pal
Published on HackMD