Introduction
Kubernetes Admission Controllers sit in the API server's request pipeline and govern the objects being created, modified, or deleted. They act as gatekeepers, enforcing policies and keeping the cluster's state consistent and secure. This guide explains what Admission Controllers do, why they matter, and how to set up a basic one for your cluster.
What are Kubernetes Admission Controllers?
Admission Controllers are plugins that intercept requests to the Kubernetes API server before the persistence of the object but after the request is authenticated and authorized. They can mutate (modify) or validate requests, offering a powerful mechanism to introduce custom logic and enforce policies across all Kubernetes resources.
Types of Admission Controllers
The API server ships with a set of compiled-in admission controllers (NamespaceLifecycle, LimitRanger, PodSecurity and others) that are switched on with the --enable-admission-plugins flag. Custom logic is added through two kinds of admission webhooks, which the API server calls over HTTPS:
- Mutating Admission Webhooks: These can modify the object (e.g., adding labels, annotations or sidecar containers). They run first, and the mutated object is then checked against its schema.
- Validating Admission Webhooks: These inspect the final object and decide whether it should be allowed based on specific criteria. They run after all mutating webhooks, so they see the object exactly as it will be persisted, which is why policy enforcement belongs here rather than in a mutating webhook that a later mutation could undo.
Why Use Admission Controllers?
Admission Controllers enable:
- Security Enhancements: Enforcing best practices and security policies, like preventing privileged containers.
- Resource Management: Ensuring that workloads declare resource requests and limits, or that objects follow rules specific to their namespace.
- Compliance and Governance: Applying organizational policies and compliance requirements automatically.
Setting Up a Kubernetes Admission Controller
Let’s set up a simple Validating Admission Webhook to understand the process. We’ll create a webhook to validate Pods, ensuring they have a specific label before being admitted to the cluster.
Step 1: Deploy a Webhook Server
First, you need a server that Kubernetes can call to validate objects. For this example, assume you have an HTTPS server running behind a Service named admission-controller in the default namespace, with an endpoint /validate that accepts an AdmissionReview request and rejects any incoming Pod that does not carry the label secure: "true".
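Such a server, as an added example that is not part of the original post: a stdlib-only Python implementation of the /validate endpoint. It assumes the server listens on port 8443 (so the Service registered later must forward port 443 to 8443), that the certificate and key are the files tls.crt and tls.key produced in Step 2, and it embeds a constructed AdmissionReview shaped like the one the API server sends for the Pod in Step 5. The request uid is a made-up value; everything else follows the admission.k8s.io/v1 wire format.

```python
"""Validating admission webhook: require the label secure="true" on Pods.

Added example using only the Python standard library. It answers
admission.k8s.io/v1 AdmissionReview requests on /validate and fails closed
for anything it does not recognise.
"""
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED_LABEL = "secure"
REQUIRED_VALUE = "true"


def validate_pod(pod: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a Pod object taken from request.object."""
    metadata = pod.get("metadata") or {}
    labels = metadata.get("labels") or {}
    value = labels.get(REQUIRED_LABEL)
    if value == REQUIRED_VALUE:
        return True, ""
    name = metadata.get("name") or metadata.get("generateName") or "<unnamed>"
    return False, (f'pod {name} must carry the label {REQUIRED_LABEL}="{REQUIRED_VALUE}" '
                   f"(got {value!r})")


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for one AdmissionReview request.

    The response must echo request.uid. allowed=False plus a status message
    is what kubectl shows the user when the object is rejected.
    """
    request = admission_review.get("request") or {}
    uid = request.get("uid")
    response = {"uid": uid, "allowed": False}
    resource = request.get("resource") or {}
    is_core_pod = resource.get("group") == "" and resource.get("resource") == "pods"
    if admission_review.get("apiVersion") != "admission.k8s.io/v1" or uid is None:
        response["status"] = {"code": 400,
                              "message": "expected an admission.k8s.io/v1 AdmissionReview with request.uid"}
    elif not is_core_pod:
        # Fail closed: the webhook configuration should only route Pods here; anything
        # else means the rules were widened without teaching this code about the resource.
        response["status"] = {"code": 403, "message": f"unexpected resource {resource}"}
    else:
        allowed, reason = validate_pod(request.get("object") or {})
        response["allowed"] = allowed
        if not allowed:
            response["status"] = {"code": 403, "message": reason}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


class ValidateHandler(BaseHTTPRequestHandler):
    """Serves POST /validate; every other path is 404."""

    def do_POST(self):
        if self.path != "/validate":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length") or 0)
        try:
            body = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400, "malformed AdmissionReview JSON")
            return
        payload = json.dumps(review(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def serve(certfile="tls.crt", keyfile="tls.key", port=8443):
    """Serve over TLS with the Step 2 certificate; port 8443 is an assumption."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    context.load_cert_chain(certfile, keyfile)
    httpd = HTTPServer(("0.0.0.0", port), ValidateHandler)
    httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


# Constructed sample request (made-up uid), shaped like what the API server sends
# for the test Pod from Step 5.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "resource": {"group": "", "version": "v1", "resource": "pods"},
        "operation": "CREATE",
        "object": {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "test-pod", "labels": {"secure": "true"}},
                   "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2"}]}},
    },
}

if __name__ == "__main__":
    serve()
```

Two design points worth copying into a real webhook: it never answers allowed: true for a request it does not understand (wrong API version, non-Pod resource), and it returns a human-readable status message, which is what the person running kubectl sees when their Pod is rejected. Because the configuration below only registers the CREATE operation, request.object is all that matters here; if you add UPDATE you would also inspect request.oldObject to decide what changed.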
Step 2: Create a TLS Certificate
Admission Webhooks must be served over HTTPS. The API server verifies the server certificate against the caBundle in the webhook configuration (if caBundle is left empty it falls back to the API server's own system trust roots), and it checks that the certificate's Subject Alternative Name matches the Service DNS name <service>.<namespace>.svc. A certificate that carries the name only in the Common Name is rejected by current API servers, since Go's TLS stack no longer treats the CN as a host name, so the SAN has to be present:
# Generate a self-signed certificate and key; the certificate doubles as the CA bundle
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout tls.key -out tls.crt \
  -subj "/CN=admission-controller.default.svc" \
  -addext "subjectAltName=DNS:admission-controller.default.svc"
# Confirm the SAN is there before registering the webhook
openssl x509 -in tls.crt -noout -ext subjectAltName
A self-signed, ten-year certificate is fine for a lab. In production, issue the serving certificate from a CA you control and rotate (cert-manager's CA injector is the usual choice), because anyone holding tls.key can answer admission requests on the webhook's behalf.
Step 3: Create a Kubernetes Secret
Store the generated certificate and key as a TLS secret in your Kubernetes cluster. The $(...) substitutions only expand in a shell, so apply the manifest through a heredoc (kubectl create secret tls admission-tls --cert=tls.crt --key=tls.key does the same in one command):
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: admission-tls
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: $(base64 -w0 < tls.crt)
  tls.key: $(base64 -w0 < tls.key)
EOF
Mount this secret into the webhook server's Pod, and keep Secret read access in that namespace tight: the private key is what lets a server speak for the webhook.
Step 4: Register the Admission Webhook
Define a ValidatingWebhookConfiguration that points to your webhook server. The API server resolves the service reference to admission-controller.default.svc and, because no port is given, connects to port 443 of the Service, so the Service must forward 443 to whatever port your server listens on. caBundle must hold the base64-encoded tls.crt; as with the Secret, the $(...) form only expands when the manifest goes through a shell heredoc, otherwise paste the output of base64 -w0 < tls.crt in its place:
cat <<EOF | kubectl apply -f -
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook
webhooks:
  - name: example.validator.local
    clientConfig:
      service:
        name: admission-controller
        namespace: default
        path: "/validate"
      caBundle: $(base64 -w0 < tls.crt)
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
    timeoutSeconds: 5
EOF
failurePolicy: Fail is the default and the secure setting: if the webhook is down or times out, Pod creation is rejected instead of silently waved through. The flip side is that a webhook intercepting every Pod can lock you out of the namespace it runs in (its own Pods cannot be created while it is unavailable), so in practice you add a namespaceSelector or objectSelector that exempts kube-system and the webhook's own namespace. Scope the rules to what you actually need as well: this configuration watches only CREATE, so a label removed by a later UPDATE goes unchecked; add "UPDATE" to operations if that matters to you.
Step 5: Testing the Admission Controller
Deploy a Pod to your cluster and observe whether it gets admitted. With the label secure: "true" present it should be created; the same manifest with the label missing or set to any other value should be rejected, and kubectl prints the message the webhook returned.
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  labels:
    secure: "true"
spec:
  containers:
    - name: nginx
      image: nginx:1.14.2
Conclusion
Kubernetes Admission Controllers are a powerful feature for enhancing cluster security, enforcing policies, and ensuring compliance across all Kubernetes resources. By setting up your Admission Controller, you can take control of what gets deployed in your cluster, making your infrastructure more secure and reliable. Dive deeper into specific controllers and explore how they can help meet your organizational needs.