Admission Controllers

Admission controllers are middleware that intercept requests after authentication and authorization, but before the resource is persisted. The following diagram shows the request flow with an admission controller in place.

                request (kubectl/api)
                        |
                        v
                  authentication
                        |
                        v
                  authorization
                        |
                        v
                admission controller
                        |
                        v
                     resource

For instance, the NamespaceExists admission controller looks for requests that create resources in non-existent namespaces. It rejects those requests and returns an appropriate error response.

The NamespaceAutoProvision admission controller, on the other hand, creates the missing namespace.

Default Admission Controllers

We can list the admission controllers enabled on kube-apiserver by default using the following command,

k exec -n kube-system kube-apiserver -- \
    kube-apiserver -h | grep enable-admission-plugins

The following is the list of admission controllers enabled by default, taken from the output of the above command,

(NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, ClusterTrustBundleAttest, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionPolicy, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota)

Enable and Disable Admission controllers

We can provide a list of admission controllers to enable when starting kube-apiserver using the flag --enable-admission-plugins.

kube-apiserver
    --advertise-address=192.168.193.131
    --allow-privileged=true
    --authorization-mode=Node,RBAC
    --client-ca-file=/etc/kubernetes/pki/ca.crt
    --enable-admission-plugins=NamespaceAutoProvision
    <...hidden>

Likewise, we can disable admission plugins when starting kube-apiserver using the flag --disable-admission-plugins.

kube-apiserver
    --advertise-address=192.168.193.131
    --allow-privileged=true
    --authorization-mode=Node,RBAC
    --client-ca-file=/etc/kubernetes/pki/ca.crt
    --enable-admission-plugins=NamespaceAutoProvision
    --disable-admission-plugins=DefaultStorageClass
    <...hidden>
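The two flags above combine with the default list: the plugins that actually run are the defaults plus everything in --enable-admission-plugins, minus everything in --disable-admission-plugins. The following script is an added example (it is not from the page or from Kubernetes) that computes that effective set from kube-apiserver flag lines and checks whether a given plugin is active, so a reviewer can spot a disabled PodSecurity or a stray NamespaceAutoProvision without reading the whole manifest. The default list is copied from the command output shown earlier; the SAMPLE_FLAGS input is constructed from the flags on this page, written in the "- --flag=value" form used by a static pod manifest.

```shell
#!/bin/sh
# Added example, not part of the original page: compute the effective set of
# admission plugins from kube-apiserver flags.
#   effective = (defaults + --enable-admission-plugins) - --disable-admission-plugins

# Default plugin list as printed by `kube-apiserver -h` (copied from the page).
DEFAULT_PLUGINS="NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,PodSecurity,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,RuntimeClass,CertificateApproval,CertificateSigning,ClusterTrustBundleAttest,CertificateSubjectRestriction,DefaultIngressClass,MutatingAdmissionPolicy,MutatingAdmissionWebhook,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook,ResourceQuota"

# Constructed sample input: the flag lines from the page, in the
# "- --flag=value" list form found in a kube-apiserver static pod manifest.
SAMPLE_FLAGS='    - --advertise-address=192.168.193.131
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NamespaceAutoProvision
    - --disable-admission-plugins=DefaultStorageClass'

# flag_value FLAGS NAME: print the value of --NAME (empty if the flag is absent).
# Accepts both "--flag=value" and the YAML list form "- --flag=value".
flag_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*--$2=//p" | head -n 1
}

# effective_plugins FLAGS: print the effective plugin set, one per line, sorted.
# Line 1 of the awk input is the default list, line 2 the enabled list,
# line 3 the disabled list; duplicates collapse because keep[] is a set.
effective_plugins() {
    enabled=$(flag_value "$1" enable-admission-plugins)
    disabled=$(flag_value "$1" disable-admission-plugins)
    printf '%s\n' "$DEFAULT_PLUGINS" "$enabled" "$disabled" |
        awk -F, '
            NR <= 2 { for (i = 1; i <= NF; i++) if ($i != "") keep[$i] = 1 }
            NR == 3 { for (i = 1; i <= NF; i++) if ($i != "") delete keep[$i] }
            END     { for (p in keep) print p }' |
        sort
}

# plugin_enabled FLAGS NAME: succeed (exit 0) when NAME is in the effective set.
plugin_enabled() {
    effective_plugins "$1" | grep -q -x -F "$2"
}

# Demo: print the effective set for the sample flags and warn if the
# PodSecurity admission controller has been switched off.
effective_plugins "$SAMPLE_FLAGS"
plugin_enabled "$SAMPLE_FLAGS" PodSecurity ||
    echo "WARNING: PodSecurity admission is not active"
```

To run it against a real control plane, feed the command list from /etc/kubernetes/manifests/kube-apiserver.yaml (or the flags reported by `ps` on the control-plane node) in place of SAMPLE_FLAGS; the default list should be refreshed from `kube-apiserver -h` for the version in use, since it changes between releases.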

Note

The NamespaceExists and NamespaceAutoProvision admission controllers are deprecated and have been replaced by NamespaceLifecycle, which rejects creation of resources in non-existent namespaces and deletion of the default, kube-system and kube-public namespaces.

Tip

The DefaultStorageClass admission controller observes PersistentVolumeClaims with no StorageClass specified and adds the default storage class to them.

References

  1. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/