Mastering Kubernetes Admission Controllers: Setup and Use Cases

marocz

marocz

Posted on April 7, 2024

Mastering Kubernetes Admission Controllers: Setup and Use Cases

Introduction

Kubernetes Admission Controllers are pivotal in the Kubernetes API server pipeline, playing a crucial role in governing and regulating the objects being created, modified, or deleted. These controllers act as gatekeepers, enforcing policies and ensuring that the cluster's state is consistent and secure. This guide explores the functionality of Admission Controllers, their importance, and how you can set up a basic one for your cluster.

What are Kubernetes Admission Controllers?

Admission Controllers are plugins that intercept requests to the Kubernetes API server before the persistence of the object but after the request is authenticated and authorized. They can mutate (modify) or validate requests, offering a powerful mechanism to introduce custom logic and enforce policies across all Kubernetes resources.

Image description

Types of Admission Controllers

  • Validating Admission Webhooks: These inspect the requests and determine whether they should be allowed based on specific criteria.
  • Mutating Admission Webhooks: They can modify requests (e.g., adding labels or annotations) before they are processed by the validating webhooks.

Why Use Admission Controllers?

Admission Controllers enable:

  • Security Enhancements: Enforcing best practices and security policies, like preventing privileged containers.
  • Resource Management: Ensuring that resources request limits or namespaces follow specific rules.
  • Compliance and Governance: Applying organizational policies and compliance requirements automatically.

Setting Up a Kubernetes Admission Controller

Let’s set up a simple Validating Admission Webhook to understand the process. We’ll create a webhook to validate Pods, ensuring they have a specific label before being admitted to the cluster.

Step 1: Deploy a Webhook Server

First, you need a server that Kubernetes can call to validate objects. For this example, let’s assume you have a server running with an endpoint /validate that validates if incoming Pods have the label secure: "true".

Step 2: Create a TLS Certificate

Admission Webhooks require HTTPS endpoints with a valid TLS certificate signed by a CA that the Kubernetes API server trusts.

# Generate a self-signed certificate and key
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout tls.key -out tls.crt -subj "/CN=admission-controller.default.svc"
Enter fullscreen mode Exit fullscreen mode

Step 3: Create a Kubernetes Secret

Store the generated certificate and key as a secret in your Kubernetes cluster.

apiVersion: v1
kind: Secret
metadata:
  name: admission-tls
  namespace: default
data:
  tls.crt: $(base64 -w0 < tls.crt)
  tls.key: $(base64 -w0 < tls.key)
Enter fullscreen mode Exit fullscreen mode

Step 4: Register the Admission Webhook

Define a ValidatingWebhookConfiguration that points to your webhook server.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook
webhooks:
  - name: example.validator.local
    clientConfig:
      service:
        name: admission-controller
        namespace: default
        path: "/validate"
      caBundle: $(cat tls.crt | base64 | tr -d '\n')
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    admissionReviewVersions: ["v1"]
    sideEffects: None
Enter fullscreen mode Exit fullscreen mode

Replace caBundle with the base64 encoded content of your tls.crt.

Step 5: Testing the Admission Controller

Deploy a Pod to your cluster and observe if it gets admitted based on the presence of the secure: "true" label.

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  labels:
    secure: "true"
spec:
  containers:
  - name: nginx
    image: nginx:1.14.2
Enter fullscreen mode Exit fullscreen mode

Conclusion

Kubernetes Admission Controllers are a powerful feature for enhancing cluster security, enforcing policies, and ensuring compliance across all Kubernetes resources. By setting up your Admission Controller, you can take control of what gets deployed in your cluster, making your infrastructure more secure and reliable. Dive deeper into specific controllers and explore how they can help meet your organizational needs.

💖 💪 🙅 🚩
marocz
marocz

Posted on April 7, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related