In this post, I would continue to write about preparing for the CKS (Certified Kubernetes Security Specialist) exam. I would write my own notes about the exam, and you can refer to these articles to prepare your own.
List of the series of posts:
- Ubuntu System
3. Admission controllers in Kubernetes
3.1 What is admission control?
Admission control in kubernetes is responsible for more fine-grained control after authentication and authorization , such as namespace check, mirror check, etc.
There are two types of admission controllers in kubernetes:
- Mutating controller: it may modify the request
- Validating controller: it validates the request
Just as this picture shows, the mutating controller should be put ahead of the validating controller, otherwise, if the validating is ahead of the mutating and the request is not valid, then the mutating controller would not be called.
3.2 How to check what admission controllers are enabled in api server?
We can check the enabled admission controllers as follows:
[email protected]:/etc/kubernetes/manifests# k exec kube-apiserver-controlplane -n kube-system -- kube-apiserver -h | grep enable-admission-plugins --enable-admission-plugins strings admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
3.3 How to enable specific admission controller in kubernetes?
We can enable specific admission controller in kubernetes as follows:
In /etc/kubernetes/manifests/kube-apiserver.yaml, append these options of kube-apiserver:
# Enable —- enable-admission-plugins=NodeRestriction,NamespaceAutoProvision # Disable —- disable-admission-plugins=DefaultStorageClass
In this post, I write some examples about admission control in kubernetes.