Kubernetes Admission Controllers

What Are Kubernetes Admission Controllers?

Admission controllers are essential components within the Kubernetes API server that act as gatekeepers for incoming requests to create, modify, or delete resources in the cluster. They intercept requests after authentication and authorization but before the requested object is persisted in the Kubernetes datastore.

How Admission Controllers Work

Admission controllers operate in two main phases:

Mutating Admission Controllers: These can modify or "mutate" the object in the request before it is stored. For example, they can inject sidecar containers, add default resource limits, or set labels automatically.

Validating Admission Controllers: These check if the request complies with cluster policies and reject non-compliant requests. They do not modify objects but ensure only valid configurations are applied.

The process is sequential: all mutating controllers run first, followed by all validating controllers. If any controller rejects the request, the entire operation is aborted.

Types of Admission Controllers

Built-in (Static) Controllers: Shipped with Kubernetes, these cover common needs like enforcing resource quotas, namespace lifecycle management, and pod security policies. Examples include ResourceQuota, NamespaceLifecycle, and LimitRanger.

Dynamic Admission Controllers: Enabled via webhooks, these allow custom logic to be injected into the admission process. The main types are:

MutatingAdmissionWebhook: Executes custom mutation logic via HTTP callbacks.

ValidatingAdmissionWebhook: Executes custom validation logic via HTTP callbacks.

ValidatingAdmissionPolicy: Provides declarative validation without external callouts, embedded directly in the API.

Why Use Admission Controllers?

Admission controllers are crucial for:

Security: Enforcing pod security standards, blocking vulnerable images, and preventing unauthorized actions.

Compliance: Ensuring all resources meet organizational or regulatory policies (e.g., required labels, resource limits).

Resource Management: Managing quotas and preventing resource exhaustion.

Customization: Extending Kubernetes with bespoke logic tailored to your environment.

Example Use Cases

Enforcing Resource Limits: The LimitRanger controller ensures pods do not exceed specified resource quotas and can set default values for pods that omit them.

Image Scanning: Custom webhooks can reject deployments that use images from untrusted repositories or with known vulnerabilities.

Label Enforcement: Policies can require certain labels on all resources for better organization and automation.

How to Enable and Configure

Admission controllers are enabled and configured by cluster administrators using flags such as --enable-admission-plugins and --admission-control-config-file in the kube-apiserver binary.

By leveraging Kubernetes admission controllers, you can significantly enhance your cluster’s security, compliance, and operational efficiency, making them a cornerstone of Kubernetes administration.