K8S Admission Controller
Functions of an admission controller:
- Help us implement better security measures.
- Perform additional operations before a pod gets created.
- Validate configuration.
Admission controllers limit requests to create, delete, modify or connect to (proxy) objects. They do not act on read requests.
How do I turn on an admission controller?
The Kubernetes API server flag --enable-admission-plugins takes a comma-delimited list of admission control plugins to invoke prior to modifying objects in the cluster. For example, the following command line enables the NamespaceLifecycle and LimitRanger admission control plugins:
kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger ...
Kubernetes recommends enabling the following admission controllers by default:
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Priority,ResourceQuota,PodSecurityPolicy
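The flag above is also what a defender should audit on each control-plane node: a kube-apiserver started without the recommended plugins silently skips those checks. The script below is an added example, not part of the original notes; it parses a kube-apiserver command line and reports which of the recommended plugins are not enabled. The SAMPLE_CMDLINE value is constructed for the example.

```shell
#!/bin/sh
# Added example: audit which recommended admission plugins a kube-apiserver
# command line actually enables. Not from the original notes.

# Recommended list, as given in the notes above.
RECOMMENDED="NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,Priority,ResourceQuota,PodSecurityPolicy"

# Print the value of --enable-admission-plugins from a command line.
# Handles both "--flag=value" and "--flag value"; prints nothing if the flag is absent.
enabled_plugins() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        /^--enable-admission-plugins=/ { sub(/^--enable-admission-plugins=/, ""); print; exit }
        /^--enable-admission-plugins$/ { getline; print; exit }'
}

# Print, one per line, every recommended plugin missing from the command line.
# An absent flag means no plugins are enabled, so all recommended ones are reported.
missing_plugins() {
    enabled=$(enabled_plugins "$1")
    echo "$RECOMMENDED" | tr ',' '\n' | while read -r p; do
        case ",$enabled," in
            *",$p,"*) ;;        # present
            *) echo "$p" ;;     # missing
        esac
    done
}

# Constructed sample (not from a real cluster): an API server started with
# only two admission plugins.
SAMPLE_CMDLINE="kube-apiserver --advertise-address=10.0.0.1 --enable-admission-plugins=NamespaceLifecycle,LimitRanger --authorization-mode=Node,RBAC"

echo "Recommended admission plugins missing from the sample command line:"
missing_plugins "$SAMPLE_CMDLINE"

# On a kubeadm control-plane node the real command line lives in the static pod
# manifest, e.g.:  grep -- '--enable-admission-plugins' /etc/kubernetes/manifests/kube-apiserver.yaml
```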
There are two types of admission controllers: validating and mutating.
Important notes:
The NamespaceExists and NamespaceAutoProvision admission controllers are deprecated and have been replaced by the NamespaceLifecycle admission controller. The NamespaceLifecycle admission controller makes sure that requests to a non-existent namespace are rejected and that the default namespaces default, kube-system and kube-public cannot be deleted.