Risks

API request validation by Admission controller

Admission controllers are plugins compiled into kube-apiserver that intercept a request after it has been authenticated and authorized, but before the resulting object is persisted to etcd. They run in two phases: mutating controllers first (these may change the object, for example by injecting defaults or rewriting fields), then validating controllers (these can only accept or reject). Admission applies to create, update, delete and connect requests, not to reads. Because RBAC only sees who is acting on which resource with which verb, admission is the one built-in place where policy on the content of an object (its security context, its resource requests, where its images come from) can be enforced, so the set of enabled controllers is a security boundary in its own right and needs the same scrutiny as the RBAC configuration.

The Role of Admission Controllers

Admission controllers are the last checkpoint a request passes before persistence, and the only built-in one that inspects the body of the request rather than just the principal, resource and verb. They are how a cluster enforces its security, resource-management and operational policies on what is actually written to the API, not merely on who is allowed to write.

Key Admission Controllers and Their Functions

  1. AlwaysPullImages

    • Function: Rewrites the imagePullPolicy of every container to Always, so the kubelet contacts the registry on each pod start regardless of the policy the pod specified.
    • Benefit: In a multi-tenant cluster an image already cached on a node could otherwise be reused by any pod scheduled there, including pods whose owner holds no credentials for that private registry. Forcing a pull makes the registry re-check the pod's imagePullSecrets every time. Caveat: it adds registry latency to every start and turns a registry outage into a scheduling outage, and it does not pin images to particular versions; if that is the goal, reference images by digest rather than by tag.
  2. PodSecurityPolicy

    • Function: Validates a pod's security context against the PodSecurityPolicy objects that the requesting user or service account is authorized to use, and rejects the pod if it satisfies none of them.
    • Benefit: Blocks privileged containers, host namespaces, hostPath mounts and unwanted capabilities at admission time. Caveat: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. On current clusters the equivalent built-in control is the PodSecurity admission controller (Pod Security Admission), which enforces the Pod Security Standards per namespace through labels such as pod-security.kubernetes.io/enforce.
  3. ResourceQuota

    • Function: Tracks aggregate usage per namespace and rejects any request that would push it past the limits declared in a ResourceQuota object for that namespace.
    • Benefit: Caps CPU, memory, storage and object counts per namespace, so one tenant or a runaway controller cannot exhaust the cluster and cause a denial of service for everyone else. Caveat: the controller only acts where a ResourceQuota object exists; enabling the plugin without creating quota objects changes nothing.
  4. NamespaceExists

    • Function: Rejects requests for namespaced resources that reference a namespace which does not exist.
    • Benefit: Stops objects being written against a mistyped or already deleted namespace. Note that the default NamespaceLifecycle controller already performs this check and additionally refuses new objects in a namespace that is terminating, so NamespaceExists adds nothing on a cluster where NamespaceLifecycle is enabled.

Default Admission Controllers in Kubernetes (1.18+)

Kubernetes 1.18 enables the following admission controllers with no flags at all. The default set changes between releases (PodSecurity, for example, joined it in 1.25), so verify the set for your version with kube-apiserver -h and read the help text of --enable-admission-plugins, which lists the current defaults:

  • NamespaceLifecycle
  • LimitRanger
  • ServiceAccount
  • TaintNodesByCondition
  • Priority
  • DefaultTolerationSeconds
  • DefaultStorageClass
  • StorageObjectInUseProtection
  • PersistentVolumeClaimResize
  • RuntimeClass
  • CertificateApproval
  • CertificateSigning
  • CertificateSubjectRestriction
  • DefaultIngressClass
  • MutatingAdmissionWebhook
  • ValidatingAdmissionWebhook
  • ResourceQuota

Recommended Admission Controllers

In addition to the default controllers, it is recommended to enable the following for enhanced security and resource management:

  • PodSecurity (Pod Security Admission): enforces the Pod Security Standards per namespace. Use it in place of PodSecurityPolicy, which was removed in Kubernetes 1.25. It is itself a default from 1.25 onward, but it enforces nothing until namespaces carry the pod-security.kubernetes.io/enforce label.
  • NamespaceExists: ensures resources are created in existing namespaces; redundant wherever the default NamespaceLifecycle controller is active.
  • AlwaysPullImages: forces an image pull on every pod start so registry credentials are re-checked rather than trusting the node's image cache.
  • ResourceQuota: already on by default; confirm it has not been disabled, and create a ResourceQuota object in each tenant namespace, since the controller enforces nothing otherwise.

Enabling Admission Controllers

Admission controllers are built into kube-apiserver and are selected with its command-line flags. The --admission-control flag that older guides reference has been deprecated since Kubernetes 1.10 and removed from later releases; use --enable-admission-plugins to add controllers to the default set and --disable-admission-plugins to remove defaults, for example --enable-admission-plugins=AlwaysPullImages,PodSecurity. Order is not significant with these two flags. Per-plugin configuration, such as the cluster-wide defaults for PodSecurity, goes in the file passed with --admission-control-config-file. On kubeadm clusters the flags live in the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml; on managed services the provider controls them, so check what the control plane actually runs rather than assuming the defaults.
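As an added example (not code from the original page or from Kubernetes itself), the following POSIX shell script audits a kube-apiserver flag string, such as one copied from /etc/kubernetes/manifests/kube-apiserver.yaml on a kubeadm node, against the controllers recommended above. It assumes a 1.25 or later default set (PodSecurity on by default); the DEFAULT_ON and WANTED lists are this example's own choices, the SAMPLE command line is constructed, and the legacy --admission-control handling exists only so that an old manifest is not misread as extending the defaults.

```shell
#!/bin/sh
# Added example (not the project's own code): check a kube-apiserver command line
# for the admission plugins recommended on this page. Input is the flag string
# as it appears in a kubeadm static pod manifest; SAMPLE below is constructed.

# Plugins kube-apiserver turns on with no flags (the subset that matters here;
# the full list is on the page and in `kube-apiserver -h`). PodSecurity is a
# default from 1.25 onward, which this script assumes.
DEFAULT_ON="NamespaceLifecycle LimitRanger ServiceAccount ResourceQuota MutatingAdmissionWebhook ValidatingAdmissionWebhook PodSecurity"

# What we want active: the page's recommendations, with PodSecurity standing in
# for the removed PodSecurityPolicy, plus the webhook plugin policy engines need.
WANTED="NamespaceLifecycle AlwaysPullImages PodSecurity ResourceQuota ValidatingAdmissionWebhook"

# flag_values CMDLINE FLAG: print each comma-separated value of --FLAG=a,b,c on its own line.
flag_values() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | tr ',' '\n'
}

# has_word LIST WORD: succeed if WORD is one of the whitespace-separated items in LIST.
has_word() {
  for _w in $1; do
    [ "$_w" = "$2" ] && return 0
  done
  return 1
}

# active_plugins CMDLINE: the effective set, i.e. defaults plus
# --enable-admission-plugins minus --disable-admission-plugins, de-duplicated.
active_plugins() {
  _legacy=$(flag_values "$1" admission-control | tr '\n' ' ')
  if [ -n "$_legacy" ]; then
    # The removed --admission-control flag replaced the defaults outright
    # instead of extending them, so its list is the whole effective set.
    printf '%s\n' $_legacy | sort -u
    return 0
  fi
  _enabled=$(flag_values "$1" enable-admission-plugins | tr '\n' ' ')
  _disabled=$(flag_values "$1" disable-admission-plugins | tr '\n' ' ')
  for _p in $DEFAULT_ON $_enabled; do
    has_word "$_disabled" "$_p" || printf '%s\n' "$_p"
  done | sort -u
}

# missing_plugins CMDLINE: print each wanted plugin that is not in the effective set.
missing_plugins() {
  _active=$(active_plugins "$1" | tr '\n' ' ')
  for _p in $WANTED; do
    has_word "$_active" "$_p" || printf '%s\n' "$_p"
  done
}

# Constructed sample: AlwaysPullImages was added, but ResourceQuota was switched
# off, which silently disables every quota object in the cluster.
SAMPLE='--enable-admission-plugins=NodeRestriction,AlwaysPullImages --disable-admission-plugins=ResourceQuota --audit-log-path=/var/log/kubernetes/audit.log'

missing_plugins "$SAMPLE"   # prints: ResourceQuota
```

On a kubeadm node, pass the flag lines of the static pod manifest joined into one string; on a managed service the flags are not visible, so confirm the effective set with the provider instead. The check deliberately treats an explicit --disable-admission-plugins entry as fatal for a default such as ResourceQuota or ValidatingAdmissionWebhook, because disabling those does not fail loudly: quota objects and policy webhooks simply stop being consulted.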

Conclusion

Admission Controllers are essential for enforcing policies and ensuring the security and efficiency of a Kubernetes cluster. By properly configuring and enabling the necessary Admission Controllers, you can maintain a well-regulated and secure environment. Regularly review and update the Admission Controllers in use to adapt to evolving security and operational needs. Implementing these best practices helps ensure that your Kubernetes API server operates with the necessary constraints and protections in place.


follow these measures