Admission Controllers in Kubernetes serve as a critical checkpoint in the API server: they intercept each request after authentication and authorization but before the object is persisted, and use that position to enforce security, resource management, and operational policies. Without proper configuration, or if key Admission Controllers are disabled, clusters face several risks:
Outdated or Insecure Images: If the AlwaysPullImages controller is not enabled, nodes may run stale or potentially insecure images from their local cache instead of pulling the intended image from the registry, leaving known vulnerabilities in place.
Security Violations in Pods: Without the PodSecurityPolicy controller (removed in Kubernetes 1.25 and replaced by the built-in Pod Security Admission controller), pods may be scheduled with elevated privileges or other insecure configurations (e.g., running as root or using privileged containers), which can lead to unauthorized access or privilege escalation.
Resource Exhaustion: If the ResourceQuota controller is not enforced, resource consumption within namespaces goes unchecked, leading to resource exhaustion, degraded performance, or denial of service (DoS) conditions.
Namespace Misconfigurations: Without the NamespaceExists controller, resources could be created in non-existent or incorrect namespaces, leading to operational confusion, potential security gaps, and misconfigurations.
To mitigate these risks, it is crucial to explicitly configure and enable the key Admission Controllers in the Kubernetes API server, and to verify that they are in fact enabled rather than assuming the defaults cover them.
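As an added example (not part of the original text), the following POSIX shell script audits a kube-apiserver static pod manifest for the admission plugins discussed above and reports which ones are not explicitly enabled. The manifest it reads is constructed inline for illustration; on a kubeadm cluster the real file is /etc/kubernetes/manifests/kube-apiserver.yaml. The list of required plugins is an assumption to adjust to your own baseline: it uses the current NamespaceLifecycle and PodSecurity plugins in place of NamespaceExists and PodSecurityPolicy, since the latter was removed in Kubernetes 1.25.

```shell
#!/bin/sh
# Added example, not from the original text: audit a kube-apiserver static pod
# manifest for the admission plugins a cluster should have explicitly enabled.
# The manifest written below is constructed for illustration only.

# Plugins this check expects (an assumption; adjust to your baseline).
# NamespaceLifecycle and PodSecurity are the current plugins that cover the
# roles of NamespaceExists and the removed PodSecurityPolicy.
REQUIRED_PLUGINS="NamespaceLifecycle AlwaysPullImages ResourceQuota NodeRestriction PodSecurity"

# Write a constructed sample manifest to a temp file and print its path.
write_sample_manifest() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.29.0
    command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ResourceQuota
    - --authorization-mode=Node,RBAC
EOF
  echo "$f"
}

# Print the comma-separated value of --enable-admission-plugins found in $1.
# Prints nothing if the flag is absent. The API server then applies its
# built-in default set, which does not include AlwaysPullImages or
# NodeRestriction, so absence is reported here as "not explicitly enabled".
enabled_admission_plugins() {
  sed -n 's/.*--enable-admission-plugins=\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the required plugins missing from $1, space-separated on one line.
missing_admission_plugins() {
  enabled="$(enabled_admission_plugins "$1")"
  missing=""
  for p in $REQUIRED_PLUGINS; do
    case ",$enabled," in
      *",$p,"*) ;;                  # present in the enabled list
      *) missing="$missing $p" ;;   # absent: report it
    esac
  done
  printf '%s\n' "${missing# }"
}

# Stand-alone run: report against the constructed manifest.
manifest="$(write_sample_manifest)"
echo "enabled: $(enabled_admission_plugins "$manifest")"
echo "missing: $(missing_admission_plugins "$manifest")"
rm -f "$manifest"
```

Run against the sample, the script reports that AlwaysPullImages and PodSecurity are not in the enabled list; pointing the two functions at a real manifest turns this into a quick post-deployment check that the API server flags match the cluster's intended policy.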