Many software developers use Kubernetes to develop, scale, deploy, and manage containerized applications because of its many valuable features and components. One of these components is the Kubernetes admission controller, which this article will discuss.
Admission controllers enforce predefined policies and decide whether or not to admit requests made to a Kubernetes cluster. Once the cluster receives a request, an admission controller intercepts and processes it. This request can be to create, delete, or update a Kubernetes resource. When the admission controller intercepts the request, it will evaluate it, modify it if necessary, and decide whether it should be admitted.
Uses of Kubernetes Admission Controllers
This section will discuss the primary uses of admission controllers, their benefits, and specific examples.
- Enhancing security
They prevent unauthorized access to clusters and block the deployment of malicious resources. For example, the PodSecurityPolicy admission controller stops users from activating potentially unsafe settings or using privileged containers. The NamespaceLifecycle admission controller also allows only authorized users to create isolated namespaces in a cluster.
- Dictating cluster behavior
Kubernetes has a default set of admission controllers. However, users can create their own controllers and integrate them with the platform to suit their needs. This customizability allows companies to tailor Kubernetes clusters to their internal compliance standards. Companies can also integrate them with third-party services to gain finer-grained admission control.
- Enforcing policies
Organizations can use the admission controllers in a Kubernetes cluster to uphold their policies and regulations. This proves beneficial for companies that have developers collaborating on different projects within the cluster.
How Kubernetes Admission Controllers Work
The admission controllers work through the following steps:
Firstly, a user or software program will submit a request to create, delete, or modify a Kubernetes resource. This admission request will be directed to the Kubernetes API server.
Admission control flow
Once the API server receives the request, it will forward it to the appropriate admission controllers for them to handle it. The admission controllers already have predefined rules they will use for this process.
The admission controller will evaluate the admission request according to predefined rules. The evaluating controllers can be either the default ones or custom ones created by an organization.
The admission controller will either admit or reject the request, depending on the result of its evaluation.
Sometimes, a mutating admission controller will modify a request based on predetermined criteria.
Generation of response
Following the decision, the admission controller will generate a response explaining the decision to the user.
When multiple admission controllers evaluate a request, all of their responses are aggregated, and if any one controller rejects the request, the system denies it outright.
Response to client
The admission controllers will send the aggregate response to the API server, which will forward it to the user or software program that initiated the request. If the request is rejected, the client will get an error message.
Persisting to etcd
If all the admission controllers approve the request, the API server will persist the resource configuration to the etcd database.
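As an added example (not code from the original article), the evaluation-and-response part of this flow in Python: a function standing in for a validating webhook that rejects Pods with privileged containers and explains why in the response, and a mutating variant that admits the Pod after patching the flag off. The AdmissionReview payload is a constructed sample; a real webhook receives it over HTTPS from the API server.

```python
import base64
import json
# Constructed sample: the AdmissionReview the API server POSTs to a webhook when a
# user creates a Pod whose container asks for privileged mode.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-0001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {"metadata": {"name": "demo", "namespace": "default"},
                   "spec": {"containers": [
                       {"name": "app", "image": "example/app:1.0",
                        "securityContext": {"privileged": True}}]}},
    },
}

def privileged_indexes(pod: dict) -> list:
    """Indexes of spec.containers entries that request privileged mode."""
    containers = pod.get("spec", {}).get("containers", [])
    return [i for i, c in enumerate(containers)
            if c.get("securityContext", {}).get("privileged") is True]

def _wrap(response: dict) -> dict:
    # Every webhook reply is itself an AdmissionReview carrying only .response.
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

def validate(review: dict) -> dict:
    """Validating controller: reject the request and explain why in .status.message."""
    req = review["request"]
    bad = privileged_indexes(req.get("object") or {})  # object is absent on DELETE
    response = {"uid": req["uid"], "allowed": not bad}  # uid must echo the request
    if bad:
        names = [req["object"]["spec"]["containers"][i]["name"] for i in bad]
        response["status"] = {"code": 403,
                              "message": "privileged containers are not allowed: " + ", ".join(names)}
    return _wrap(response)

def mutate(review: dict) -> dict:
    """Mutating controller: admit, but patch privileged to false via a base64 JSON Patch."""
    req = review["request"]
    patch = [{"op": "replace", "path": f"/spec/containers/{i}/securityContext/privileged",
              "value": False} for i in privileged_indexes(req.get("object") or {})]
    response = {"uid": req["uid"], "allowed": True}
    if patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return _wrap(response)
```

The rejection message in `status.message` is the text the API server relays to the client as the error described in the response step above.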
Admission controllers are essential to the management and control of Kubernetes clusters. This is because they allow companies to host their containerized applications in a secure and compliant environment.