Admission Control

Kubernetes Webhooks

Joe Searcy

Principal Architect, Systems Design

T-Mobile

What is an Admission Controller?

A piece of code that intercepts requests to the Kubernetes API server after authentication/authorization and before persistence of the object.

Plugin Admission Controllers

NamespaceLifecycle

LimitRanger

ServiceAccount

DefaultStorageClass

DefaultTolerationSeconds

ResourceQuota

Dynamic Admission Controllers

VALIDATING

MUTATING

Enforce Custom Policy

Enforce Custom Defaults

Prerequisites

  • Kubernetes cluster is at least v1.9

  • MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers are enabled. Here is a recommended set of admission controllers to enable in general.

  • Ensure that the admissionregistration.k8s.io/v1beta1 API is enabled.

 

Webhook Components

Service

Server

Webhook Config

API Server

DEMO

Image Swap Mutating Admission Webhook for Kubernetes

https://github.com/phenixblue/imageswap-webhook
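
The mutating flow the demo covers, as an added example (not code from the talk or from the imageswap-webhook project): a handler that reads an AdmissionReview request for a Pod and returns a base64-encoded JSONPatch redirecting container images to an internal registry. The registry host, the rewrite rule and the sample request are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: images are redirected to this internal registry (hypothetical host).
INTERNAL_REGISTRY = "registry.example.internal"


def swap_image(image: str) -> str:
    """Return the image reference rewritten to pull from INTERNAL_REGISTRY."""
    if image.startswith(INTERNAL_REGISTRY + "/"):
        return image  # already compliant, so no patch is needed
    first, _, rest = image.partition("/")
    # A first path component containing '.' or ':' (or 'localhost') is a registry host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        image = rest
    return f"{INTERNAL_REGISTRY}/{image}"


def mutate(review: dict) -> dict:
    """Build the AdmissionReview response for an incoming admission request."""
    request = review["request"]
    response = {"uid": request["uid"], "allowed": True}  # uid must echo the request
    patch = []
    if request.get("kind", {}).get("kind") == "Pod":
        spec = request["object"].get("spec", {})
        for field in ("initContainers", "containers"):
            for i, container in enumerate(spec.get(field, [])):
                new_image = swap_image(container["image"])
                if new_image != container["image"]:
                    patch.append({"op": "replace",
                                  "path": f"/spec/{field}/{i}/image",
                                  "value": new_image})
    if patch:
        # The API server expects the JSONPatch document base64-encoded.
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": review.get("apiVersion", "admission.k8s.io/v1beta1"),
            "kind": "AdmissionReview", "response": response}


# Constructed sample request, trimmed to the fields the handler reads.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
    "request": {"uid": "00000000-0000-0000-0000-000000000001",
                "kind": {"group": "", "version": "v1", "kind": "Pod"},
                "object": {"spec": {
                    "initContainers": [{"image": "docker.io/library/busybox:1.36"}],
                    "containers": [{"image": "nginx:1.25"},
                                   {"image": "registry.example.internal/team/app:2.0"}]}}}}
```

In a deployment this function would sit behind the HTTPS Server component, reached through the Service named in the Webhook Config.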

Q&A