
Kubernetes Admission Controllers
Kubernetes admission controllers are a critical component of the Kubernetes API server. They intercept every request that creates, modifies or deletes an object, after the request has been authenticated and authorized but before the object is persisted to etcd, and either allow the request, reject it, or (for mutating controllers) change the object before it is stored. Because they sit at that point they are the last place a cluster can enforce policy: what admission allows is what the cluster runs. Admission does not apply to read requests (get, list, watch).
Annotations are key/value metadata attached to any Kubernetes object. They record additional information about the object, such as its purpose, ownership or tooling-specific settings, and they are one of the inputs an admission controller can inspect when deciding whether to allow a request.
In this tutorial, we’ll cover the following topics:
- Understanding admission controllers in Kubernetes
- Configuring admission controllers in a cluster
- Using annotations in Kubernetes
Understanding admission controllers in Kubernetes
Admission controllers in Kubernetes are implemented as plugins compiled into the API server; the two webhook plugins (MutatingAdmissionWebhook and ValidatingAdmissionWebhook) additionally call out over HTTPS to servers you operate. Each plugin is mutating, validating, or both. Some of the common admission controllers are:
- NamespaceLifecycle: rejects requests that create objects in a namespace that does not exist or is being terminated, and prevents deletion of the system namespaces default, kube-system and kube-public.
- LimitRanger: enforces the constraints in a namespace's LimitRange objects (minimum, maximum and default CPU and memory requests and limits for pods and containers) and injects the defaults into pods that do not set them.
- ResourceQuota: enforces the aggregate limits in a namespace's ResourceQuota objects (total CPU, memory, object counts and so on) and rejects requests that would exceed them.
- PodSecurityPolicy: enforced pod-level security restrictions (privileged containers, host namespaces, volume types and similar). It was deprecated in Kubernetes 1.21 and removed in 1.25; its replacement is the PodSecurity plugin, which enforces the Pod Security Standards per namespace.
Admission plugins run in a fixed sequence: all mutating plugins run first and may change the object, then all validating plugins run against the final, mutated object, so a validating check always sees what will actually be stored. Any plugin can reject the request; if one does, the chain stops, nothing is persisted, and the API server returns an error to the client that carries the rejecting plugin's message.
Configuring admission controllers in a cluster
Admission plugins are configured with flags on the kube-apiserver binary. Older documentation (and the original version of this example) uses --admission-control, an ordered, comma-separated list of plugins. That flag was deprecated in Kubernetes 1.10 in favour of --enable-admission-plugins and --disable-admission-plugins, and with those flags the order in which plugins are listed does not matter: the API server always runs plugins in its own fixed order (mutating plugins first, then validating plugins). --enable-admission-plugins adds to the set that is enabled by default, so you normally list only the plugins you need on top of the defaults; --disable-admission-plugins removes plugins from that set. On a kubeadm cluster the flags live in the API server's static pod manifest, /etc/kubernetes/manifests/kube-apiserver.yaml, and editing that file restarts the API server.
Here’s the equivalent of the original example on a current release (PodSecurityPolicy no longer exists, so PodSecurity takes its place):
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ResourceQuota,PodSecurity
In this example all four plugins are enabled. NamespaceLifecycle, LimitRanger and ResourceQuota are already in the default set, so listing them is harmless but redundant. To see which plugins your binary enables by default, run kube-apiserver -h | grep enable-admission-plugins; the flag’s help text lists them. As a security check, also look at --disable-admission-plugins on the running API server: removing a plugin such as NamespaceLifecycle, ServiceAccount or PodSecurity weakens policy enforcement silently, with no error anywhere.
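As an added example (not code from the original tutorial or from the Kubernetes project), the following Python implements the decision logic of an admission webhook: the part that receives an admission.k8s.io/v1 AdmissionReview from the API server and answers allow, deny or patch. It combines a mutating pass and a validating pass, runs them in the order the API server uses, and takes pod annotations as its policy input, which the next section covers in detail. Everything policy-specific is an assumption made here: the required owner annotation, the admission.example.com/reviewed stamp, the allowed-value pattern and the sample Pods (modelled on this tutorial’s mypod) are all constructed for the example. The HTTPS server, TLS, and the MutatingWebhookConfiguration and ValidatingWebhookConfiguration objects that register a webhook with the API server are not shown.

```python
"""Admission webhook decision logic for Kubernetes AdmissionReview v1.
Added example for this tutorial, not Kubernetes project code; runs offline on a
constructed AdmissionReview with a made-up policy (owner annotation + stamp)."""
import base64
import json
import re

REQUIRED_ANNOTATION = "owner"                          # hypothetical policy key
STAMP_ANNOTATION = "admission.example.com/reviewed"    # hypothetical key
OWNER_PATTERN = re.compile(r"^[a-z][a-z0-9-]{0,62}$")  # strict allow-list

def _review_response(uid, allowed, message=None, patch_ops=None):
    """Build the AdmissionReview the API server expects back from a webhook."""
    resp = {"uid": uid, "allowed": allowed}
    if message:  # status is a metav1.Status; its message is relayed to the client
        resp["status"] = {"code": 200 if allowed else 403, "message": message}
    if patch_ops:  # mutations travel as a base64-encoded RFC 6902 JSON Patch
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch_ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}

def _annotations(review):
    obj = review["request"].get("object") or {}
    return (obj.get("metadata") or {}).get("annotations")

def validate(review):
    """Validating pass: deny Pods whose owner annotation is missing or malformed."""
    req = review["request"]
    if req["kind"]["kind"] != "Pod":
        return _review_response(req["uid"], True)
    owner = (_annotations(review) or {}).get(REQUIRED_ANNOTATION)
    if owner is None:
        return _review_response(req["uid"], False,
                                f"pods must set the '{REQUIRED_ANNOTATION}' annotation")
    if not OWNER_PATTERN.match(owner):  # values are free text set by any writer
        return _review_response(req["uid"], False,
                                f"annotation '{REQUIRED_ANNOTATION}' has an invalid value")
    return _review_response(req["uid"], True)

def mutate(review):
    """Mutating pass: add the stamp annotation without clobbering existing ones."""
    req = review["request"]
    if req["kind"]["kind"] != "Pod":
        return _review_response(req["uid"], True)
    if _annotations(review) is None:
        # metadata.annotations may be absent: create the map, not a key inside it
        ops = [{"op": "add", "path": "/metadata/annotations",
                "value": {STAMP_ANNOTATION: "true"}}]
    else:  # RFC 6901 JSON Pointer escapes '~' as '~0' and '/' as '~1' in keys
        key = STAMP_ANNOTATION.replace("~", "~0").replace("/", "~1")
        ops = [{"op": "add", "path": f"/metadata/annotations/{key}", "value": "true"}]
    return _review_response(req["uid"], True, patch_ops=ops)

def decode_patch(response):
    """Return the JSON Patch operations carried in a mutating response."""
    return json.loads(base64.b64decode(response["response"]["patch"]))

def apply_add_ops(obj, ops):
    """Apply the 'add' ops this example emits (not a full RFC 6902 engine)."""
    new = json.loads(json.dumps(obj))  # deep copy; never patch the request in place
    for op in ops:
        if op["op"] != "add":
            raise ValueError(f"unsupported op {op['op']}")
        parts = [p.replace("~1", "/").replace("~0", "~")
                 for p in op["path"].lstrip("/").split("/")]
        cur = new
        for p in parts[:-1]:
            cur = cur.setdefault(p, {})
        cur[parts[-1]] = op["value"]
    return new

def admit(review):
    """Run the chain in API-server order: mutate, then validate the patched object."""
    mutated = mutate(review)
    obj = review["request"]["object"]
    if "patch" in mutated["response"]:
        obj = apply_add_ops(obj, decode_patch(mutated))
    patched = {**review, "request": {**review["request"], "object": obj}}
    return validate(patched), obj

def make_review(pod, uid="7c5e4a0e-0000-4000-8000-000000000001"):
    """Constructed AdmissionReview for a Pod CREATE (sample input, not captured)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": pod}}

# Constructed sample Pods modelled on the tutorial's mypod
GOOD_POD = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "mypod",
                         "annotations": {"purpose": "testing", "owner": "john"}},
            "spec": {"containers": [{"name": "mycontainer", "image": "busybox"}]}}
NO_OWNER_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "mypod"},
                "spec": GOOD_POD["spec"]}
BAD_OWNER_POD = json.loads(json.dumps(GOOD_POD))
BAD_OWNER_POD["metadata"]["annotations"]["owner"] = "John; curl http://evil"

if __name__ == "__main__":
    for pod in (GOOD_POD, NO_OWNER_POD, BAD_OWNER_POD):
        decision, _ = admit(make_review(pod))
        print(pod["metadata"].get("annotations"), "->", decision["response"])
```

Running the script prints the three decisions: mypod with owner: john is allowed and comes back with the stamp added, the Pod without an owner annotation is denied after the mutating pass has already run (the validating pass sees the stamped object, exactly as the API server orders things), and the Pod whose owner value fails the allow-list is denied. Two points matter when turning this into a real webhook. First, the API server only calls it if a webhook configuration registers it for the pods resource and the CREATE and UPDATE operations, and that configuration’s failurePolicy decides what happens when the webhook is unreachable: failurePolicy: Ignore means a crashed or slow webhook silently stops enforcing the policy, so use Fail for anything security-relevant. Second, a failing webhook with failurePolicy: Fail can block the control plane’s own pods, so exclude kube-system with a namespaceSelector and keep the webhook itself out of the namespaces it guards.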
Using annotations in Kubernetes
Annotations in Kubernetes are metadata associated with a resource that can be used to provide additional information about the resource. They are stored in the metadata.annotations field of a resource as a map of string keys to string values and can record information such as the purpose of the resource, its ownership, or settings consumed by tooling (ingress controllers, service meshes and similar). Unlike labels, annotations are not used to select or group objects. The API server checks only the shape of an annotation: keys must be valid (an optional DNS-subdomain prefix, a slash, then a name of at most 63 characters) and the total size of all annotations on one object is capped at 256 KiB. Values are never validated, and anyone who can update the object can set any annotation on it, so a controller that acts on annotations is acting on untrusted input; if an annotation value matters, enforce its presence and format with an admission policy rather than assuming it. Do not store secrets in annotations either: they are readable by anyone who can read the object, and kubectl apply also copies the whole previously applied object into the kubectl.kubernetes.io/last-applied-configuration annotation.
Here’s an example of how to add annotations to a pod in Kubernetes:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    purpose: testing
    owner: john
spec:
  containers:
  - name: mycontainer
    image: busybox
    command: ['sleep', '3600']
In this example, we’ve added two annotations purpose and owner to the pod mypod. These annotations can be retrieved using the kubectl get command:
kubectl get pod mypod -o yaml
This should output the pod with the annotations:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    owner: john
    purpose: testing