Introduction
In this post, we will be learning about one of the important concepts of Kubernetes, the “Admission Controllers”.
What are “Admission Controllers” in Kubernetes?
👉 An admission controller is a piece of code that intercepts and processes requests to the Kubernetes API server prior to persistence of the object, but only after the request is authenticated and authorized.
👉 Admission controllers limit requests to create, delete, modify objects. Admission controllers do not (and cannot) block requests to read (get, watch or list) objects.
👉 There are a few admission controllers are precompiled into “kube-apiserver” (Kubernetes version 1.27) which can be configured by cluster administrator:
🔹 CertificateApproval
🔹 CertificateSigning
🔹 CertificateSubjectRestriction
🔹 DefaultIngressClass
🔹 DefaultStorageClass
🔹 DefaultTolerationSeconds
🔹 LimitRanger
🔹 MutatingAdmissionWebhook
🔹 NamespaceLifecycle
🔹 PersistentVolumeClaimResize
🔹 PodSecurity
🔹 Priority
🔹 ResourceQuota
🔹 RuntimeClass
🔹 ServiceAccount
🔹 StorageObjectInUseProtection
🔹 TaintNodesByCondition
🔹 ValidatingAdmissionPolicy
🔹 ValidatingAdmissionWebhook
Types of Admission Controllers
1️⃣ Validating admission controllers
👉 These controllers validates the API object to make sure all conditions are met for that object.
👉 If all conditions are met then the object gets the permission to pass and finally persists to etcd.
2️⃣ Mutating admission controllers
👉 These controllers may modify related objects to the requests they admit.
3️⃣ Mutating + Validating admission controllers
👉 These controllers are responsible for both: mutation and validation.
👉 These types of controllers mutates objects, and then validates it, if needed.
Admission Control phases
👉 The admission control process proceeds in two phases:
1️⃣ Mutating admission controllers runs in the first phase.
2️⃣ And validating admission controllers runs in the second phase.
References
🔗 Kubernetes reference
🔗 A Guide to Kubernetes Admission Controllers
