others-prepare for cks exam with me 9: Admission controllers in Kubernetes

1. Purpose

In this post, I would continue to write about preparing for the CKS (Certified Kubernetes Security Specialist) exam. I would write my own notes about the exam, and you can refer to these articles to prepare your own.

List of the series of posts:

-prepare for cks exam with me 1: Linux user and group management

-prepare for cks exam with me 2: Linux ssh hardening

-prepare for cks exam with me 3: Linux remove obsolete packages and services

-prepare for cks exam with me 4: Linux kernal hardening

-prepare for cks exam with me 5: Linux UFW(Uncomplicated firewall)

-prepare for cks exam with me 6: Seccomp in Linux, Docker and Kubernetes

-prepare for cks exam with me 7: Apparmor in Linux, Docker and Kubernetes

-prepare for cks exam with me 8: Security context in Kubernetes

-prepare for cks exam with me 9: Admission controllers in Kubernetes

-prepare for cks exam with me 10: Pod security policy in Kubernetes

-prepare for cks exam with me 11: Open policy agent in Kubernetes

-prepare for cks exam with me 12: Secrets in Kubernetes

-prepare for cks exam with me 13: Container runtimes(gvisor/kata containers) in Kubernetes

-prepare for cks exam with me 14: Container Image security in Docker and Kubernetes

-prepare for cks exam with me 15: How to print docker images of all pods in kubernetes

2. Environment

  • CKS
  • Ubuntu System

3. Admission controllers in Kubernetes

3.1 What is admission control?

Admission control in kubernetes is responsible for more fine-grained control after authentication and authorization , such as namespace check, mirror check, etc.

image-20210530144442575

There are two types of admission controllers in kubernetes:

  • Mutating controller: it may modify the request
  • Validating controller: it validates the request

Just as this picture shows, the mutating controller should be put ahead of the validating controller, otherwise, if the validating is ahead of the mutating and the request is not valid, then the mutating controller would not be called.

image-20210530144743642

3.2 How to check what admission controllers are enabled in api server?

We can check the enabled admission controllers as follows:

root@controlplane:/etc/kubernetes/manifests# k exec kube-apiserver-controlplane -n kube-system -- kube-apiserver -h | grep enable-admission-plugins 

      --enable-admission-plugins strings       admission plugins that should be enabled in addition to default enabled ones
      (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota).
      Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. 
      The order of plugins in this flag does not matter.

3.3 How to enable specific admission controller in kubernetes?

We can enable specific admission controller in kubernetes as follows:

In /etc/kubernetes/manifests/kube-apiserver.yaml, append these options of kube-apiserver:

# Enable
—- enable-admission-plugins=NodeRestriction,NamespaceAutoProvision

# Disable
—- disable-admission-plugins=DefaultStorageClass

4. Summary

In this post, I write some examples about admission control in kubernetes.