The NamespaceExists admission controller rejects a request to create a resource in a namespace that doesn’t exist. This way, it validates the request.
NamespaceAutoProvision is another admission controller, which is not enabled by default. It creates the namespace automatically if a request is made to create a resource in a namespace that does not exist.
The DefaultStorageClass admission controller observes the creation of PVC objects that do not request any specific storage class and automatically adds a default storage class to them. This way, it modifies the request.
Note: The NamespaceExists and NamespaceAutoProvision admission controllers have now been deprecated and replaced with the NamespaceLifecycle admission controller. It makes sure that requests to a non-existent namespace are rejected and that the default namespaces such as default, kube-system and kube-public cannot be deleted.
View enabled admission controllers:
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep enable-admission-plugins
or
kube-apiserver -h | grep enable-admission-plugins
Enable/Disable admission controllers:
The left side shows the setup where Kube ApiServer is run as a service, and the right side shows a kubeadm setup where Kube ApiServer is run as a pod. In both cases, add the admission controllers as comma-separated values.
To disable admission controllers, use the --disable-admission-plugins flag in the same way.
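The script below is an added example, not part of the original page: it audits the two flags described above in a kube-apiserver manifest or service unit file, listing the enabled and disabled plugins, any enabled plugin the note above lists as deprecated, and any plugin named in both flags. The function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the admission-plugin flags in a kube-apiserver manifest.

# Print the plugins named by one flag, one per line.
# $1 = enable | disable, $2 = path to the manifest or service unit file.
admission_plugins() {
  sed -n "s/^.*--$1-admission-plugins=//p" "$2" \
    | sed 's/[[:space:]\\"]*$//' \
    | tr ',' '\n' | sed '/^$/d'
}

# Enabled plugins that are deprecated in favour of NamespaceLifecycle.
deprecated_enabled() {
  admission_plugins enable "$1" \
    | grep -x -e NamespaceExists -e NamespaceAutoProvision || true
}

# Plugins named in both the enable and the disable list.
conflicting() {
  for p in $(admission_plugins enable "$1"); do
    admission_plugins disable "$1" | grep -qx "$p" && echo "$p"
  done
  return 0
}

# Constructed sample manifest (not taken from a real cluster).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,NamespaceAutoProvision,DefaultStorageClass
    - --disable-admission-plugins=DefaultStorageClass
EOF

echo "enabled:    $(admission_plugins enable "$SAMPLE" | tr '\n' ' ')"
echo "disabled:   $(admission_plugins disable "$SAMPLE" | tr '\n' ' ')"
echo "deprecated: $(deprecated_enabled "$SAMPLE" | tr '\n' ' ')"
echo "conflict:   $(conflicting "$SAMPLE" | tr '\n' ' ')"
```

On a kubeadm node, pass /etc/kubernetes/manifests/kube-apiserver.yaml as the path instead of the sample file.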