 

How to obtain the enable admission controller list in kubernetes?

AFAIK, the admission controller is the last pass before the submission to the database.

However, I cannot tell which ones are enabled. Is there a way to know which ones are taking effect?

Thanks.

Weiwei Jiang asked Jul 24 '18 03:07


People also ask

How do I enable admission controller?

The recommended admission controllers are enabled by default, so you do not need to specify them explicitly. You can enable additional admission controllers beyond the default set with the --enable-admission-plugins flag (order does not matter), and turn default ones off with --disable-admission-plugins.

How do you list admission in webhook?

Webhook configuration. To register admission webhooks, create MutatingWebhookConfiguration or ValidatingWebhookConfiguration API objects. The name of a MutatingWebhookConfiguration or a ValidatingWebhookConfiguration object must be a valid DNS subdomain name. Each configuration can contain one or more webhooks.

What are the two phases in which the admission controllers are executed in the k8s API server?

The admission control process has two phases: the mutating phase is executed first, followed by the validating phase.

What is Admissionregistration k8s io?

MutatingWebhookConfiguration [admissionregistration.k8s.io/v1beta1] Description. MutatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects, and may change, the object.


2 Answers

The kube-apiserver is running in your kube-apiserver-<example.com> container. The application does not have a get method at the moment to obtain the enabled admission plugins, but you can get the startup parameters from its command line:

kubectl -n kube-system describe po kube-apiserver-example.com

Another way is to look inside the container: unfortunately there is no "ps" command in it, but you can read the initial process's command-line parameters from /proc, something like this:

kubectl -n kube-system exec kube-apiserver-example.com -- sed 's/--/\n/g' /proc/1/cmdline

The output will probably contain something like:

enable-admission-plugins=NodeRestriction

user3527765 answered Oct 22 '22 14:10
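The script below is an added example, not part of the answer above, that turns the same idea into a repeatable check: it parses a kube-apiserver argument list (the pod spec's command, or /proc/1/cmdline split on its NUL separators) and reports whether a given plugin is explicitly enabled, explicitly disabled, or left to the built-in default list of that API server version. SAMPLE_CMDLINE is constructed for the example. live_cmdline() is the only part that talks to a cluster; it assumes kubectl access to a self-managed control plane where the kube-apiserver pod is visible (on managed control planes it is not), and it is not exercised offline. Note the caveat the flag alone does not settle: a plugin missing from --enable-admission-plugins can still be active because it is in the defaults, which `kube-apiserver -h | grep enable-admission-plugins` prints for your version.

```python
"""Report which admission plugins a kube-apiserver was started with.

Added example. SAMPLE_CMDLINE is constructed, not taken from a real cluster;
the list shape is what `kubectl get pod ... -o json` shows under
.spec.containers[0].command and what /proc/1/cmdline holds once split on NUL.
"""
import subprocess

SAMPLE_CMDLINE = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--enable-admission-plugins=NodeRestriction,PodSecurity",
    "--disable-admission-plugins=DefaultStorageClass",
    "--authorization-mode=Node,RBAC",
]


def flag_values(cmdline, flag):
    """Items of the comma-separated value of --flag (empty list if absent).

    Accepts both "--flag=a,b" and "--flag a,b"; both are valid for kube-apiserver.
    """
    items = []
    for i, arg in enumerate(cmdline):
        if arg.startswith(f"--{flag}="):
            items.extend(arg.split("=", 1)[1].split(","))
        elif arg == f"--{flag}" and i + 1 < len(cmdline):
            items.extend(cmdline[i + 1].split(","))
    return [x for x in items if x]


def plugin_state(cmdline, name):
    """'disabled', 'enabled' or 'default' for one admission plugin.

    'default' means the flags say nothing about it: it runs only if it is in the
    version's built-in default list (kube-apiserver -h | grep enable-admission-plugins).
    Disable wins over enable, which is also how the API server treats the flags.
    """
    if name in flag_values(cmdline, "disable-admission-plugins"):
        return "disabled"
    if name in flag_values(cmdline, "enable-admission-plugins"):
        return "enabled"
    return "default"


def live_cmdline(pod, namespace="kube-system"):
    """Read the real argument list from a running API server pod (needs kubectl).

    Same source as the answer above (/proc/1/cmdline); the NUL split happens here,
    so no shell is required inside the container. Pod name is an assumption.
    """
    raw = subprocess.run(
        ["kubectl", "-n", namespace, "exec", pod, "--", "cat", "/proc/1/cmdline"],
        check=True, capture_output=True,
    ).stdout
    return [a.decode() for a in raw.split(b"\0") if a]


if __name__ == "__main__":
    # Plugins a security review usually asks about first.
    for plugin in ("NodeRestriction", "PodSecurity", "DefaultStorageClass", "ServiceAccount"):
        print(f"{plugin}: {plugin_state(SAMPLE_CMDLINE, plugin)}")
```

Replace SAMPLE_CMDLINE with `live_cmdline("kube-apiserver-<node>")` to check a real control plane; on the sample, ServiceAccount comes back as "default" rather than "enabled" precisely because nothing on the command line mentions it.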


There isn't an admission controller k8s object exposed directly in kubectl.

To get a list of admissions controllers, you have to hit the k8s master API directly with the right versions supported by your k8s installation:

kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq

For our environment, we run open policy agent as an admissions controller and we can see the webhook object here:

kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq '.items[] | select(.metadata.name=="open-policy-agent-latest-helm-opa")'

Which outputs the JSON object:

{
  "metadata": {
    "name": "open-policy-agent-latest-helm-opa",
    "selfLink": "/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/open-policy-agent-latest-helm-opa",
    "uid": "02139b9e-b282-4ef9-8017-d698bb13882c",
    "resourceVersion": "150373119",
    "generation": 93,
    "creationTimestamp": "2021-03-18T06:22:54Z",
    "labels": {
      "app": "open-policy-agent-latest-helm-opa",
      "app.kubernetes.io/managed-by": "Helm",
      "chart": "opa-1.14.6",
      "heritage": "Helm",
      "release": "open-policy-agent-latest-helm-opa"
    },
    "annotations": {
      "meta.helm.sh/release-name": "open-policy-agent-latest-helm-opa",
      "meta.helm.sh/release-namespace": "open-policy-agent-latest"
    },
    "managedFields": [
      {
        "manager": "Go-http-client",
        "operation": "Update",
        "apiVersion": "admissionregistration.k8s.io/v1beta1",
        "time": "2021-03-18T06:22:54Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:metadata": {
            "f:annotations": {
              ".": {},
              "f:meta.helm.sh/release-name": {},
              "f:meta.helm.sh/release-namespace": {}
            },
            "f:labels": {
              ".": {},
              "f:app": {},
              "f:app.kubernetes.io/managed-by": {},
              "f:chart": {},
              "f:heritage": {},
              "f:release": {}
            }
          },
          "f:webhooks": {
            ".": {},
            "k:{\"name\":\"webhook.openpolicyagent.org\"}": {
              ".": {},
              "f:admissionReviewVersions": {},
              "f:clientConfig": {
                ".": {},
                "f:caBundle": {},
                "f:service": {
                  ".": {},
                  "f:name": {},
                  "f:namespace": {},
                  "f:port": {}
                }
              },
              "f:failurePolicy": {},
              "f:matchPolicy": {},
              "f:name": {},
              "f:namespaceSelector": {
                ".": {},
                "f:matchExpressions": {}
              },
              "f:objectSelector": {},
              "f:rules": {},
              "f:sideEffects": {},
              "f:timeoutSeconds": {}
            }
          }
        }
      }
    ]
  },
  "webhooks": [
    {
      "name": "webhook.openpolicyagent.org",
      "clientConfig": {
        "service": {
          "namespace": "open-policy-agent-latest",
          "name": "open-policy-agent-latest-helm-opa",
          "port": 443
        },
        "caBundle": "LS0BLAH="
      },
      "rules": [
        {
          "operations": [
            "*"
          ],
          "apiGroups": [
            "*"
          ],
          "apiVersions": [
            "*"
          ],
          "resources": [
            "namespaces"
          ],
          "scope": "*"
        }
      ],
      "failurePolicy": "Ignore",
      "matchPolicy": "Exact",
      "namespaceSelector": {
        "matchExpressions": [
          {
            "key": "openpolicyagent.org/webhook",
            "operator": "NotIn",
            "values": [
              "ignore"
            ]
          }
        ]
      },
      "objectSelector": {},
      "sideEffects": "Unknown",
      "timeoutSeconds": 20,
      "admissionReviewVersions": [
        "v1beta1"
      ]
    }
  ]
}

You can see above the clientConfig endpoint in k8s, which is what the admission payload is sent to. Tail the logs of the pods that serve that endpoint and you'll see your admission requests being processed.

To get mutating webhooks, hit the version of the API of interest again:

# get v1 mutating webhook configurations
kubectl get --raw /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations | jq
ted-k42 answered Oct 22 '22 13:10
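Listing the webhook configurations is the first half of the job; the second is reading them for the settings that let a request get past the webhook. The script below is an added example, not code from the answer above or from OPA, that audits the JSON returned by `kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations` (the mutating list has the same shape). SAMPLE_LIST is constructed: it is the OPA object shown above trimmed to the fields the audit reads, plus a hypothetical "example-hardened" configuration for contrast whose names, service and caBundle are placeholders. live_list() needs kubectl and is not exercised offline.

```python
"""Audit admission webhook configurations for bypass conditions.

Added example. SAMPLE_LIST is constructed: the OPA object from the answer above,
trimmed, plus a hypothetical hardened configuration ("example-hardened",
"pods.example.invalid", caBundle "Q09OU1RSVUNURUQ=" are all placeholders).
"""
import json
import subprocess

SAMPLE_LIST = json.loads("""{"items": [
 {"metadata": {"name": "open-policy-agent-latest-helm-opa"},
  "webhooks": [{"name": "webhook.openpolicyagent.org",
    "clientConfig": {"service": {"namespace": "open-policy-agent-latest",
      "name": "open-policy-agent-latest-helm-opa", "port": 443}, "caBundle": "LS0BLAH="},
    "rules": [{"operations": ["*"], "apiGroups": ["*"], "apiVersions": ["*"],
      "resources": ["namespaces"], "scope": "*"}],
    "failurePolicy": "Ignore", "matchPolicy": "Exact",
    "namespaceSelector": {"matchExpressions": [{"key": "openpolicyagent.org/webhook",
      "operator": "NotIn", "values": ["ignore"]}]},
    "objectSelector": {}, "sideEffects": "Unknown", "timeoutSeconds": 20,
    "admissionReviewVersions": ["v1beta1"]}]},
 {"metadata": {"name": "example-hardened"},
  "webhooks": [{"name": "pods.example.invalid",
    "clientConfig": {"service": {"namespace": "policy", "name": "policy", "port": 443},
      "caBundle": "Q09OU1RSVUNURUQ="},
    "rules": [{"operations": ["CREATE", "UPDATE"], "apiGroups": [""],
      "apiVersions": ["v1"], "resources": ["pods"], "scope": "Namespaced"}],
    "failurePolicy": "Fail", "namespaceSelector": {}, "objectSelector": {},
    "sideEffects": "None", "timeoutSeconds": 10, "admissionReviewVersions": ["v1"]}]}
]}""")


def audit_webhook(config_name, wh):
    """Return (config, webhook, finding) tuples for one webhook entry."""
    findings = []
    tag = (config_name, wh["name"])
    # v1 defaults failurePolicy to Fail. Ignore means an unreachable or slow
    # webhook admits the request, so the policy can be bypassed by taking it down.
    if wh.get("failurePolicy", "Fail") == "Ignore":
        findings.append(tag + ("failurePolicy=Ignore: requests are admitted when the webhook is down or times out",))
    # Without a caBundle the API server cannot verify the webhook's serving cert,
    # every call fails, and failurePolicy alone decides the outcome.
    if not wh.get("clientConfig", {}).get("caBundle"):
        findings.append(tag + ("empty caBundle: every webhook call fails TLS verification",))
    # NotIn / DoesNotExist selectors are opt-out labels: whoever can set that
    # label on a namespace (or object) exempts it from the webhook.
    for sel in ("namespaceSelector", "objectSelector"):
        for expr in wh.get(sel, {}).get("matchExpressions", []):
            if expr.get("operator") in ("NotIn", "DoesNotExist"):
                findings.append(tag + (f"{sel} opt-out via label {expr['key']}: anyone who can set that label bypasses the webhook",))
    return findings


def audit_all(config_list):
    out = []
    for cfg in config_list.get("items", []):
        for wh in cfg.get("webhooks", []):
            out.extend(audit_webhook(cfg["metadata"]["name"], wh))
    return out


def _rule_matches(rule, group, resource, op):
    # "*" in operations, apiGroups or resources matches everything for that field.
    # apiVersions and scope are ignored here for brevity.
    def ok(values, want):
        return "*" in values or want in values
    return (ok(rule.get("operations", []), op)
            and ok(rule.get("apiGroups", []), group)
            and ok(rule.get("resources", []), resource))


def covers(config_list, group, resource, op):
    """Names of webhooks whose rules match a request; "" is the core API group.

    Selectors are not applied: this answers "which webhooks could see this
    request", not "which will run for this particular object".
    """
    names = []
    for cfg in config_list.get("items", []):
        for wh in cfg.get("webhooks", []):
            if any(_rule_matches(r, group, resource, op) for r in wh.get("rules", [])):
                names.append(wh["name"])
    return names


def live_list(kind="validatingwebhookconfigurations"):
    """Fetch the real list with kubectl (not run offline)."""
    path = f"/apis/admissionregistration.k8s.io/v1/{kind}"
    raw = subprocess.run(["kubectl", "get", "--raw", path], check=True, capture_output=True).stdout
    return json.loads(raw)


if __name__ == "__main__":
    for config, hook, finding in audit_all(SAMPLE_LIST):
        print(f"{config}/{hook}: {finding}")
    print("pods CREATE is gated by:", covers(SAMPLE_LIST, "", "pods", "CREATE"))
```

Run against the sample, the OPA entry produces two findings (failurePolicy=Ignore and the openpolicyagent.org/webhook opt-out label) and covers() shows it only ever sees namespace objects, so pod admission in that cluster rests on whatever else is installed; the hardened entry produces none. Swap SAMPLE_LIST for `live_list()` and `live_list("mutatingwebhookconfigurations")` to audit a real cluster.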