Here is the official documentation of this feature.
An admission controller is a validation step applied to objects after authentication and authorization but before they are persisted to the cluster; think of it as a before-insert trigger on a database table. It lets you enforce policies that stop certain misconfigurations or undesired states from ever reaching the API server's store.
Several admission controllers are built in, but you can also create your own.
I would like to create an admission controller that rejects deployments with only one replica, so that every deployment in a given namespace runs at least two copies of the application. The policy is activated per namespace by setting a label on the namespace (a very common pattern in Kubernetes).
Here are the steps to accomplish this:
1. Create SSL certificates for the CA and the application
2. Create an application with the admission logic
3. Build the application as a container image
4. Deploy the application to Kubernetes
5. Create a Service in Kubernetes to expose this deployment
6. Create an admissionregistration object that calls this Service for the right API action and labeled namespace
7. Test the admission controller
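As an added example (not this repository's code), here is a minimal version of the admission logic from step 2 written in Go with only the standard library. Instead of importing `k8s.io/api/admission/v1`, it declares hand-written types covering just the subset of the `admission.k8s.io/v1` AdmissionReview wire format the check reads; the `/validate` path, the certificate paths and the sample request are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Hand-written subset of the admission.k8s.io/v1 AdmissionReview wire format
// (assumption: only the fields this check reads; the real k8s.io/api types
// carry many more, and unknown JSON fields are simply ignored on decode).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID       string           `json:"uid"`
	Kind      GroupVersionKind `json:"kind"`
	Namespace string           `json:"namespace"`
	Object    json.RawMessage  `json:"object"`
}
type GroupVersionKind struct {
	Group string `json:"group"`
	Kind  string `json:"kind"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"result,omitempty"`
}
type Status struct {
	Message string `json:"message,omitempty"`
	Code    int32  `json:"code,omitempty"`
}

// The only part of an apps/v1 Deployment the policy inspects.
type Deployment struct {
	Spec struct {
		Replicas *int32 `json:"replicas"`
	} `json:"spec"`
}

const minReplicas = 2

// validateDeployment applies the policy: a Deployment must ask for at least
// minReplicas. Kubernetes defaults an omitted spec.replicas to 1, so a missing
// field is rejected as well. Any other kind passes through untouched.
func validateDeployment(req *AdmissionRequest) *AdmissionResponse {
	resp := &AdmissionResponse{UID: req.UID, Allowed: true}
	if req.Kind.Group != "apps" || req.Kind.Kind != "Deployment" {
		return resp
	}
	var d Deployment
	if err := json.Unmarshal(req.Object, &d); err != nil {
		resp.Allowed = false
		resp.Result = &Status{Message: "cannot decode Deployment: " + err.Error(), Code: 400}
		return resp
	}
	replicas := int32(1)
	if d.Spec.Replicas != nil {
		replicas = *d.Spec.Replicas
	}
	if replicas < minReplicas {
		resp.Allowed = false
		resp.Result = &Status{
			Message: fmt.Sprintf("deployment in namespace %q must have at least %d replicas, got %d",
				req.Namespace, minReplicas, replicas),
			Code: 403,
		}
	}
	return resp
}

// decide turns a raw AdmissionReview body into the AdmissionReview the API
// server expects back: same apiVersion/kind, and a response echoing the UID.
func decide(body []byte) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	return &AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Response: validateDeployment(in.Request)}, nil
}

// serveValidate is the handler the ValidatingWebhookConfiguration points at
// (the /validate path is an assumption; the webhook manifest decides it).
func serveValidate(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	out, err := decide(body)
	if err != nil {
		http.Error(w, "malformed AdmissionReview: "+err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(out)
}

// Constructed sample of what the API server sends for a one-replica Deployment.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"abc-123","kind":{"group":"apps","version":"v1","kind":"Deployment"},"operation":"CREATE","namespace":"demo","object":{"apiVersion":"apps/v1","kind":"Deployment","spec":{"replicas":1}}}}`

func main() {
	http.HandleFunc("/validate", serveValidate)
	// The API server only calls webhooks over TLS; the cert and key paths are assumptions.
	log.Fatal(http.ListenAndServeTLS(":8443", "/certs/tls.crt", "/certs/tls.key", nil))
}
```

The response must carry `apiVersion`, `kind` and the request's `uid`, otherwise the API server discards it as malformed, and a denial only surfaces the `result.message` to the user when `allowed` is false. Treating an omitted `spec.replicas` as 1 matters: a manifest that simply leaves the field out would otherwise slip past the policy.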
Code and docs are heavily inspired by grumpy.
Some differences:
- Using `k8s.io/api/admission/v1` instead of `k8s.io/api/admission/v1beta1`
- Validating `apps/v1` Deployments instead of `v1` Pods
- Added a `namespaceSelector` to the `ValidatingWebhookConfiguration` object to control activation of the admission controller in a given namespace
- Added a Troubleshooting section showing what went wrong during testing