Authentication & Authorization Admission Controllers
- Overcomes RBAC drawbacks
- A few are enabled by default, e.g. NamespaceExists
- Flow: authenticate > authorize > admission controllers
- Validating admission controllers: validate requests and allow or deny them
- Mutating admission controllers: mutate (modify) the requests
- Mutating admission controllers run first, so that their changes are then validated by the validating admission controllers
- Webhooks are custom admission controllers
  - deploy the webhook server
  - host it
  - create the validating webhook configuration
Commands:
- kube-apiserver -h | grep enable-admission-plugins
- kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger
- vi /etc/kubernetes/manifests/kube-apiserver.yaml
- kubectl create secret tls --help
- k apply -f webhook-deployment.yaml
- k apply -f webhook-service.yaml
- k apply -f webhook-configuration.yaml
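Added example (not part of the original notes): the decision logic a webhook server would run on an AdmissionReview request, showing why the mutating step has to run before the validating one. The `owner` label policy, the function names and the sample request are assumptions made for illustration; HTTPS serving with the TLS secret is left out.

```python
import base64
import json

REQUIRED_LABEL = "owner"  # hypothetical policy: every Pod needs this label

def _respond(review, **fields):
    """Build an AdmissionReview response; uid must echo the request uid."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": review["request"]["uid"], **fields}}

def mutate(review, default="unassigned"):
    """Mutating webhook: return a base64 JSONPatch adding the label if absent."""
    labels = review["request"]["object"]["metadata"].get("labels")
    if labels and REQUIRED_LABEL in labels:
        return _respond(review, allowed=True)
    if labels is None:  # no labels map yet, so create it
        op = {"op": "add", "path": "/metadata/labels", "value": {REQUIRED_LABEL: default}}
    else:
        op = {"op": "add", "path": "/metadata/labels/" + REQUIRED_LABEL, "value": default}
    patch = base64.b64encode(json.dumps([op]).encode()).decode()
    return _respond(review, allowed=True, patchType="JSONPatch", patch=patch)

def validate(review):
    """Validating webhook: deny a Pod whose label is missing or empty."""
    labels = review["request"]["object"]["metadata"].get("labels") or {}
    if labels.get(REQUIRED_LABEL):
        return _respond(review, allowed=True)
    return _respond(review, allowed=False, status={
        "code": 403, "message": f"label {REQUIRED_LABEL!r} is required"})

def apply_patch(obj, patch_b64):
    """Demo stand-in for the API server applying the returned 'add' ops."""
    out = json.loads(json.dumps(obj))  # deep copy
    for op in json.loads(base64.b64decode(patch_b64)):
        *parents, leaf = op["path"].strip("/").split("/")
        target = out
        for key in parents:
            target = target[key]
        target[leaf] = op["value"]
    return out

# Constructed sample request: a Pod submitted without labels.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
          "request": {"uid": "demo-uid-0001",
                      "object": {"kind": "Pod", "metadata": {"name": "web"}}}}

if __name__ == "__main__":
    patched = apply_patch(SAMPLE["request"]["object"], mutate(SAMPLE)["response"]["patch"])
    after = {**SAMPLE, "request": {**SAMPLE["request"], "object": patched}}
    print(validate(SAMPLE)["response"]["allowed"], validate(after)["response"]["allowed"])
```

Validated on its own, the unlabeled Pod is denied; once the mutating patch has been applied, the same Pod passes validation.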
Links :