Security - Admission Controllers

Question 1

Where does the certificate lie that is used per default by kubectl?

Answer 1

root/.kube/config

Question 2

What can you do, if you want for example only permit images from certain images or not permit runAs root user?

Answer 2

You use Admission Controller for that.

Enforce how a Cluster is used

Question 3

What can an Admission Controller do?

Answer 3

• validate configuration
• change request
• perform additional operations before pod is created
• lot more

Question 4

Name a few by default enabled Admission Controllers

Answer 4

• AlwaysPullImages
• DefaultStorageClass
• EventRateLimit
• NamespaceExists
• many more

Question 5

How can you see all pre-enabled admission controllers?

Answer 5

Ps -ef | grep kube-apiserver

Question 6

How do you add an Admission Controller?

Answer 6

kube-apiserver.yaml
add Flag
–enable-admission-plugings=…

Question 7

How do you disable an Admission Controller?

Answer 7

add flag to kube-apiserver service/yaml:

–disable-admission-plugins=…

Question 8

How do you apply changes to the kube-apiserver?

Answer 8

Change the yaml under /etc/kubernetes/manifest/kube-apiserver.yaml

Question 9

What kind of Admission Controllers exist?

Answer 9

• Validating Admission Controller
• Mutating Admission Controller
• some can do both

Question 10

In what sequence are Admission Controllers invoked?

Answer 10

• first Mutating ACs
• then Validating ACs

Question 11

What Admission Controllers are the basis for your own?

Answer 11

• MutatingAdmissionWebhook
• ValidatingAdmissionWebhook

Question 12

How do Mutating/Validating AdmissionWebhooks work?

Answer 12

• we have our own Admission Webhook server (externally or in the cluster)
• has our own AdmissionWebhook service running
• after a request goes through all other ACs it hits the AdmissionWebhook Controllers
• then makes a call to the webhook service, using a AdmissionReview-Object, and gets a answer in form of AdmissionReview-object with ‘allowed’ value

Question 13

How does a Admission Webhook configuration look like?

Answer 13

yaml:
~~~
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: “pod-policy.example.com”
webhooks:
- name: “pod-policy.example.com”
clientConfig: (location of our client webhook server)
url: “…..” (if deployed external of cluster9
service:
namespace: “webhook-namespace”
name: “webhook-service”
caBundle: “Ci0..”
rules: (only call the service, when the following is happening)
- apiGroups: [””]
apiVersions: [“v1”]
operations: [“CREATE”]
resources: [“pods”]
scope: “Namespaced”
~~~

Question 14

With what command can you see with grep more than one line?

Answer 14

grep -A2 security
-> two lines after where first found security