Admission Controller
Definition
An Admission Controller is a Kubernetes component that intercepts requests to the Kubernetes API server prior to the persistence of the object, but after the request is authenticated and authorized. It can be used to enforce custom policies, validate resource configurations, and mutate requests to ensure compliance with organizational standards. Admission Controllers can either be validating, which reject requests that do not meet certain criteria, or mutating, which modify requests to conform to policies.
Secure Settings Example
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook
webhooks:
  - name: validate.example.com
    clientConfig:
      service:
        name: example-service
        namespace: example-namespace
        path: "/validate"
      caBundle: <base64-encoded-ca-cert>
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 10
Insecure Settings Example
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: insecure-validating-webhook
webhooks:
  - name: insecure.example.com
    clientConfig:
      service:
        name: insecure-service
        namespace: insecure-namespace
        path: "/validate"
      # Missing caBundle allows for potential MITM attacks
    rules:
      - operations: ["*"]   # Overly permissive operations
        apiGroups: ["*"]    # Overly permissive API groups
        apiVersions: ["*"]  # Overly permissive API versions
        resources: ["*"]    # Overly permissive resources
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 30  # Excessive timeout can lead to delays
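The following audit script is an added example, not part of the original page: it checks a parsed ValidatingWebhookConfiguration (for instance one item from `kubectl get validatingwebhookconfigurations -o json`) for the three weaknesses contrasted in the secure and insecure examples above. The two embedded inputs are constructed mirrors of those examples, and the 10-second threshold and the caBundle placeholder string are assumptions for this example.

```python
"""Audit ValidatingWebhookConfiguration objects for the weak settings above."""
from typing import Any

WILDCARD_FIELDS = ("operations", "apiGroups", "apiVersions", "resources")


def audit_webhook_config(cfg: dict[str, Any], max_timeout: int = 10) -> list[str]:
    """Return findings for one parsed ValidatingWebhookConfiguration.

    Flags the three weaknesses shown above: a missing caBundle, wildcard
    rule matchers, and a timeoutSeconds above max_timeout.
    """
    findings: list[str] = []
    for hook in cfg.get("webhooks", []):
        name = hook.get("name", "<unnamed>")
        client = hook.get("clientConfig", {})
        # Without a caBundle the API server has no trust anchor pinned to the
        # webhook's serving certificate.
        if not client.get("caBundle"):
            findings.append(f"{name}: clientConfig.caBundle is missing")
        for rule in hook.get("rules", []):
            for field in WILDCARD_FIELDS:
                if "*" in rule.get(field, []):
                    findings.append(f"{name}: rules.{field} contains '*'")
        timeout = hook.get("timeoutSeconds", 10)  # API server default is 10s
        if timeout > max_timeout:
            findings.append(f"{name}: timeoutSeconds={timeout} exceeds {max_timeout}")
    return findings


# Constructed test inputs mirroring the two YAML examples on this page.
SECURE = {"webhooks": [{"name": "validate.example.com",
    "clientConfig": {"service": {"name": "example-service", "namespace": "example-namespace",
                                 "path": "/validate"}, "caBundle": "PLACEHOLDER-BASE64-CA"},
    "rules": [{"operations": ["CREATE", "UPDATE"], "apiGroups": [""],
               "apiVersions": ["v1"], "resources": ["pods"]}],
    "admissionReviewVersions": ["v1"], "sideEffects": "None", "timeoutSeconds": 10}]}
INSECURE = {"webhooks": [{"name": "insecure.example.com",
    "clientConfig": {"service": {"name": "insecure-service", "namespace": "insecure-namespace",
                                 "path": "/validate"}},
    "rules": [{"operations": ["*"], "apiGroups": ["*"], "apiVersions": ["*"], "resources": ["*"]}],
    "admissionReviewVersions": ["v1"], "sideEffects": "None", "timeoutSeconds": 30}]}

if __name__ == "__main__":
    for label, cfg in (("secure", SECURE), ("insecure", INSECURE)):
        print(label, audit_webhook_config(cfg) or ["no findings"])
```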