Admission Policies
Definition
Admission policies are security controls in container orchestration platforms such as Kubernetes that enforce rules on requests reaching the cluster's API server. After a request has been authenticated and authorized, admission controllers decide whether the requested creation or modification of a resource is allowed, based on predefined criteria such as resource limits, security contexts, or compliance with organizational standards. By implementing admission policies, organizations ensure that only compliant and secure configurations can be deployed into their environments.
Secure Settings Example
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-security-policy
webhooks:
  - name: validate-pod-security.example.com
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        resources: ["pods"]
    clientConfig:
      service:
        name: pod-security-webhook
        namespace: kube-system
        path: "/validate"
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 5
Insecure Settings Example
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: insecure-policy
webhooks:
  - name: allow-all.example.com
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        resources: ["*"]
    clientConfig:
      service:
        name: allow-all-webhook
        namespace: default
        path: "/allow"
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 30
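The two configurations above only register a webhook; the actual decision is made by the service behind clientConfig.service. The following is an added example, not code from the original page or from any named project, of what the pod-security-webhook service at "/validate" might implement: it parses the AdmissionReview the API server POSTs, checks the Pod's security context and resource limits (the criteria named in the definition), fails closed on malformed input, and returns an AdmissionReview response that echoes the request uid. For contrast it also shows allow_all, which is all the "/allow" endpoint of the insecure configuration amounts to: combined with wildcard rules it admits every request and therefore enforces nothing. The sample reviews, uids, image names and the policy checks themselves are constructed assumptions for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_review(uid: str, pod_spec: dict) -> dict:
    """Build a constructed AdmissionReview request for a Pod CREATE.

    This mirrors the shape the API server POSTs to the webhook; it is a
    test fixture, not a captured message."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"apiVersion": "v1", "kind": "Pod", "spec": pod_spec}}}


# Constructed samples: one compliant pod, one that breaks several rules.
SAMPLE_COMPLIANT = make_review("11111111-2222-3333-4444-555555555555", {
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": False},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]})
SAMPLE_PRIVILEGED = make_review("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", {
    "hostPID": True,
    "containers": [{"name": "debug", "image": "example/debug:latest",
                    "securityContext": {"privileged": True}}]})


def pod_violations(pod: dict) -> list:
    """Return human-readable policy violations for a Pod object (empty list = compliant)."""
    spec = pod.get("spec") or {}
    found = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            found.append(f"spec.{flag} must not be true")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    if not containers:
        found.append("pod declares no containers")
    for c in containers:
        name = c.get("name", "<unnamed>")
        if (c.get("securityContext") or {}).get("privileged"):
            found.append(f"container {name}: privileged containers are not allowed")
        limits = (c.get("resources") or {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if res not in limits:
                found.append(f"container {name}: resources.limits.{res} is required")
    return found


def _review_response(uid: str, allowed: bool, message: str = "") -> dict:
    """Wrap a decision in the AdmissionReview response envelope the API server expects."""
    response = {"uid": uid, "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def validate(review: dict) -> dict:
    """Secure handler: deny on any violation and fail closed on malformed input."""
    request = review.get("request")
    if not isinstance(request, dict) or "uid" not in request:
        return _review_response("", False, "malformed AdmissionReview: missing request.uid")
    uid = request["uid"]
    # The registration restricts rules to pods; anything else means misconfiguration,
    # so refuse rather than guess.
    if (request.get("kind") or {}).get("kind") != "Pod":
        return _review_response(uid, False, "this webhook only evaluates Pods")
    violations = pod_violations(request.get("object") or {})
    if violations:
        return _review_response(uid, False, "; ".join(violations))
    return _review_response(uid, True)


def allow_all(review: dict) -> dict:
    """What the insecure "/allow" endpoint amounts to: every request is admitted."""
    uid = (review.get("request") or {}).get("uid", "")
    return _review_response(uid, True)


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end for validate(); only the "/validate" path is served."""

    def do_POST(self):
        if self.path != "/validate":
            self.send_error(404)
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            review = json.loads(body)
        except json.JSONDecodeError:
            review = {}  # validate() fails closed on this
        payload = json.dumps(validate(review)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_PRIVILEGED)["response"], indent=2))
    HTTPServer(("0.0.0.0", 8443), WebhookHandler).serve_forever()
```

Two deployment details follow from the configuration rather than the handler: the API server only calls webhooks over HTTPS, so a real service terminates TLS with a certificate the cluster trusts (via clientConfig.caBundle or cluster CA), and the secure example's timeoutSeconds of 5 is the handler's whole budget, since with the default failurePolicy of Fail a timed-out webhook rejects the request.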