What are Kubernetes admission controllers?
A Kubernetes admission controller is code designed to intercept requests heading to the Kubernetes API server prior to the persistence stage but following the request's authentication and authorization.
The primary function of admission controllers is the enforcement of custom policies on incoming requests, ensuring that only valid and compliant API requests are executed—which is crucial for maintaining a cluster's integrity and security posture.
This blog post provides a comprehensive guide that covers the types of Kubernetes admission controllers along with their operation, significance, and integration into Kubernetes clusters. Stay tuned as we explore this critical component for managing access, strengthening security, and optimizing the performance of Kubernetes clusters.
How admission controllers work
The admission control process is critical to Kubernetes' resource management and security enforcement mechanisms. As a sophisticated filter that processes incoming requests to the Kubernetes API server, admissions controllers evaluate compliance with the cluster's policies and configurations.
The admission control process
When an incoming request reaches the Kubernetes API server, it undergoes several processing stages. First, the request is authenticated and authorized, ensuring the requester has the necessary permissions. Once cleared, the request enters the admission control phase, where it encounters one or more admission controllers. These controllers enforce specific policies and rules, ranging from validating resource configurations to implementing security measures.
Admission controllers operate in two modes: validating and mutating. Validating admission controllers inspect the request object and verify its compliance with a cluster's policies, rejecting requests that fail to meet the criteria. On the other hand, mutating admission controllers can modify the request object—such as injecting sidecar containers or setting default values for unspecified fields—before it is validated and persisted in the cluster state. Additionally, some admission controllers are designed as all-in-one solutions, capable of both validating and mutating the request object.
Admission controller configurations
You can configure and use Kubernetes admission controllers in two main ways, each designed to address specific aspects of resource management, security, and administrative efficiency:
Built-in admission controllers: Kubernetes ships with a set of built-in admission controllers that can be turned on or off based on a cluster's requirements. These controllers cover various functionalities, from enforcing pod security policies to managing resource quotas and ensuring that all namespaced resources have the necessary labels.
Dynamic admission controllers: For scenarios where the built-in controllers are not sufficient, Kubernetes offers dynamic admission controllers, which are implemented through admission webhooks. These webhooks provide a mechanism for introducing custom logic into the admission control process, allowing cluster administrators to enforce custom policies tailored to their specific needs and security contexts.
Interaction with the Kubernetes API server
Seamless integration with the Kubernetes API server is at the heart of admission controllers’ effectiveness. As we’ve seen, through dynamic admission controllers paired with admission webhook mechanisms, administrators can extend the functionality of the admission control process beyond the built-in controllers.
The interaction between admission controllers and the Kubernetes API server is a testament to Kubernetes' extensible and modular design. This flexibility is crucial for adapting to the evolving security landscape and the diverse needs of different applications.
The importance of admission controllers
Admission controllers are not just a feature within Kubernetes; they are a cornerstone of cluster security and management. Because they play a crucial role in automating administrative tasks, enhancing security, and optimizing resource allocation, you can look to admission controllers for myriad benefits:
Enhanced Kubernetes security: Fortifying the security of Kubernetes clusters is one of the primary roles of admission controllers. They act as the first line of defense, scrutinizing incoming requests to ensure they comply with established security policies and standards. In other words, admission controllers facilitate a proactive approach to security that significantly reduces your attack surface and helps you maintain a strong security posture.
The prevention of unauthorized access and configurations: Admission controllers are instrumental in preventing unauthorized access and configurations that could potentially expose the cluster to security vulnerabilities. This level of control is essential for compliance with regulatory requirements and organizational security policies.
Streamlined cluster management: Beyond security, admission controllers contribute significantly to the streamlined management of Kubernetes clusters. They automate various administrative tasks, such as setting default resource requests and limits, applying labels and annotations, and enforcing naming conventions.
Kubernetes Security Best Practices [Cheat Sheet]
This 6 page cheat sheet goes beyond the basics and covers security best practices for Kubernetes pods, components, and network security.
Download Cheat Sheet
Webhooks in admission controllers
Above, we discussed how webhooks play a pivotal role in the Kubernetes admission control process, offering a dynamic and flexible mechanism for enforcing custom policies and extending the functionality of admission controllers. By integrating webhooks with admission controllers, Kubernetes clusters can achieve higher customization and security tailored to your organization's specific needs. Let’s take a closer look.
Understanding webhooks
A webhook is an HTTP-based callback function (a simple HTTP POST request triggered by a specific event). In the context of Kubernetes admission controllers, webhooks are used to communicate with external services that process admission requests. When a request is made to the Kubernetes API server, it can be forwarded to a webhook server, where custom logic is applied to the request. This allows for real-time decision-making based on the content of the request, enabling dynamic policy enforcement.
There are two types of admission webhooks:
Mutating admission webhooks are called before the validating phase, allowing them to modify or add to the request object. This capability is crucial for scenarios where default settings need to be applied or when specific adjustments to the request are necessary for compliance or policy reasons. The changes made by mutating webhooks are then passed on to the validating webhooks for further inspection.
Validating admission webhooks take over the requests after mutating admission webhooks to make sure that the request complies with the cluster's rules and policies. These webhooks can reject requests that fail to meet the specified criteria, committing only compliant and authorized changes to a cluster's state.
Simply put, webhooks are an essential component of the Kubernetes admission control ecosystem, providing the means to implement dynamic, custom policies that enhance the security, compliance, and operational efficiency of Kubernetes clusters.
Lateral movement risks in the cloud and how to prevent them – Part 2: from compromised container to cloud takeover
Read more
Best practices for using admission controllers
To leverage the full potential of admission controllers, adopt these best practices:
1. Integrate with continuous integration/continuous deployment (CI/CD) pipelines
Integrating admission controllers into CI/CD pipelines ensures that only compliant and secure applications are deployed, reducing the risk of vulnerabilities. There are two primary ways to implement this integration effectively:
Automate policy checks
Incorporate admission controller checks into your CI/CD pipeline scripts. Use tools like kubeconform to validate Kubernetes YAML files against the cluster's admission controllers.
Enforce policies
Use a validating webhook to enforce custom policies during the CI/CD process. Ensure the webhook is configured to intercept relevant API requests and validate them against your policies.
The following Jenkins pipeline includes a deployment stage that first performs a dry run of the Kubernetes deployment to check against admission policies. If the dry run fails, the pipeline stops, preventing policy violations:
pipeline {
agent any
stages {
stage('Build') {
steps {
// Build steps here
}
}
stage('Test') {
steps {
// Test steps here
}
}
stage('Deploy') {
steps {
script {
def deployStatus = sh(script: "kubectl apply -f k8s-deployment.yaml --dry-run=server", returnStatus: true)
if (deployStatus != 0) {
error("Deployment failed due to admission policy violation.")
}
sh("kubectl apply -f k8s-deployment.yaml")
}
}
}
}
}CI/CD Pipeline Security Best Practices [Cheat Sheet]
In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response
Download Cheat Sheet
2. Ensure high availability and performance
The optimal performance and high availability of admission controllers prevent them from becoming bottlenecks or points of failure in your Kubernetes environment. Here’s how to make the most of your implementation:
Implement redundancy
Deploy multiple instances of your webhook servers behind a load balancer to ensure redundancy and high availability.
Monitor performance
Utilize monitoring tools like Prometheus and Grafana to track the performance of your admission controllers and webhook servers.
The following configuration sets up a mutating webhook that points to a service capable of load-balancing requests across multiple webhook server instances. This setup enhances high availability by ensuring that the load is balanced across multiple servers:
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: example-mutating-webhook
webhooks:
- name: example.webhook.com
clientConfig:
service:
name: webhook-service
namespace: webhook-namespace
path: "/mutate"
caBundle: <CA_BUNDLE>
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
sideEffects: None
admissionReviewVersions: ["v1", "v1beta1"]3. Regularly update and audit
Updating admission controllers and webhook servers protects you against known vulnerabilities and gives you access to the latest features. Here are the two critical steps to take:
Update regularly
Schedule regular updates for your admission controllers and webhook servers. Use Kubernetes rolling updates for minimal disruption.
Check audit logs
Review and audit your admission controller configurations and webhook policies regularly to make sure they align with current security standards and organizational policies.
The following CronJob is scheduled to run daily, analyzing Kubernetes audit logs to identify potential security issues or policy violations:
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: audit-log-analysis
spec:
schedule: "0 2 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: log-analyzer
image: log-analyzer:latest
env:
- name: LOG_PATH
value: "/var/log/kubernetes/audit.log"
volumeMounts:
- name: log-volume
mountPath: "/var/log/kubernetes"
restartPolicy: OnFailure
volumes:
- name: log-volume
hostPath:
path: "/var/log/kubernetes"4. Use monitoring and logging
Effective monitoring and logging are essential for tracking the activity of admission controllers, identifying issues, and maintaining compliance.
Implement logging for admission stages
Be sure your webhook servers log all admission decisions, including the rationale for rejections. Use a centralized logging solution like the ELK Stack (Elasticsearch, Logstash, Kibana, and Beats) or Grafana Loki to aggregate and analyze logs.
Set up monitoring and alerts
Use monitoring tools to create dashboards that track the performance and activity of your admission controllers and configure alerts for anomalies or operational issues.
The following Fluentd configuration snippet sets up log collection for a webhook server, forwarding the logs to an Elasticsearch cluster for centralized logging and analysis:
<source>
@type tail
path /var/log/webhook-server.log
pos_file /var/log/webhook-server.log.pos
tag webhook.logs
<parse>
@type json
</parse>
</source>
<match webhook.logs>
@type elasticsearch
host elasticsearch.logging
port 9200
logstash_format true
logstash_prefix webhook-logs
flush_interval 10s
</match>By following these best practices, you can leverage Kubernetes admission controllers effectively to enhance your clusters' security, compliance, and operational efficiency.
Shift left with Wiz guardrails
Wiz recently announced enhancements to the Kubernetes admission controller, introducing capabilities that significantly bolster Kubernetes security. These updates empower organizations to implement a shift-left strategy more effectively, ensuring security policies are enforced at the deployment stage. The new features include
Fine-grained Kubernetes admission control policies: Wiz allows for more targeted and precise control over Kubernetes admission policies. This means organizations can define specific security policies that block deployments that do not comply with their standards, such as preventing the use of highly privileged containers or restricting access to sensitive volumes.
A centralized view of Kubernetes admission review rates: With Wiz, teams gain insights into the admission review process, understanding which changes were attempted and why they failed. Our centralized dashboard helps identify compliance and security gaps in your deployments at a glance.
Enhanced event monitoring and custom policy creation: Wiz's admission controller now generates detailed event logs for every create, update, delete, and connect operation within a cluster. This feature enables the detection of abnormal behavior, such as attempts to delete critical resources, or just executing kubectl exec commands. Additionally, organizations can set up custom alerts based on the severity of these events, ensuring immediate response to critical issues.
The advancements in Wiz's admission controller capabilities mark a significant step forward in Kubernetes security, offering organizations the tools needed to enforce consistent security policies from development through to deployment. By integrating these controls into the CI/CD pipeline, developers and security teams can work together more effectively, reducing the risk of security breaches and compliance violations.
Interested in leveraging our new capabilities to enhance your Kubernetes security posture? Schedule a demo with Wiz today!
Empower your developers, from code to production
Learn why the fastest growing companies trust Wiz to secure Kubernetes from build-time to runtime.
