Detect real-time malicious behavior in Kubernetes clusters

Learn why CISOs at the fastest growing companies choose Wiz to secure their Kubernetes workloads.

Kubernetes Admission Controllers: A Fast-Track Guide

The primary function of admission controllers is the enforcement of custom policies on incoming requests, ensuring that only valid and compliant API requests are executed.

10 minutes read

What are Kubernetes admission controllers?

A Kubernetes admission controller is code designed to intercept requests heading to the Kubernetes API server prior to the persistence stage but following the request's authentication and authorization.

The primary function of admission controllers is the enforcement of custom policies on incoming requests, ensuring that only valid and compliant API requests are executed—which is crucial for maintaining a cluster's integrity and security posture.

This blog post provides a comprehensive guide that covers the types of Kubernetes admission controllers along with their operation, significance, and integration into Kubernetes clusters. Stay tuned as we explore this critical component for managing access, strengthening security, and optimizing the performance of Kubernetes clusters.

How admission controllers work

The admission control process is critical to Kubernetes' resource management and security enforcement mechanisms. As a sophisticated filter that processes incoming requests to the Kubernetes API server, admissions controllers evaluate compliance with the cluster's policies and configurations.

The admission control process

When an incoming request reaches the Kubernetes API server, it undergoes several processing stages. First, the request is authenticated and authorized, ensuring the requester has the necessary permissions. Once cleared, the request enters the admission control phase, where it encounters one or more admission controllers. These controllers enforce specific policies and rules, ranging from validating resource configurations to implementing security measures.

Figure 1: Admission controller phases (Source: Kubernetes)

Admission controllers operate in two modes: validating and mutating. Validating admission controllers inspect the request object and verify its compliance with a cluster's policies, rejecting requests that fail to meet the criteria. On the other hand, mutating admission controllers can modify the request object—such as injecting sidecar containers or setting default values for unspecified fields—before it is validated and persisted in the cluster state. Additionally, some admission controllers are designed as all-in-one solutions, capable of both validating and mutating the request object.

Admission controller configurations

You can configure and use Kubernetes admission controllers in two main ways, each designed to address specific aspects of resource management, security, and administrative efficiency:

  • Built-in admission controllers: Kubernetes ships with a set of built-in admission controllers that can be turned on or off based on a cluster's requirements. These controllers cover various functionalities, from enforcing pod security policies to managing resource quotas and ensuring that all namespaced resources have the necessary labels.

  • Dynamic admission controllers: For scenarios where the built-in controllers are not sufficient, Kubernetes offers dynamic admission controllers, which are implemented through admission webhooks. These webhooks provide a mechanism for introducing custom logic into the admission control process, allowing cluster administrators to enforce custom policies tailored to their specific needs and security contexts.

Interaction with the Kubernetes API server

Seamless integration with the Kubernetes API server is at the heart of admission controllers’ effectiveness. As we’ve seen, through dynamic admission controllers paired with admission webhook mechanisms, administrators can extend the functionality of the admission control process beyond the built-in controllers.

The interaction between admission controllers and the Kubernetes API server is a testament to Kubernetes' extensible and modular design. This flexibility is crucial for adapting to the evolving security landscape and the diverse needs of different applications.

The importance of admission controllers

Admission controllers are not just a feature within Kubernetes; they are a cornerstone of cluster security and management. Because they play a crucial role in automating administrative tasks, enhancing security, and optimizing resource allocation, you can look to admission controllers for myriad benefits:

  • Enhanced Kubernetes security: Fortifying the security of Kubernetes clusters is one of the primary roles of admission controllers. They act as the first line of defense, scrutinizing incoming requests to ensure they comply with established security policies and standards. In other words, admission controllers facilitate a proactive approach to security that significantly reduces your attack surface and helps you maintain a strong security posture.

  • The prevention of unauthorized access and configurations: Admission controllers are instrumental in preventing unauthorized access and configurations that could potentially expose the cluster to security vulnerabilities. This level of control is essential for compliance with regulatory requirements and organizational security policies.

  • Streamlined cluster management: Beyond security, admission controllers contribute significantly to the streamlined management of Kubernetes clusters. They automate various administrative tasks, such as setting default resource requests and limits, applying labels and annotations, and enforcing naming conventions.

Webhooks in admission controllers

Above, we discussed how webhooks play a pivotal role in the Kubernetes admission control process, offering a dynamic and flexible mechanism for enforcing custom policies and extending the functionality of admission controllers. By integrating webhooks with admission controllers, Kubernetes clusters can achieve higher customization and security tailored to your organization's specific needs. Let’s take a closer look.

Understanding webhooks

A webhook is an HTTP-based callback function (a simple HTTP POST request triggered by a specific event). In the context of Kubernetes admission controllers, webhooks are used to communicate with external services that process admission requests. When a request is made to the Kubernetes API server, it can be forwarded to a webhook server, where custom logic is applied to the request. This allows for real-time decision-making based on the content of the request, enabling dynamic policy enforcement.

There are two types of admission webhooks: 

  • Mutating admission webhooks are called before the validating phase, allowing them to modify or add to the request object. This capability is crucial for scenarios where default settings need to be applied or when specific adjustments to the request are necessary for compliance or policy reasons. The changes made by mutating webhooks are then passed on to the validating webhooks for further inspection.

  • Validating admission webhooks take over the requests after mutating admission webhooks to make sure that the request complies with the cluster's rules and policies. These webhooks can reject requests that fail to meet the specified criteria, committing only compliant and authorized changes to a cluster's state.

Simply put, webhooks are an essential component of the Kubernetes admission control ecosystem, providing the means to implement dynamic, custom policies that enhance the security, compliance, and operational efficiency of Kubernetes clusters. 

Best practices for using admission controllers

To leverage the full potential of admission controllers, adopt these best practices:

1. Integrate with continuous integration/continuous deployment (CI/CD) pipelines

Integrating admission controllers into CI/CD pipelines ensures that only compliant and secure applications are deployed, reducing the risk of vulnerabilities. There are two primary ways to implement this integration effectively:

Automate policy checks

Incorporate admission controller checks into your CI/CD pipeline scripts. Use tools like kubeconform to validate Kubernetes YAML files against the cluster's admission controllers.

Enforce policies

Use a validating webhook to enforce custom policies during the CI/CD process. Ensure the webhook is configured to intercept relevant API requests and validate them against your policies.

The following Jenkins pipeline includes a deployment stage that first performs a dry run of the Kubernetes deployment to check against admission policies. If the dry run fails, the pipeline stops, preventing policy violations:

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Build steps here
            }
        }
        stage('Test') {
            steps {
                // Test steps here
            }
        }
        stage('Deploy') {
            steps {
                script {
                    def deployStatus = sh(script: "kubectl apply -f k8s-deployment.yaml --dry-run=server", returnStatus: true)
                    if (deployStatus != 0) {
                        error("Deployment failed due to admission policy violation.")
                    }
                    sh("kubectl apply -f k8s-deployment.yaml")
                }
            }
        }
    }
}

2. Ensure high availability and performance

The optimal performance and high availability of admission controllers prevent them from becoming bottlenecks or points of failure in your Kubernetes environment. Here’s how to make the most of your implementation:

Implement redundancy

Deploy multiple instances of your webhook servers behind a load balancer to ensure redundancy and high availability.

Monitor performance

Utilize monitoring tools like Prometheus and Grafana to track the performance of your admission controllers and webhook servers.

The following configuration sets up a mutating webhook that points to a service capable of load-balancing requests across multiple webhook server instances. This setup enhances high availability by ensuring that the load is balanced across multiple servers:

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: example-mutating-webhook
webhooks:
  - name: example.webhook.com
    clientConfig:
      service:
        name: webhook-service
        namespace: webhook-namespace
        path: "/mutate"
      caBundle: <CA_BUNDLE>
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions: ["v1", "v1beta1"]

3. Regularly update and audit

Updating admission controllers and webhook servers protects you against known vulnerabilities and gives you access to the latest features. Here are the two critical steps to take:

Update regularly

Schedule regular updates for your admission controllers and webhook servers. Use Kubernetes rolling updates for minimal disruption.

Check audit logs

Review and audit your admission controller configurations and webhook policies regularly to make sure they align with current security standards and organizational policies.

The following CronJob is scheduled to run daily, analyzing Kubernetes audit logs to identify potential security issues or policy violations:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: audit-log-analysis
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: log-analyzer
            image: log-analyzer:latest
            env:
            - name: LOG_PATH
              value: "/var/log/kubernetes/audit.log"
            volumeMounts:
            - name: log-volume
              mountPath: "/var/log/kubernetes"
          restartPolicy: OnFailure
          volumes:
          - name: log-volume
            hostPath:
              path: "/var/log/kubernetes"

4. Use monitoring and logging

Effective monitoring and logging are essential for tracking the activity of admission controllers, identifying issues, and maintaining compliance.

Implement logging for admission stages

Be sure your webhook servers log all admission decisions, including the rationale for rejections. Use a centralized logging solution like the ELK Stack (Elasticsearch, Logstash, Kibana, and Beats) or Grafana Loki to aggregate and analyze logs. 

Set up monitoring and alerts

Use monitoring tools to create dashboards that track the performance and activity of your admission controllers and configure alerts for anomalies or operational issues.

The following Fluentd configuration snippet sets up log collection for a webhook server, forwarding the logs to an Elasticsearch cluster for centralized logging and analysis:

<source>
  @type tail
  path /var/log/webhook-server.log
  pos_file /var/log/webhook-server.log.pos
  tag webhook.logs
  <parse>
    @type json
  </parse>
</source>

<match webhook.logs>
  @type elasticsearch
  host elasticsearch.logging
  port 9200
  logstash_format true
  logstash_prefix webhook-logs
  flush_interval 10s
</match>

By following these best practices, you can leverage Kubernetes admission controllers effectively to enhance your clusters' security, compliance, and operational efficiency.

Shift left with Wiz guardrails

Wiz recently announced enhancements to the Kubernetes admission controller, introducing capabilities that significantly bolster Kubernetes security. These updates empower organizations to implement a shift-left strategy more effectively, ensuring security policies are enforced at the deployment stage. The new features include

  • Fine-grained Kubernetes admission control policies: Wiz allows for more targeted and precise control over Kubernetes admission policies. This means organizations can define specific security policies that block deployments that do not comply with their standards, such as preventing the use of highly privileged containers or restricting access to sensitive volumes.

  • A centralized view of Kubernetes admission review rates: With Wiz, teams gain insights into the admission review process, understanding which changes were attempted and why they failed. Our centralized dashboard helps identify compliance and security gaps in your deployments at a glance.

  • Enhanced event monitoring and custom policy creation: Wiz's admission controller now generates detailed event logs for every create, update, delete, and connect operation within a cluster. This feature enables the detection of abnormal behavior, such as attempts to delete critical resources, or just executing kubectl exec commands. Additionally, organizations can set up custom alerts based on the severity of these events, ensuring immediate response to critical issues.

The advancements in Wiz's admission controller capabilities mark a significant step forward in Kubernetes security, offering organizations the tools needed to enforce consistent security policies from development through to deployment. By integrating these controls into the CI/CD pipeline, developers and security teams can work together more effectively, reducing the risk of security breaches and compliance violations.

Interested in leveraging our new capabilities to enhance your Kubernetes security posture? Schedule a demo with Wiz today!

Empower your developers, from code to production

Learn why the fastest growing companies trust Wiz to secure Kubernetes from build-time to runtime.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.