Admission controllers
Admission controllers intercept requests to the API Server after authentication and authorisation but before persistence to Configuration.
Execution
They're executed in two phases:
- Mutating.
- Validating.
Types
They may be either:
- MutatingAdmissionConfigurations, which may modify or reject the request;
- ValidatingAdmissionConfigurations, which may only reject the request; or
- both MutatingAdmissionConfigurations and ValidatingAdmissionConfigurations, meaning that they run twice.
Built-in
The list of built-in admission plugins can be found with kube-apiserver --help | grep enable-admission-plugins
.
The --enable-admission-plugins
API Server switch may be used to enable built-in admission control plugins, and --disable-admission-plugins
disabled the specified plugins even if they'd be enabled by default.
Dynamic
Dynamic admission controllers are implemented using HTTP webhooks. They receive Kubernetes AdmissionReviews
Children
Backlinks