Admission


Last updated 1 year ago

Admission Control is a key step in how kube-apiserver processes a request. After a request has been authenticated and authorized, Admission Control further validates it or fills in default parameters. Authentication and authorization look only at who is making the request and which operation it performs; Admission Control also inspects the content of the request. It applies only to operations that create, update, delete or connect (for example proxy), and has no effect on read operations.

Several Admission Control plugins can be enabled at the same time. They are called in sequence, and a request is admitted into the system only if every plugin passes it.

Kubernetes currently provides a number of Admission Control plugins, including:

  • AlwaysAdmit: accepts all requests.

  • AlwaysPullImages: always pulls the image instead of reusing a cached copy (it forces imagePullPolicy to Always), which is useful in multi-tenant scenarios.

  • DenyEscalatingExec: denies exec and attach operations on privileged containers.

  • ImagePolicyWebhook: delegates image policy decisions to a webhook; --admission-control-config-file must be configured as well. See the Kubernetes documentation for the configuration file format.

  • ServiceAccount: automatically creates the default ServiceAccount and ensures that the ServiceAccount referenced by a Pod exists.

  • and others.

Kubernetes v1.7 and later also support Initializers and GenericAdmissionWebhook, which make Admission Control much easier to extend.

Initializers

Initializers apply policies or default settings to resources. They consist of Initializer Controllers, which carry out the tasks, and the user-defined Initializer tasks themselves. When a task has been completed, it is removed from the resource's metadata.initializers list.

Initializers are enabled per resource type through initializerconfigurations. Typical uses include automatically adding a sidecar container or a storage volume to a Pod, or improving performance in combination with GenericAdmissionWebhook.
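The following is an added example (not code from this page or from Kubernetes) that models the Initializer contract just described: a new object is parked with a metadata.initializers.pending list, each controller acts only when its own name is first in that list, applies its defaults, removes its entry, and drops the initializers field once the list is empty so the object becomes visible to ordinary clients. The initializer name sidecar.example.com, the second initializer quota.example.com and the injected sidecar image are hypothetical.

```python
"""Toy Initializer controller step (added example, not Kubernetes code)."""
import copy

# Hypothetical initializer name; a real one is registered through an
# InitializerConfiguration object.
INITIALIZER_NAME = "sidecar.example.com"


def is_my_turn(obj, name=INITIALIZER_NAME):
    """True when this controller's entry is first in metadata.initializers.pending."""
    pending = obj.get("metadata", {}).get("initializers", {}).get("pending", [])
    return bool(pending) and pending[0].get("name") == name


def inject_sidecar(pod):
    """Default applied by this initializer: add a logging sidecar if absent."""
    containers = pod.setdefault("spec", {}).setdefault("containers", [])
    if not any(c.get("name") == "log-sidecar" for c in containers):
        containers.append({
            "name": "log-sidecar",
            "image": "registry.example.com/log-agent:1.0",  # constructed image ref
            "imagePullPolicy": "Always",
        })


def initialize(obj, name=INITIALIZER_NAME, mutate=inject_sidecar):
    """One controller iteration over a pending object.

    Returns the updated object the controller would write back, or None when
    it is not this initializer's turn (an earlier entry is still pending or
    the object is already fully initialized). The input is not modified.
    """
    if not is_my_turn(obj, name):
        return None
    updated = copy.deepcopy(obj)
    mutate(updated)
    pending = updated["metadata"]["initializers"]["pending"]
    pending.pop(0)
    if not pending:
        # Last initializer done: removing the field is what makes the object
        # visible to clients that do not ask for uninitialized objects.
        del updated["metadata"]["initializers"]
    return updated


# Constructed sample: a Pod parked by the apiserver with two pending initializers.
PENDING_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "demo",
        "namespace": "default",
        "initializers": {
            "pending": [{"name": INITIALIZER_NAME}, {"name": "quota.example.com"}],
        },
    },
    "spec": {"containers": [{"name": "app", "image": "registry.example.com/app:1.2.3"}]},
}


if __name__ == "__main__":
    first = initialize(PENDING_POD)
    print([c["name"] for c in first["spec"]["containers"]])
    print(first["metadata"]["initializers"])
    # The second initializer runs its own step afterwards; here it changes nothing.
    second = initialize(first, name="quota.example.com", mutate=lambda pod: None)
    print("initializers" in second["metadata"])
```

The important detail is the ordering check in is_my_turn: a controller that mutated objects whose first pending entry belongs to someone else would race with that initializer and could write back stale data.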

GenericAdmissionWebhook

GenericAdmissionWebhook is an Admission Control mechanism based on a webhook. It does not modify the request object, but it can validate the user's request.
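The following is an added example (not code from this page or from Kubernetes) showing the decision logic behind such a webhook: it receives an AdmissionReview, inspects the Pod in request.object and returns an AdmissionReview response that allows or denies it. Because the webhook described above only validates, the mutating half is shown separately as the JSON Patch a mutating webhook would return to force imagePullPolicy: Always, which is the effect of the built-in AlwaysPullImages plugin listed earlier. The policy rules, namespace, uid and image names are constructed; the HTTP/TLS transport is left out, and a real server would pass the unmarshalled request body to review() and return its result.

```python
"""Admission webhook decision logic (added example, not Kubernetes code)."""
import base64
import json


def _all_containers(pod):
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def validate_pod(pod):
    """Return a list of policy violations; an empty list means the Pod is allowed."""
    violations = []
    spec = pod.get("spec", {})
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            violations.append(f"{ns} is not allowed")
    for c in _all_containers(pod):
        name = c.get("name", "<unnamed>")
        if c.get("securityContext", {}).get("privileged"):
            violations.append(f"container {name!r} runs privileged")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # strip registry/repository path
        # A digest reference (repo@sha256:...) also contains ':' and passes.
        if ":" not in last or last.endswith(":latest"):
            violations.append(f"container {name!r} image {image!r} has no pinned tag or digest")
    return violations


def mutate_pod(pod):
    """JSON Patch (RFC 6902) that forces imagePullPolicy: Always on every container."""
    ops = []
    for i, c in enumerate(pod.get("spec", {}).get("containers", [])):
        if c.get("imagePullPolicy") != "Always":
            ops.append({"op": "add", "path": f"/spec/containers/{i}/imagePullPolicy",
                        "value": "Always"})
    return ops


def review(admission_review):
    """Handle one AdmissionReview and return the AdmissionReview to send back."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    is_pod = req.get("kind", {}).get("kind") == "Pod"
    # Admission applies to writes only; reads never reach a webhook, and this
    # policy deliberately leaves DELETE and CONNECT alone.
    if is_pod and req.get("operation") in ("CREATE", "UPDATE"):
        pod = req["object"]
        violations = validate_pod(pod)
        if violations:
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(violations)}
        else:
            patch = mutate_pod(pod)
            if patch:
                resp["patchType"] = "JSONPatch"
                resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": admission_review["apiVersion"],
            "kind": "AdmissionReview", "response": resp}


def decode_patch(response):
    """Decode the base64 JSON Patch from an AdmissionResponse (None if absent)."""
    if "patch" not in response:
        return None
    return json.loads(base64.b64decode(response["patch"]))


def sample_review(containers, operation="CREATE"):
    """Build a constructed AdmissionReview for a Pod with the given containers."""
    return {
        "apiVersion": "admission.k8s.io/v1beta1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-4000-8000-000000000001",  # constructed uid
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": operation,
            "namespace": "demo",
            "object": {"apiVersion": "v1", "kind": "Pod",
                       "metadata": {"name": "demo-pod", "namespace": "demo"},
                       "spec": {"containers": containers}},
        },
    }


BAD_POD = sample_review([
    {"name": "app", "image": "registry.example.com/app:1.2.3"},
    {"name": "debug", "image": "busybox", "securityContext": {"privileged": True}},
])
GOOD_POD = sample_review([{"name": "app", "image": "registry.example.com/app:1.2.3"}])

if __name__ == "__main__":
    print(json.dumps(review(BAD_POD)["response"], indent=2))
    print(json.dumps(review(GOOD_POD)["response"], indent=2))
```

Note that validation walks initContainers as well as containers; a policy that checks only spec.containers can be bypassed by placing the privileged container in the init list.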

PodNodeSelector

PodNodeSelector restricts the nodes on which the Pods in a Namespace may run; its effect is the opposite of a Taint.

Recommended Configurations

For Kubernetes >= 1.9.0, we recommend configuring the following plugins:

--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota

For Kubernetes >= 1.6.0, we recommend turning on the following plugins in kube-apiserver:

--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds

For Kubernetes >= 1.4.0, we recommend configuring the following plugins:

--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota

Further Reading

In summary, Admission Control validates and mutates every write request through a chain of plugins, so the set of plugins enabled in kube-apiserver is a central part of cluster security.

  • Using Admission Controllers
  • How Kubernetes Initializers work