July 31, 2023 ・ Kubernetes
The Importance of Configuring Your Admission Controller Early in Kubernetes
In a Kubernetes (k8s) environment, the admission controller plays a crucial role in filtering input to the cluster. To ensure optimal performance and security, it is vital to configure your admission controller before you start using the cluster. Failing to do so can lead to problems that could have been prevented by the admission controller. In this essay, we will discuss the basics of an admission controller, its benefits, potential challenges, and the importance of early configuration.
Understanding Admission Controllers
An admission controller is essentially a set of callback hooks for the Kubernetes API, specifically targeting object creation or mutation. It allows you to intercept requests to the Kubernetes API server before the persistence of the object, giving you the opportunity to validate, modify, or even reject the request.
Kubernetes comes with a basic admission controller out of the box, which can enforce resource limits presence, among other things. However, there are some specific behaviors to be aware of. For instance, when a check fails, the kubectl apply command will return a 0 exit code, but the pods will not be created. This can be problematic if your CI/CD pipeline does not verify the deployment outcome.
You may use one of many open-sourced controllers from Github, e.g. https://github.com/douglasmakey/admissioncontroller, as a starting point to write your own controller.
Benefits of Admission Controllers
Saves manual review: By automating the validation and modification of objects, admission controllers can save time and effort that would otherwise be spent on manual review.
Fixes potential problems: Admission controllers can identify and prevent issues before they escalate, ensuring that your cluster remains secure and efficient.
Challenges with Admission Controllers
Configuration: To take full advantage of an admission controller, you need to configure it properly, which can be a complex task, especially for those new to Kubernetes.
Writing custom controllers: Creating a custom admission controller requires writing Go code to perform the validation. This task typically demands the skills of a middle-grade Go programmer, which might not be readily available in all organizations.
Documentation discrepancies: As of now, Kubernetes APIs are at version 1, but most documentation still refers to version 1beta. This discrepancy complicates the configuration process. While documentation updates are expected over time, finding accurate information can be challenging at the moment.
Configuring your admission controller early in the Kubernetes cluster setup process is essential to ensure optimal performance, security, and efficiency. While there are challenges associated with configuring and writing custom admission controllers, the benefits far outweigh the drawbacks. By investing time and resources in setting up your admission controller correctly from the start, you can save yourself from potential problems down the line and maintain a secure and efficient Kubernetes environment.