Admission controllers serve as gatekeepers to Kubernetes (K8s) environments, enhancing security by scanning requests sent to the API server. By enforcing critical compliance and shielding against potential threats, these controllers act as guardians for your Kubernetes cluster — a necessity as new threats to containerized applications evolve.
In this article, we’ll take a deep dive into the world of Kubernetes admission controllers by discussing their importance, internal mechanisms, image scanning capabilities, and significance in the security posture of Kubernetes clusters.
What is a Kubernetes admission controller?
Kubernetes admission controllers monitor and regulate requests aimed at the Kubernetes API server. As shown below, after authentication and authorization have been completed — but before an object is stored persistently — these plugins act as intermediaries and intercept requests:
Figure 1: Admission controllers (Source: Kubernetes Blog)
Admission controllers can either admit, reject, or modify requests based on certain predefined conditions or policies. There are two main types of admission controllers:
- Validating admission controllers: Responsible for validating the objects in requests, these admission controllers examine each request and verify whether it complies with the specific requirements and rules defined in the controller.
- Mutating admission controllers: Capable of modifying objects in a request and changing their configurations before storing them, mutating admission controllers enable automatic management and allow you to inject system parameters according to predefined rules and policies.
Key capabilities of admission controllers
Admission controllers are integral to the Kubernetes architecture, operating quietly in the background and protecting systems by enforcing your organization’s rules and policies. When managing large-scale Kubernetes environments, ensuring security and enforcing compliance can become complex. Luckily, K8s admission controllers can help in the following ways:
1. Enhancing security in Kubernetes clusters
Controllers can enforce policies that limit the operations performed in a cluster, thereby reducing potential attack vectors. For instance, they can prevent users from running privileged containers or using host networking and file systems, which are common vectors for attacks.
2. Enforcing compliance
Admission controllers are an essential means of enforcing organization-wide policies: They can enforce naming conventions, resource limits, and network policies. They can also prevent the deployment of pods that do not conform to these rules, ensuring consistency and adherence to best practices.
3. Ensuring resource management and allocation optimization
Resource management is a crucial part of managing a Kubernetes cluster. Admission controllers can enforce quotas and limits on CPU, memory, and storage, avoiding a scenario where individual containers utilize more cluster resources than they are allotted. This helps maintain the stability and reliability of the system and fosters efficient resource utilization, which also leads to cost optimization.
4. Preventing potential Kubernetes container escape exploits
A container escape exploit is a significant security concern in Kubernetes clusters that occurs when an attacker breaks out of a container and gains unauthorized access to the host system. Admission controllers can help prevent these exploits by enforcing strict security contexts and limiting container privileges.
Learn More
Learn best practices to keep your Kubernetes environment safe from adversaries. Kubernetes Security Best Practices
The mechanics of admission controllers
Understanding the inner workings of admission controllers is crucial to leveraging their full potential. Let’s break down the ways admission controllers interact with other Kubernetes components:
Requests and responses
Admission controllers review incoming requests to the API server, inspecting the object that the request is attempting to store in the system. Depending on whether the controller is a validating or mutating controller, it will either validate the request against a set of rules (validating) or modify the object in the request (mutating). The controller then admits or denies the request, returning a response to the user. If the request is denied, the user receives a message explaining why the request was rejected.
Chain of multiple admission controllers
Admission controllers form a chain and are called in order. The order is critical here, especially when mutating and validating controllers are configured in the same cluster. In general, mutating controllers are called before validating ones. This way, a request can be modified to meet the criteria before validation. In the event that a controller in this sequence denies the request, the full operation is halted, and an error is sent to the user. This mechanism ensures that all the defined rules are checked before a request is accepted.
Built-in admission controllers
Kubernetes comes with several built-in admission controllers. For instance, the NamespaceLifecycle controller rejects all requests sent to objects within a namespace that are undergoing termination. As its name suggests, the ResourceQuota controller enforces quotas that limit resource use on a per-namespace basis, and the PodSecurityPolicy controller applies security restrictions based on the requested security context. For a more thorough understanding of built-in admission controllers, explore what is already provided out of the box and how these controllers automate Kubernetes operations.
Image scanning with admission controllers
Container images are the building blocks of any containerized application, but these images can contain vulnerabilities in the application code or in their underlying system libraries. If they are left unaddressed, these vulnerabilities could be exploited, leading to unauthorized access, data leaks, or even system takeover. That’s why scanning container images for known vulnerabilities is not just a best practice — it’s a necessity.
Image scanning tools like Clair, Anchore, and the CrowdStrike Falcon® platform can integrate with Kubernetes admission controllers to enforce image scanning policies. These tools can scan container images against vulnerability databases to identify known vulnerabilities. An admission controller can be configured to integrate with these tools and prevent the deployment of images that either have vulnerabilities or haven’t been scanned.
In other words, the admission controller rejects the deployment request if the image is unsafe and prevents the vulnerable container from running in a cluster. This provides an automated and enforced way of ensuring that all container images deployed in the cluster are secure and compliant with security policies.
Developing custom admission controllers
Though Kubernetes comes equipped with various built-in admission controllers, there might be scenarios where you must enforce rules unique to your organization, such as specific naming conventions, resource usage policies, or pod security policies. In these cases, Kubernetes allows you to build your own controller and dynamically integrate it into running clusters.
Best practices for creating an admission controller
Creating an admission controller involves writing a webhook server that responds to API server requests. Webhook servers respond specifically to admission requests coming from the Kubernetes API server. The webhook server may be tasked with validation, mutation, or both. When writing the admission controller, follow these best practices:
1. Define clear rules
Ensure that the rules enforced by the controller are clear, well documented, and shared with all the team members who interact with your Kubernetes cluster.
2. Handle errors gracefully
Your admission controller should handle errors gracefully and not block the operations of the Kubernetes API server. In addition, it should return meaningful error messages. This helps users understand why their request was denied.
3. Secure your webhook
Webhooks receive sensitive information from the API server, so they should be secured with TLS. With a secure webhook, the API server must verify the webhook’s certificate before sending any request.
4. Design for performance
Webhook calls add latency to API server requests. Design your admission controller for high performance by minimizing the time your webhook takes to handle a request.
5. Test extensively
Test the admission controller with various kinds of requests to ensure it behaves as expected. The testing process should also include checking for compatibility with the Kubernetes versions you’re using.
Monitoring and logging for admission controllers
Kubernetes monitoring and logging provide essential visibility, helping to shed light on the decisions made by your admission controllers, identify any issues, improve a cluster’s security posture, and ensure that policies are being correctly and consistently applied.
Though Kubernetes provides built-in logging of admission controller decisions through its API server, these logs can be lengthy and difficult to parse. Fortunately, log management tools can make sense of these logs by collecting, filtering, and analyzing them. For instance, tools like Fluentd or Logstash can collect logs from Kubernetes clusters and forward them to a centralized log management solution, such as Elasticsearch or a cloud-based log management service. Then Kibana — or a similar tool — can analyze and visualize the log data.
In your logs, look for AdmissionReview objects containing information about admission controller decisions. Keep an eye on the API server’s response times to understand their performance impact. It’s also a good idea to look for patterns of request rejections, which might indicate a misconfigured admission controller or a misunderstanding of the rules among your users. Watch out for sudden changes in the volume or nature of requests — these might suggest a security incident.
Learn More
Explore the complete Kubernetes Logging Guide series:
- Part 1: The Basics
- Part 2: Advanced Concepts
- Part 3: Centralizing Kubernetes Logs
- Part 4: Centralized Logging in a Kubernetes Cluster
Getting the most out of K8s admission controllers
The power of admission controllers lies not only in the security and compliance they provide out of the box but in their potential for customization and extension. We encourage every Kubernetes cluster owner to delve deeper into this topic and consider how to better leverage admission controllers in their own environments.
The CrowdStrike Kubernetes admission controller provides predefined policies and eases container management, eliminating the need for users to write raw rego rules and preventing misconfigured containers from being deployed.
Protect the container life cycle and manage Kubernetes security with CrowdStrike
CrowdStrike Falcon® Cloud Security for Containers reduces the complexities of Kubernetes security with a single easy-to-use interface and delivers the only Kubernetes admission controller able to identify and eliminate vulnerable containers and prevent them from re-deploying.
Improve your security posture and the resilience of your Kubernetes clusters with CrowdStrike Falcon® Cloud Security. A robust security platform, the CrowdStrike Falcon platform offers vulnerability and threat detection, incident response, identity protection, observability, and cloud security. Use it in conjunction with admission controllers to help secure your Kubernetes environments.
