Day 51 - Kubernetes Admission Controller Explained With Demo

About this video

### Summary of the Text

1. **Introduction and Context**
   - The video is part of the "CKA 2025 series" and focuses on **admission control in Kubernetes**.
   - The presenter, Push, explains the concept, how it works, and demonstrates the default admission controllers.
2. **What is Admission Control?**
   - Admission control is a piece of code in Kubernetes that intercepts API requests **after authentication and authorization**.
   - It ensures that requests are valid and meet cluster policies before the object state is changed in the **etcd** datastore.
3. **Types of Admission Controllers**
   - **Mutating Admission Webhook**: Modifies or mutates objects (e.g., changing configurations).
   - **Validating Admission Webhook**: Validates requests to ensure they meet defined policies (e.g., rejecting invalid namespaces).
   - **Validating Admission Policies**: Special policies that validate requests based on predefined rules.
4. **How Admission Control Works**
   - A user makes an API call (e.g., creating a pod).
   - The API server performs **authentication** and **authorization**.
   - If successful, **admission controllers** are invoked:
     - First, **mutating webhooks** modify the object if needed.
     - Then, **validating webhooks** check whether the request is valid.
   - If the request passes both phases, the object's state is updated in **etcd**; otherwise, an error is returned.
5. **Why Use Admission Controllers?**
   - To enforce strict policies on what actions are allowed or denied in the cluster.
   - Example: Limiting resource creation based on user permissions.
6. **Webhook Configuration**
   - Webhooks can be configured using:
     - **URL**: Endpoint of the webhook.
     - **Service Reference**: Exposing the webhook via a Kubernetes service.
   - If the webhook service is unavailable, the request fails with errors like "connection refused."
7. **Flow of Admission Webhooks**
   - **Phase 1 (Mutating Admission)**: Mutating webhooks review and modify the request.
   - **Phase 2 (Validating Admission)**: Validating admission policies and webhooks validate the request.
   - If any phase fails, the entire request is rejected.
8. **Default Admission Plugins**
   - Some plugins, like **NodeRestriction**, are enabled by default.
   - These can be viewed in the **kube-apiserver** manifest file under `/etc/kubernetes/manifests`.
9. **Demo Overview**
   - Demonstrates enabling a custom admission controller:
     - **NamespaceLifecycle**: Automatically creates a namespace if it doesn't exist when creating a pod.
   - Steps:
     - Modify the `kube-apiserver` manifest to include the new plugin.
     - Restart the API server to apply the changes.
     - Test by attempting to create a pod in a non-existent namespace.
10. **Practical Example**
    - Attempting to create a pod in a non-existent namespace results in an error (`namespace not found`).
    - Enabling **NamespaceLifecycle** ensures the namespace is created automatically if missing.
11. **Conclusion**
    - Admission controllers are essential for enforcing policies and ensuring the integrity of Kubernetes clusters.
    - The demo shows how to enable and test admission controllers to automate tasks like namespace provisioning.
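The mutate-then-validate order described in items 4 and 7 is easiest to see on the messages themselves. The API server POSTs an `AdmissionReview` to each webhook and expects an `AdmissionReview` back whose `response` carries `allowed`, an optional `status.message`, and (for mutating webhooks) a base64-encoded JSON Patch. The following Python is an added example, not code from the video or the course; it models both phases as pure functions so the chain can be run offline. The sample review, the `owner`-label rule and the allowed-namespace list are assumptions chosen for illustration, and the patch applier handles only `add` operations, which is all this demo emits.

```python
"""Added example (not from the video): the two admission phases as pure functions.

Each takes and returns an AdmissionReview-shaped dict, in the shape the API server
POSTs to a webhook and expects back. The sample review is constructed for this demo;
the owner-label and namespace policies are assumptions, not anything from the course.
"""
import base64
import copy
import json

# Constructed AdmissionReview request: user "alice" creating a pod with no labels.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",  # constructed UID
        "operation": "CREATE",
        "namespace": "dev",
        "userInfo": {"username": "alice"},
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "web", "namespace": "dev"},
            "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]},
        },
    },
}

ALLOWED_NAMESPACES = {"dev", "prod"}  # assumed policy for the validating phase


def _response(uid, allowed, message=None, patch_ops=None):
    """Build the AdmissionReview response envelope; uid must echo the request uid."""
    resp = {"uid": uid, "allowed": allowed}
    if message:
        resp["status"] = {"message": message}
    if patch_ops:
        # Mutating webhooks return a JSON Patch, base64-encoded, with patchType set.
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch_ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def mutate(review):
    """Phase 1: stamp the requesting user into an 'owner' label (assumed policy)."""
    req = review["request"]
    labels = req["object"].get("metadata", {}).get("labels")
    ops = []
    if labels is None:
        ops.append({"op": "add", "path": "/metadata/labels", "value": {}})
    if not labels or "owner" not in labels:
        ops.append({"op": "add", "path": "/metadata/labels/owner",
                    "value": req["userInfo"]["username"]})
    return _response(req["uid"], True, patch_ops=ops or None)


def apply_patch(obj, response):
    """Apply the patch from a mutating response (add ops only, enough for this demo)."""
    patched = copy.deepcopy(obj)
    if "patch" not in response["response"]:
        return patched
    for op in json.loads(base64.b64decode(response["response"]["patch"])):
        assert op["op"] == "add", "demo applier supports only 'add'"
        parts = op["path"].strip("/").split("/")
        node = patched
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = op["value"]
    return patched


def validate(review):
    """Phase 2: reject pods outside the allowed namespaces or without an owner label."""
    req = review["request"]
    if req["namespace"] not in ALLOWED_NAMESPACES:
        return _response(req["uid"], False, f"namespace {req['namespace']!r} is not permitted")
    if "owner" not in req["object"].get("metadata", {}).get("labels", {}):
        return _response(req["uid"], False, "pod must carry an 'owner' label")
    return _response(req["uid"], True)


def admit(review):
    """Full chain as the API server runs it: mutate, apply the patch, validate the result."""
    mutating_resp = mutate(review)
    mutated = copy.deepcopy(review)
    mutated["request"]["object"] = apply_patch(review["request"]["object"], mutating_resp)
    return validate(mutated)


if __name__ == "__main__":
    print(json.dumps(admit(SAMPLE_REVIEW)["response"], indent=2))
```

Running `validate` directly on the sample request rejects it (no label yet), while `admit` accepts it because validation sees the object after the mutating patch; that ordering is the reason the mutating phase always runs first. The "connection refused" outcome from item 6 is the webhook configuration's `failurePolicy: Fail` behaviour: when the API server cannot reach the webhook, the request is denied rather than silently allowed.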


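Items 8 to 10 turn on a plugin by editing the `--enable-admission-plugins` argument in the kube-apiserver static pod manifest. The Python below is an added example, not the video's own commands: it reads the plugin list out of a manifest and appends a plugin idempotently, so the edit can be checked before it touches a control plane node. The manifest text is constructed for this demo (documentation-range IP, placeholder image tag); the real file lives at `/etc/kubernetes/manifests/kube-apiserver.yaml` on a kubeadm node. One caveat on naming: in upstream Kubernetes the plugin that creates a missing namespace on demand is `NamespaceAutoProvision`, whereas `NamespaceLifecycle` is the one that rejects requests into namespaces that do not exist or are being deleted, so the example enables `NamespaceAutoProvision` for the auto-create step.

```python
"""Added example (not from the video): inspect and edit the admission plugin list in a
kube-apiserver static pod manifest without a YAML library. SAMPLE_MANIFEST is constructed
for this demo; on a kubeadm node the real file is /etc/kubernetes/manifests/kube-apiserver.yaml
and the kubelet restarts the static pod whenever that file changes.
"""
FLAG = "- --enable-admission-plugins="

# Constructed manifest fragment; values are placeholders, not from a real cluster.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.0.2.10
    - --enable-admission-plugins=NodeRestriction
    - --etcd-servers=https://127.0.0.1:2379
    image: registry.k8s.io/kube-apiserver:vX.Y.Z
    name: kube-apiserver
"""


def enabled_plugins(manifest):
    """Return the plugin names on the --enable-admission-plugins line (empty if absent)."""
    for line in manifest.splitlines():
        stripped = line.strip()
        if stripped.startswith(FLAG):
            return [p for p in stripped[len(FLAG):].split(",") if p]
    return []


def enable_plugin(manifest, plugin):
    """Return the manifest with PLUGIN appended to the flag; unchanged if already enabled.

    Only the flag line is rewritten, so indentation and every other argument survive.
    """
    if plugin in enabled_plugins(manifest):
        return manifest
    out, found = [], False
    for line in manifest.splitlines(keepends=True):
        stripped = line.strip()
        if not found and stripped.startswith(FLAG):
            found = True
            body = line.rstrip("\n")
            sep = "" if stripped == FLAG else ","  # flag present but empty list
            line = body + sep + plugin + "\n"
        out.append(line)
    if not found:
        raise ValueError("manifest has no --enable-admission-plugins argument")
    return "".join(out)


if __name__ == "__main__":
    updated = enable_plugin(SAMPLE_MANIFEST, "NamespaceAutoProvision")
    print("before:", enabled_plugins(SAMPLE_MANIFEST))
    print("after: ", enabled_plugins(updated))
```

To apply this on a node, write the returned text back to the manifest path and watch the `kube-apiserver-<node-name>` pod in `kube-system` come back; no manual restart is needed because the kubelet reloads static pod manifests itself. `kube-apiserver -h | grep enable-admission-plugins` shows the plugins the binary enables by default, which is the list item 8 refers to.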
Course: Certified Kubernetes Administrator Full Course For beginners | CKA 2025

This playlist contains the complete CKA series for beginners, based on the latest 2025 curriculum. It includes 40+ videos with hands-on demos, assignments, and exam-based scenarios. We cover everything from the basics to advanced topics, including fundamental concepts such as Docker, containers, Docker storage and networking, DNS, etc.
