**Please note:** this document applies to the HEAD of the source tree. If you are using a released version of Kubernetes, you should refer to the docs that go with that version. The latest 1.0.x release of this document can be found [here](http://releases.k8s.io/release-1.0/docs/admin/admission-controllers.md); documentation for other releases can be found at [releases.k8s.io](http://releases.k8s.io).

# Admission Controllers

**Table of Contents**

- [Admission Controllers](#admission-controllers)
  - [What are they?](#what-are-they)
  - [Why do I need them?](#why-do-i-need-them)
  - [How do I turn on an admission control plug-in?](#how-do-i-turn-on-an-admission-control-plug-in)
  - [What does each plug-in do?](#what-does-each-plug-in-do)
    - [AlwaysAdmit](#alwaysadmit)
    - [AlwaysDeny](#alwaysdeny)
    - [DenyExecOnPrivileged (deprecated)](#denyexeconprivileged-deprecated)
    - [DenyEscalatingExec](#denyescalatingexec)
    - [ServiceAccount](#serviceaccount)
    - [SecurityContextDeny](#securitycontextdeny)
    - [ResourceQuota](#resourcequota)
    - [LimitRanger](#limitranger)
    - [NamespaceExists (deprecated)](#namespaceexists-deprecated)
    - [NamespaceAutoProvision (deprecated)](#namespaceautoprovision-deprecated)
    - [NamespaceLifecycle](#namespacelifecycle)
  - [Is there a recommended set of plug-ins to use?](#is-there-a-recommended-set-of-plug-ins-to-use)

## What are they?

An admission control plug-in is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. The plug-in code lives in the API server process and must be compiled into the binary in order to be used at this time.

Each admission control plug-in is run in sequence before a request is accepted into the cluster. If any of the plug-ins in the sequence rejects the request, the entire request is rejected immediately and an error is returned to the end-user.

Admission control plug-ins may mutate the incoming object in some cases to apply system-configured defaults. In addition, admission control plug-ins may mutate related resources as part of request processing to do things like increment quota usage.

## Why do I need them?

Many advanced features in Kubernetes require an admission control plug-in to be enabled in order to properly support the feature. As a result, a Kubernetes API server that is not properly configured with the right set of admission control plug-ins is an incomplete server and will not support all the features you expect.

## How do I turn on an admission control plug-in?

The Kubernetes API server supports a flag, `admission-control`, that takes a comma-delimited, ordered list of admission control choices to invoke prior to modifying objects in the cluster.

## What does each plug-in do?

### AlwaysAdmit

Use this plug-in by itself to pass through all requests.

### AlwaysDeny

Rejects all requests. Used for testing.

### DenyExecOnPrivileged (deprecated)

This plug-in will intercept all requests to exec a command in a pod if that pod has a privileged container.

If your cluster supports privileged containers, and you want to restrict the ability of end-users to exec commands in those containers, we strongly encourage enabling this plug-in.

This functionality has been merged into [DenyEscalatingExec](#denyescalatingexec).

### DenyEscalatingExec

This plug-in will deny exec and attach commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace.

If your cluster supports containers that run with escalated privileges, and you want to restrict the ability of end-users to exec commands in those containers, we strongly encourage enabling this plug-in.

### ServiceAccount

This plug-in implements automation for [serviceAccounts](../user-guide/service-accounts.md). We strongly recommend using this plug-in if you intend to make use of Kubernetes `ServiceAccount` objects.

### SecurityContextDeny

This plug-in will deny any pod with a [SecurityContext](../user-guide/security-context.md) that defines options that were not available on the `Container`.

### ResourceQuota

This plug-in will observe the incoming request and ensure that it does not violate any of the constraints enumerated in the `ResourceQuota` object in a `Namespace`. If you are using `ResourceQuota` objects in your Kubernetes deployment, you MUST use this plug-in to enforce quota constraints.

See the [resourceQuota design doc](../design/admission_control_resource_quota.md) and the [example of Resource Quota](resourcequota/) for more details.

It is strongly encouraged that this plug-in is configured last in the sequence of admission control plug-ins. This is so that quota is not prematurely incremented only for the request to be rejected later in admission control.

### LimitRanger

This plug-in will observe the incoming request and ensure that it does not violate any of the constraints enumerated in the `LimitRange` object in a `Namespace`. If you are using `LimitRange` objects in your Kubernetes deployment, you MUST use this plug-in to enforce those constraints. LimitRanger can also be used to apply default resource requests to Pods that don't specify any; currently, the default LimitRanger applies a 0.1 CPU requirement to all Pods in the `default` namespace.

See the [limitRange design doc](../design/admission_control_limit_range.md) and the [example of Limit Range](limitrange/) for more details.

### NamespaceExists (deprecated)

This plug-in will observe all incoming requests that attempt to create a resource in a Kubernetes `Namespace` and reject the request if the `Namespace` was not previously created. We strongly recommend running this plug-in to ensure integrity of your data.

The functionality of this admission controller has been merged into `NamespaceLifecycle`.

### NamespaceAutoProvision (deprecated)

This plug-in will observe all incoming requests that attempt to create a resource in a Kubernetes `Namespace` and create a new `Namespace` if one did not already exist.

We strongly recommend `NamespaceLifecycle` over `NamespaceAutoProvision`.

### NamespaceLifecycle

This plug-in enforces that a `Namespace` that is undergoing termination cannot have new objects created in it, and ensures that requests in a non-existent `Namespace` are rejected.

A `Namespace` deletion kicks off a sequence of operations that remove all objects (pods, services, etc.) in that namespace. In order to enforce integrity of that process, we strongly recommend running this plug-in.

## Is there a recommended set of plug-ins to use?

Yes.

For Kubernetes 1.0, we strongly recommend running the following set of admission control plug-ins (order matters):

```
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DenyEscalatingExec,ResourceQuota
```
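The following is an added, self-contained Python model of the chain semantics described under "What are they?" and of the ordering advice given for `ResourceQuota` and the recommended plug-in set. It is not Kubernetes source and does not use the real admission plug-in API: the plug-in functions, the in-memory `Cluster` state, the request dictionaries and the pod-count quota are all constructed assumptions that mirror only what this page states (first rejection aborts the request, LimitRanger defaults 0.1 CPU in `default`, DenyEscalatingExec refuses exec/attach into privileged or host-IPC/host-PID pods, ResourceQuota charges usage as it admits). Running `quota_used_after` with `ResourceQuota` placed before a rejecting plug-in shows the usage leak the page warns about.

```python
"""Toy model of the kube-apiserver admission chain (added example, not Kubernetes code).

Plug-ins run in the order given to --admission-control; the first rejection
aborts the request with an error; plug-ins may mutate the object (LimitRanger
defaults) or related resources (ResourceQuota usage). Plug-in semantics,
cluster state and request shapes below are constructed approximations.
"""
from dataclasses import dataclass, field


class Rejected(Exception):
    """Raised by a plug-in to reject the request (the error the end-user sees)."""


@dataclass
class Cluster:
    # Constructed in-memory state; the real API server would read this from storage.
    namespaces: dict = field(default_factory=dict)   # name -> "active" | "terminating"
    quota_hard: dict = field(default_factory=dict)   # namespace -> maximum pod count
    quota_used: dict = field(default_factory=dict)   # namespace -> pods already counted


def always_admit(req, cluster):
    """AlwaysAdmit: pass-through, never rejects or mutates."""


def always_deny(req, cluster):
    """AlwaysDeny: rejects everything; useful only for testing the chain."""
    raise Rejected("AlwaysDeny")


def namespace_lifecycle(req, cluster):
    """NamespaceLifecycle: no new objects in a missing or terminating namespace."""
    state = cluster.namespaces.get(req["namespace"])
    if state is None:
        raise Rejected(f"namespace {req['namespace']!r} does not exist")
    if state == "terminating":
        raise Rejected(f"namespace {req['namespace']!r} is being terminated")


def limit_ranger(req, cluster):
    """LimitRanger (mutating): apply the page's 0.1 CPU default in `default`."""
    if req["kind"] == "pod" and req["namespace"] == "default":
        for container in req["object"]["containers"]:
            container.setdefault("cpu_request", 0.1)


def deny_escalating_exec(req, cluster):
    """DenyEscalatingExec: no exec/attach into pods with host-level privileges."""
    if req["kind"] in ("exec", "attach"):
        pod = req["object"]
        if pod.get("privileged") or pod.get("host_ipc") or pod.get("host_pid"):
            raise Rejected("exec/attach into an escalated pod is denied")


def resource_quota(req, cluster):
    """ResourceQuota: reject on hard-limit breach, otherwise charge usage now."""
    if req["kind"] != "pod":
        return
    ns = req["namespace"]
    if ns in cluster.quota_hard:
        used = cluster.quota_used.get(ns, 0)
        if used + 1 > cluster.quota_hard[ns]:
            raise Rejected(f"pod quota exceeded in namespace {ns!r}")
        cluster.quota_used[ns] = used + 1   # mutates a related resource (quota usage)


def admit(chain, req, cluster):
    """Run the chain in order; the first Rejected aborts the whole request.
    Returns the (possibly mutated) request on success."""
    for plugin in chain:
        plugin(req, cluster)
    return req


def rejected_by(chain, req, cluster):
    """Return the rejection message, or None if the request was admitted."""
    try:
        admit(chain, req, cluster)
    except Rejected as exc:
        return str(exc)
    return None


# The page's recommended order, minus the plug-ins this toy does not model.
RECOMMENDED = [namespace_lifecycle, limit_ranger, deny_escalating_exec, resource_quota]


def new_cluster():
    """Constructed sample state: an active `default` namespace with room for 2 pods."""
    return Cluster(namespaces={"default": "active", "old": "terminating"},
                   quota_hard={"default": 2})


def quota_used_after(chain, cluster):
    """Submit one pod to `default` through `chain`; return (admitted, pods counted).
    Comparing orderings shows why ResourceQuota should run last."""
    req = {"kind": "pod", "namespace": "default",
           "object": {"containers": [{"name": "app"}]}}
    admitted = rejected_by(chain, req, cluster) is None
    return admitted, cluster.quota_used.get("default", 0)


if __name__ == "__main__":
    print(quota_used_after(RECOMMENDED, new_cluster()))                    # (True, 1)
    print(quota_used_after([resource_quota, always_deny], new_cluster()))  # (False, 1): usage charged, request rejected
    print(quota_used_after([always_deny, resource_quota], new_cluster()))  # (False, 0)
```

The second call is the failure mode the `ResourceQuota` section describes: with quota charged before a later plug-in rejects, the namespace's usage count drifts away from what was actually persisted. Keeping `ResourceQuota` last, as in the recommended flag value, means usage is only touched for requests every other plug-in has already accepted.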