In some environments, it may be a requirement to implement an admission controller (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) for an additional layer of security for requests coming to the API-server. To do this, we will need to:
- Add an additional argument to our API-server YAML
- Create a file with our admission configuration
- Add this file to our nodes
- Mount it into our API-server pod
To do this, follow the steps below. Note that the location of the file is arbitrary; if you wish to place it in a different directory, you will also have to change the path in your API-server manifest:
1. Create YAML for your new cluster using: dkp create cluster <provider> -c test-cluster --dry-run -o yaml > cluster.yaml
2. Within the file we just created, a KubeadmControlPlane object allows for additional API-server arguments. Here we must add the location where we are going to mount our config file, along with the admission plugins we want to enable:
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: test-cluster-control-plane
  namespace: default
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          ...
          admission-control-config-file: /etc/kubernetes/admission-controller.yaml
          enable-admission-plugins: "ValidatingAdmissionWebhook,NodeRestriction"
3. Within the same KubeadmControlPlane object, there is an entry '.spec.kubeadmConfigSpec.files' where we can manually drop a file onto the host. Below is a sample admission configuration being added to the host:
files:
  - path: /etc/kubernetes/admission-controller.yaml
    content: |
      apiVersion: apiserver.config.k8s.io/v1
      kind: AdmissionConfiguration
      plugins:
        - name: PodSecurity
          configuration:
            apiVersion: pod-security.admission.config.k8s.io/v1beta1
            kind: PodSecurityConfiguration
            defaults:
              enforce: "privileged"
              enforce-version: "v1.23"
              audit: "privileged"
              audit-version: "v1.23"
              warn: "privileged"
              warn-version: "v1.23"
            exemptions:
              usernames:
                ....
              namespaces:
                ....
4. Lastly, mount the directory containing the newly created admission-controller.yaml file so the API-server can consume it:
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: test-cluster-control-plane
  namespace: default
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          ...
        extraVolumes:
          # kubeadm requires a name for each host-path mount (the name itself is arbitrary)
          - name: admission-config
            hostPath: /etc/kubernetes
            mountPath: /etc/kubernetes
        ...
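The three fragments above each show one piece of the same object. The following is an added example, not taken from the page or from the DKP documentation, that combines the extraArgs, files and extraVolumes entries into one KubeadmControlPlane so the three paths can be checked against each other (the admission-control-config-file argument must point at a path that the files entry writes and that an extraVolumes mount exposes inside the API-server pod). It also replaces the "privileged" defaults with "baseline" enforcement and "restricted" audit/warn, because the privileged level applies no restrictions and a PodSecurity configuration that defaults to it changes nothing; the volume name, the kube-system exemption and the single-file mount are assumptions of this example, and mounting the whole /etc/kubernetes directory as the page does works equally well:

```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: test-cluster-control-plane
  namespace: default
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          # Must equal the `path` in `files` below and lie under a `mountPath` in `extraVolumes`.
          admission-control-config-file: /etc/kubernetes/admission-controller.yaml
          # PodSecurity is listed explicitly so the configuration file is consumed even on
          # clusters where it is not in the default-enabled set.
          enable-admission-plugins: "ValidatingAdmissionWebhook,NodeRestriction,PodSecurity"
        extraVolumes:
          # kubeadm requires a volume name; "admission-config" is an assumed value.
          - name: admission-config
            hostPath: /etc/kubernetes/admission-controller.yaml
            mountPath: /etc/kubernetes/admission-controller.yaml
            readOnly: true
            pathType: File
    files:
      - path: /etc/kubernetes/admission-controller.yaml
        # Root-only permissions: the file controls what the API-server admits.
        owner: root:root
        permissions: "0600"
        content: |
          apiVersion: apiserver.config.k8s.io/v1
          kind: AdmissionConfiguration
          plugins:
            - name: PodSecurity
              configuration:
                apiVersion: pod-security.admission.config.k8s.io/v1beta1
                kind: PodSecurityConfiguration
                # "privileged" would enforce nothing. "baseline" rejects pods that use host
                # namespaces, privileged containers or hostPath volumes; "restricted" is only
                # audited and warned here so workloads can be migrated before it is enforced.
                defaults:
                  enforce: "baseline"
                  enforce-version: "v1.23"
                  audit: "restricted"
                  audit-version: "v1.23"
                  warn: "restricted"
                  warn-version: "v1.23"
                exemptions:
                  usernames: []
                  runtimeClasses: []
                  # System components such as the CNI and kube-proxy legitimately need
                  # privileged pods; exempting kube-system is an assumed choice.
                  namespaces: ["kube-system"]
```

When a pod is rejected by the baseline level, the API-server returns a message naming the violated check (for example a hostPath volume or a privileged container), and the audit annotations record the pods that would fail the restricted level; reviewing those before tightening `enforce` avoids breaking existing workloads.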
After following these steps, your configuration should be set; from here, you just need to apply the YAML to your bootstrap cluster. Once your cluster has been created, you can validate your configuration by checking the API-server's arguments. You should see the ones we added for the admission controller, along with the other default flags.