Admission Controller는 변조(Mutating)와 검증(Validating) 작업을 사용하여 허가 기능을 수행함. 변조는 쿠버네티스 API 요청의 오브젝트를 수정하고, 검증은 요청이 기준에 맞는지 확인함. 해당 작업이 실패하면 요청은 거절됨.
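---
# Registers a mutating admission webhook: the API server sends every matching
# request to the admission-server Service at /mutate/ before the object is
# persisted. Mutating webhooks are called before validating ones.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: webhook-mutation
webhooks:
  - name: pod-mutation.default.com
    # Declares that the webhook makes no changes outside the AdmissionReview
    # response, so dry-run requests can be sent to it safely.
    sideEffects: None
    # Fail closed: if the webhook cannot be reached or returns an error, the
    # pod CREATE request is rejected instead of being admitted unmodified.
    # NOTE(review): no namespaceSelector or objectSelector is set, so this
    # applies to pod creation in every namespace, including the one that runs
    # the webhook server itself. If the server is down, its own replacement
    # pod is rejected too. Decide deliberately whether to exempt the
    # webhook's namespace; any exemption is also a policy bypass, so restrict
    # who can create pods there.
    failurePolicy: Fail
    admissionReviewVersions:
      - v1
    rules:
      # The empty string selects the core API group, where Pod lives.
      - apiGroups:
          - ""
        apiVersions:
          - v1
        # Only pod creation is intercepted; updates to existing pods are not
        # sent to this webhook.
        operations:
          - CREATE
        resources:
          - pods
    clientConfig:
      service:
        name: admission-server
        namespace: default
        path: /mutate/
      # Placeholder: the API server does not expand "${CA_BUNDLE}". Substitute
      # it before applying with the base64-encoded PEM CA certificate that
      # signed the webhook server's TLS certificate.
      caBundle: "${CA_BUNDLE}"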
---
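# Service in front of the webhook server pod. The webhook configuration's
# clientConfig.service refers to it by name and namespace.
apiVersion: v1
kind: Service
metadata:
  name: admission-server
  # Pinned to match clientConfig.service.namespace in the webhook
  # configuration; without it the Service lands in whatever namespace the
  # apply command targets and the API server cannot find the webhook.
  namespace: default
  labels:
    app: admission-controller-debug-deployment
spec:
  selector:
    app: admission-controller-debug-deployment
  ports:
    # The API server calls webhooks over HTTPS on port 443 by default. The
    # server certificate must be valid for admission-server.default.svc and
    # chain to the CA supplied in caBundle.
    - port: 443
      targetPort: 443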
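---
# Registers a validating admission webhook: the API server sends every
# matching request to the admission-server Service at /validate/ and rejects
# the request if the webhook denies it. Validating webhooks run after all
# mutating webhooks, so they see the final object.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: webhook-validation
webhooks:
  - name: pod-validation.default.com
    # Declares that the webhook makes no changes outside the AdmissionReview
    # response, so dry-run requests can be sent to it safely.
    sideEffects: None
    # Written out explicitly. Fail is already the default in
    # admissionregistration.k8s.io/v1, so behaviour is unchanged: an
    # unreachable or erroring webhook causes the request to be rejected.
    # NOTE(review): with no namespaceSelector this fail-closed check covers
    # pod creation in every namespace, including the webhook server's own.
    failurePolicy: Fail
    admissionReviewVersions:
      - v1
    rules:
      # The empty string selects the core API group, where Pod lives.
      - apiGroups:
          - ""
        apiVersions:
          - v1
        # Only pod creation is validated. NOTE(review): add UPDATE if the
        # policy must also cover changes to existing pods.
        operations:
          - CREATE
        resources:
          - pods
    clientConfig:
      service:
        name: admission-server
        namespace: default
        path: /validate/
      # Placeholder: the API server does not expand "${CA_BUNDLE}". Substitute
      # it before applying with the base64-encoded PEM CA certificate that
      # signed the webhook server's TLS certificate.
      caBundle: "${CA_BUNDLE}"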
---
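# Service in front of the webhook server pod. It has the same name, labels
# and ports as the Service listed with the mutating webhook, so applying both
# listings yields a single object.
apiVersion: v1
kind: Service
metadata:
  name: admission-server
  # Pinned to match clientConfig.service.namespace in the webhook
  # configuration; without it the Service lands in whatever namespace the
  # apply command targets and the API server cannot find the webhook.
  namespace: default
  labels:
    app: admission-controller-debug-deployment
spec:
  selector:
    app: admission-controller-debug-deployment
  ports:
    # The API server calls webhooks over HTTPS on port 443 by default. The
    # server certificate must be valid for admission-server.default.svc and
    # chain to the CA supplied in caBundle.
    - port: 443
      targetPort: 443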