Admission Controllers K8s docs
Create a directory for storing the configs:
mkdir /etc/kubernetes/confighook
vi config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/kubernetes/confighook/webhook.kubeconfig
      allowTTL: 50
      denyTTL: 50
      retryBackoff: 500
      defaultAllow: true
vi webhook.kubeconfig
apiVersion: v1
kind: Config
# clusters refers to the remote service.
clusters:
- name: imagepolicy-webhook
  cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt # CA for verifying the remote service.
    server: https://images.demo.com/policy # URL of remote service to query. Must use 'https'.
contexts:
- context:
    cluster: imagepolicy-webhook
    user: api-server
  name: demo-context
current-context: demo-context
# users refers to the API server's webhook configuration.
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/pki/apiserver.crt # cert for the webhook admission controller to use
    client-key: /etc/kubernetes/pki/apiserver.key # key matching the cert
Mount the config directory into the kube-apiserver static pod: add the first entry under the container's volumeMounts and the second under the pod's volumes.
- mountPath: /etc/kubernetes/confighook
  name: admission-controller
  readOnly: true
- hostPath:
    path: /etc/kubernetes/confighook
    type: DirectoryOrCreate
  name: admission-controller
Note: always make a backup copy of your kube-apiserver manifest before making any changes. Anything can go wrong, and the API server may go down if an incorrect config is applied.
vi /etc/kubernetes/manifests/kube-apiserver.yaml
    - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
    - --admission-control-config-file=/etc/kubernetes/confighook/config.yaml
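The backend behind the server URL in webhook.kubeconfig is not shown above, so here is an added example (not from the page or the Kubernetes docs) of a minimal ImagePolicyWebhook backend in Python: the API server POSTs an ImageReview, and the backend returns it with status.allowed and a reason filled in. The allow-listed registry registry.example.internal and the webhook server certificate paths are constructed placeholders.

```python
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy: only images from this registry, pinned by digest or a non-latest tag.
ALLOWED_REGISTRIES = ("registry.example.internal/",)

def image_violations(image):
    """Return the policy violations for one container image reference."""
    problems = []
    if not image.startswith(ALLOWED_REGISTRIES):
        problems.append(f"{image}: registry not in allow list")
    last = image.rsplit("/", 1)[-1]  # name[:tag][@digest] without registry/path
    if "@sha256:" not in last and (":" not in last or last.endswith(":latest")):
        problems.append(f"{image}: pin by digest or a non-latest tag")
    return problems

def evaluate_image_review(review):
    """Fill in ImageReview.status for the request the API server POSTs."""
    containers = review.get("spec", {}).get("containers", [])
    problems = [p for c in containers for p in image_violations(c.get("image", ""))]
    status = {"allowed": not problems}
    if problems:
        status["reason"] = "; ".join(problems)
    return {"apiVersion": "imagepolicy.k8s.io/v1alpha1", "kind": "ImageReview", "status": status}

class ImagePolicyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            review = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400, "body is not JSON")
            return
        body = json.dumps(evaluate_image_review(review)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Serve HTTPS and require a client cert signed by the cluster CA, matching the
    # webhook.kubeconfig above (apiserver.crt/ca.crt). Server cert/key paths are placeholders.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("/path/to/webhook.crt", "/path/to/webhook.key")
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations("/etc/kubernetes/pki/ca.crt")
    srv = HTTPServer(("0.0.0.0", 443), ImagePolicyHandler)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

Because config.yaml sets defaultAllow: true, a backend that is down or times out means the API server admits the pod anyway; set it to false if the policy must fail closed.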