| Separate validation from RESTStorage | https://github.com/GoogleCloudPlatform/kubernetes/issues/2977 |
## Background
## Background
...
@@ -12,24 +13,16 @@ High level goals:
...
@@ -12,24 +13,16 @@ High level goals:
* Enable an easy-to-use mechanism to provide admission control to cluster
* Enable an easy-to-use mechanism to provide admission control to cluster
* Enable a provider to support multiple admission control strategies or author their own
* Enable a provider to support multiple admission control strategies or author their own
* Ensure any rejected request can propagate errors back to the caller with why the request failed
* Ensure any rejected request can propagate errors back to the caller with why the request failed
* Enable usage of cluster resources to satisfy admission control criteria
* Enable admission controller criteria to change without requiring restart of kube-apiserver
Policy is focused on answering if a user is authorized to perform an action.
Authorization via policy is focused on answering if a user is authorized to perform an action.
Admission Control is focused on if the system will accept an authorized action.
Admission Control is focused on if the system will accept an authorized action.
The Kubernetes cluster may choose to dismiss an authorized action based on any number of admission control strategies they choose to author and deploy:
Kubernetes may choose to dismiss an authorized action based on any number of admission control strategies.
1. Quota enforcement of allocated desired usage
This proposal documents the basic design, and describes how any number of admission control plug-ins could be injected.
2. Pod black-lister to restrict running specific images on the cluster
3. Privileged container checker
4. Host port reservation
5. Volume validation - e.g. may or may not use hostDir, etc.
6. Min/max constraint checker for pod requested resources
7. ...
This proposal therefore attempts to enumerate the basic design, and describe how any number of admission controllers could be injected.
Implementation of specific admission control strategies are handled in separate documents.
## kube-apiserver
## kube-apiserver
...
@@ -37,109 +30,51 @@ The kube-apiserver takes the following OPTIONAL arguments to enable admission co
...
@@ -37,109 +30,51 @@ The kube-apiserver takes the following OPTIONAL arguments to enable admission co
| Option | Behavior |
| Option | Behavior |
| ------ | -------- |
| ------ | -------- |
| admission_controllers | List of addresses (ip:port, dns name) to invoke for admission control |
| admission_control | Comma-delimited, ordered list of admission control choices to invoke prior to modifying or deleting an object. |
| admission_controller_service | Service label selector to resolve for admission control (namespace/labelKey/labelValue) |
| admission_control_config_file | File with admission control configuration parameters to boot-strap plug-in. |
If the list of addresses to invoke for admission control are provided as a label selector, the kube-apiserver will update the list
An **AdmissionControl** plug-in is an implementation of the following interface:
of admission control services at a regular interval.
```
Upon an incoming request, the kube-apiserver performs the following basic flow:
package admission
1. Authorize the request, if authorized, continue
// Attributes is an interface used by a plug-in to make an admission decision on a individual request.
2. Invoke the Admission Control REST API for each defined address, if all return true, continue
type Attributes interface {
3. RESTStorage processes request
GetClient() client.Interface
4. Data is persisted in store
GetNamespace() string
GetKind() string
If there is no configured admission control address, then by default, all requests are admitted.
GetOperation() string
GetObject() runtime.Object
Admission control is enforced on POST/PUT operations, but is ignored on GET/DELETE operations.
}
## Admission Control REST API
// Interface is an abstract, pluggable interface for Admission Control decisions.
type Interface interface {
An admission controller satisfies a stable REST API invoked by the kube-apiserver to satisfy requests.
// Admit makes an admission decision based on the request attributes
// An error is returned if it denies the request.
| Action | HTTP Verb | Path | Description |
Admit(a Attributes) (err error)
| ---- | ---- | ---- | ---- |
}
| CREATE | POST | /admissionController | Send a request for admission to evaluate for admittance or denial |
```
The message body to the admissionController includes the following:
A **plug-in** must be compiled with the binary, and is registered as an available option by providing a name, and implementation