Admission Controllers, Dynamic Webhooks and OPA Gatekeeper



An admission controller is a piece of code inside the kube-apiserver that intercepts requests
after they have been authenticated and authorized, but before the requested object is persisted in etcd.
Admission runs only on requests that create, modify, delete or connect to objects; plain reads (get, list, watch) never pass through it.

Admission controllers are enabled on the kube-apiserver with --enable-admission-plugins=<comma-separated list> (and disabled with --disable-admission-plugins). On a kubeadm cluster the flag lives in the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml; `kube-apiserver -h | grep enable-admission-plugins` prints the full list of plugins and which ones are on by default for that version.

Many admission controllers are enabled by default; the rest must be added explicitly to the --enable-admission-plugins list.

NamespaceLifecycle, ServiceAccount, LimitRanger, ResourceQuota and DefaultStorageClass are among the defaults. AlwaysPullImages and PodSecurityPolicy (PSP, removed in v1.25 in favour of the built-in PodSecurity admission plugin) are not in the default set and have to be enabled explicitly. AlwaysPullImages is worth turning on in a multi-tenant cluster: without it a pod can reuse a private image already cached on a node without presenting pull credentials for it.

Since v1.10 a recommended set of admission controllers is enabled by default, and the order in which plugins are listed no longer matters (the older, order-sensitive --admission-control flag was deprecated in that release).

Two of the defaults are special because they implement no policy themselves: MutatingAdmissionWebhook and ValidatingAdmissionWebhook call out to HTTP servers that you register at runtime, which is what makes admission "dynamic".

A webhook is an HTTP callback: instead of a client polling for changes, the server makes an outbound HTTP request to a URL that was registered with it whenever an event occurs. In the admission case the kube-apiserver is the caller, and the call is synchronous: the API request blocks until the webhook answers or the configured timeout expires.

Admission webhooks are HTTP callbacks that receive admission requests and do something with them. There are two types,
validating admission webhooks and mutating admission webhooks.
Mutating admission webhooks are invoked first, one after another, and can modify the object sent to the API server to enforce custom defaults (inject a sidecar, set a label, drop a capability).
After all mutations are complete, and after the API server has validated the resulting object against its schema, validating admission webhooks are invoked in parallel;
they see the mutated object and can reject the request to enforce custom policies. A single rejection is enough to fail the request.

Once the API server receives a request that matches one or more rules in a MutatingWebhookConfiguration or ValidatingWebhookConfiguration (matched on API group, version, resource and operation, optionally narrowed by namespaceSelector and objectSelector),
it POSTs an AdmissionReview object to the webhook endpoint named in that configuration and expects an AdmissionReview back whose response.uid echoes the request. The endpoint must serve HTTPS, and the configuration carries the caBundle used to verify it. The configuration's failurePolicy decides what happens when the webhook is down or times out: Fail rejects the request, Ignore admits it. A webhook that enforces security policy should use Fail (fail closed) together with a short timeoutSeconds, so that an outage cannot be turned into a bypass and a slow webhook cannot stall the API server.

Idempotence is an important criterion when writing mutating webhooks: the API server may invoke the same webhook more than once for one request (for example when reinvocationPolicy is IfNeeded and a later webhook changed the object), so applying the mutation to an already-mutated object must be a no-op. Webhooks should also be free of side effects outside the cluster, or honour the dryRun flag in the request, and declare this in the sideEffects field.
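The exchange described above, as an added example that is not part of the original notes: one process serving both a mutating endpoint (adds a label, idempotently) and a validating endpoint (denies privileged containers, hostPID and hostNetwork). The label key, the paths /mutate and /validate, the port and the sample AdmissionReview are all constructed for the example; the AdmissionReview shape and the base64 JSON Patch encoding are what kube-apiserver actually uses.

```python
"""Admission webhook logic for the AdmissionReview exchange (added example).
Each handler takes the decoded AdmissionReview that kube-apiserver POSTs and
returns the AdmissionReview the server expects back. The HTTP server at the
bottom is plain HTTP for local testing; in a cluster it must serve TLS that
chains to the caBundle in the WebhookConfiguration."""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: our own label key/value; any non-conflicting key would do.
INJECTED_LABEL = "example.internal/admitted-by"
INJECTED_VALUE = "demo-webhook"


def _pointer_escape(token):
    """RFC 6901 escaping for a JSON Patch path segment ('/' is legal in label keys)."""
    return token.replace("~", "~0").replace("/", "~1")


def _review(uid, allowed, message=None, patch=None):
    """Build an admission.k8s.io/v1 AdmissionReview response; uid must echo the request."""
    resp = {"uid": uid, "allowed": allowed}
    if message:
        resp["status"] = {"code": 403, "message": message}
    if patch is not None:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def decode_patch(review_response):
    """Inverse of the base64 JSON Patch encoding; None when the response carries no patch."""
    patch = review_response["response"].get("patch")
    return None if patch is None else json.loads(base64.b64decode(patch))


def mutate(review):
    """Mutating webhook: ensure INJECTED_LABEL is set. Idempotent: an object that
    already carries the label is allowed with no patch, so re-invocation is safe."""
    req = review["request"]
    labels = (req["object"].get("metadata") or {}).get("labels")
    if labels and labels.get(INJECTED_LABEL) == INJECTED_VALUE:
        return _review(req["uid"], True)
    if not labels:  # labels map missing, null or empty: create the whole map in one op
        patch = [{"op": "add", "path": "/metadata/labels",
                  "value": {INJECTED_LABEL: INJECTED_VALUE}}]
    else:
        patch = [{"op": "add", "path": "/metadata/labels/" + _pointer_escape(INJECTED_LABEL),
                  "value": INJECTED_VALUE}]
    return _review(req["uid"], True, patch=patch)


def validate(review):
    """Validating webhook: deny Pods with privileged containers, hostPID or hostNetwork."""
    req = review["request"]
    if req.get("kind", {}).get("kind") != "Pod":
        return _review(req["uid"], True)  # not ours to judge
    spec = req["object"].get("spec") or {}
    problems = [f"{flag} is not allowed" for flag in ("hostPID", "hostNetwork") if spec.get(flag)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            problems.append(f"container {c.get('name')!r} is privileged")
    if problems:
        return _review(req["uid"], False, message="; ".join(problems))
    return _review(req["uid"], True)


class AdmissionHandler(BaseHTTPRequestHandler):
    """Routes the API server's POSTs; anything malformed is answered 400 (fails closed)."""
    ROUTES = {"/mutate": mutate, "/validate": validate}

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            out = json.dumps(self.ROUTES[self.path](json.loads(body))).encode()
        except (KeyError, ValueError, TypeError) as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(out)


# Constructed sample: what the API server sends when a privileged Pod is created.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE", "namespace": "default",
        "object": {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "debug", "namespace": "default"},
                   "spec": {"hostPID": True,
                            "containers": [{"name": "shell", "image": "busybox",
                                            "securityContext": {"privileged": True}}]}},
    },
}

if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_REVIEW)["response"], indent=2))
    HTTPServer(("127.0.0.1", 8443), AdmissionHandler).serve_forever()
```

Run it and POST SAMPLE_REVIEW with curl to /validate to see the 403 response; the API server would surface its message to kubectl. To wire it into a cluster, register it with a MutatingWebhookConfiguration and a ValidatingWebhookConfiguration whose rules cover pods on CREATE and UPDATE, with caBundle set, admissionReviewVersions: ["v1"], sideEffects: None, failurePolicy: Fail and a timeoutSeconds of a few seconds. The validate check is deliberately narrow: it does not look at ephemeral containers, hostPath volumes or added capabilities, so it is a demonstration of the mechanism rather than a replacement for the PodSecurity admission plugin.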

Writing and operating admission webhooks is cumbersome, and policy is better treated as configuration than as code. That is the gap OPA (Open Policy Agent) fills: policies are written in its Rego language and evaluated by a general-purpose engine, and Gatekeeper is the Kubernetes-specific admission webhook (plus audit controller) built on top of it.

OPA is designed to decouple policy decision-making from policy enforcement: the service (here the API server's admission chain, via Gatekeeper) asks OPA for a decision and is responsible for enforcing the answer; OPA only decides.

With Gatekeeper, a cluster admin first creates a ConstraintTemplate, a custom resource that carries the Rego for one kind of check together with a schema for its parameters. Gatekeeper turns each template into a new CRD; other admins then create Constraints, instances of that generated kind, which supply the parameters and a match section selecting the resources the check applies to.

Gatekeeper also audits the cluster periodically against every constraint, so objects that already existed before the policy, or were admitted while it was in dryrun mode, are still flagged. The violations appear in the status.violations list (with a status.totalViolations count) of each constraint resource and can be read with kubectl get <constraint kind> <name> -o yaml.