How to obtain the enable admission controller list in kubernetes?
The kube-apiserver is running in your kube-apiserver-< example.com > container.The application does not have a get method at the moment to obtain the enabled admission plugins, but you can get the startup parameters from its command line.
kubectl -n kube-system describe po kube-apiserver-example.com
Another way, to see what is in the container: unfortunately there is no "ps" command in the container, but you can get the initial process command parameters from /proc , something like that:
kubectl -n kube-system exec kube-apiserver-example.com -- sed 's/--/\n/g' /proc/1/cmdline
It will be probably like :
enable-admission-plugins=NodeRestriction
There isn't an admissionscontroller k8s object exposed directly in kubectl
.
To get a list of admissions controllers, you have to hit the k8s master API directly with the right versions supported by your k8s installation:
kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq
For our environment, we run open policy agent as an admissions controller and we can see the webhook object here:
kubectl get --raw /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations | jq '.items[] | select(.metadata.name=="open-policy-agent-latest-helm-opa")'
Which outputs the JSON object:
{ "metadata": { "name": "open-policy-agent-latest-helm-opa", "selfLink": "/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/open-policy-agent-latest-helm-opa", "uid": "02139b9e-b282-4ef9-8017-d698bb13882c", "resourceVersion": "150373119", "generation": 93, "creationTimestamp": "2021-03-18T06:22:54Z", "labels": { "app": "open-policy-agent-latest-helm-opa", "app.kubernetes.io/managed-by": "Helm", "chart": "opa-1.14.6", "heritage": "Helm", "release": "open-policy-agent-latest-helm-opa" }, "annotations": { "meta.helm.sh/release-name": "open-policy-agent-latest-helm-opa", "meta.helm.sh/release-namespace": "open-policy-agent-latest" }, "managedFields": [ { "manager": "Go-http-client", "operation": "Update", "apiVersion": "admissionregistration.k8s.io/v1beta1", "time": "2021-03-18T06:22:54Z", "fieldsType": "FieldsV1", "fieldsV1": { "f:metadata": { "f:annotations": { ".": {}, "f:meta.helm.sh/release-name": {}, "f:meta.helm.sh/release-namespace": {} }, "f:labels": { ".": {}, "f:app": {}, "f:app.kubernetes.io/managed-by": {}, "f:chart": {}, "f:heritage": {}, "f:release": {} } }, "f:webhooks": { ".": {}, "k:{\"name\":\"webhook.openpolicyagent.org\"}": { ".": {}, "f:admissionReviewVersions": {}, "f:clientConfig": { ".": {}, "f:caBundle": {}, "f:service": { ".": {}, "f:name": {}, "f:namespace": {}, "f:port": {} } }, "f:failurePolicy": {}, "f:matchPolicy": {}, "f:name": {}, "f:namespaceSelector": { ".": {}, "f:matchExpressions": {} }, "f:objectSelector": {}, "f:rules": {}, "f:sideEffects": {}, "f:timeoutSeconds": {} } } } } ] }, "webhooks": [ { "name": "webhook.openpolicyagent.org", "clientConfig": { "service": { "namespace": "open-policy-agent-latest", "name": "open-policy-agent-latest-helm-opa", "port": 443 }, "caBundle": "LS0BLAH=" }, "rules": [ { "operations": [ "*" ], "apiGroups": [ "*" ], "apiVersions": [ "*" ], "resources": [ "namespaces" ], "scope": "*" } ], "failurePolicy": "Ignore", "matchPolicy": "Exact", "namespaceSelector": { "matchExpressions": [ { "key": "openpolicyagent.org/webhook", "operator": "NotIn", "values": [ "ignore" ] } ] }, "objectSelector": {}, "sideEffects": "Unknown", "timeoutSeconds": 20, "admissionReviewVersions": [ "v1beta1" ] } ]}
You can see from above the clientConfig
endpoint in k8s which is what the admissions payload is sent to. Tail the logs of the pods that serve that endpoint and you'll see your admissions requests being processed.
To get mutating webhooks, hit the version of the API of interest again:
# get v1 mutating webhook configurationskubectl get --raw /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations | jq
You may find the list of default enabled admission controllers in doc:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options, search for "--enable-admission-plugins";or equivalently in code:https://github.com/kubernetes/kubernetes/blob/master/pkg/kubeapiserver/options/plugins.go#L131-L145
For customized ones, you may run cmd in any master node:cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep -E "(enable|disable)-admission-plugins"
.