hands-on lab

Improving Kubernetes Security With Admission Controllers

Intermediate
45m
19
5/5
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
Lab description

Admission controllers are a powerful feature of Kubernetes that allow you to enhance the security of the cluster. Admission controllers are the final stage of the Kubernetes API request processing pipeline before being accepted into the cluster. Kubernetes ships with several admission controllers are enabled by default, and additional ones can be enabled as needed. Examples of functionality that can be implemented with admission controllers include:

  • Enforcing resource quotas within Namespaces
  • Enforcing that container images are always pulled and come from trusted registries
  • Preventing certain types of denial of service incidents

You will explore two admission controllers in depth in this lab as case studies in Kubernetes admission control:

  1. The NamespaceAutoProvision admission controller automatically creates Namespaces when resources are attempted to be created in Namespaces that do not exist.
  2. The EventRateLimit admission controller can reduce the impact of new Events flooding the API server.

Learning objectives

Upon completion of this intermediate-level lab, you will be able to:

  • Enable and disable Kubernetes admission controllers
  • Enable advanced admission controllers requiring additional configuration files
  • Use vi to edit Kubernetes API server manifests

Intended audience

  • Candidates for the Certified Kubernetes Security Specialist (CKS) exam
  • DevOps Engineers
  • Security Practitioners

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • Kubernetes Pods
  • Kubernetes Volumes

The following content can be used to fulfill the prerequisites:

Updates

October 13th, 2023 - Updated Kubernetes version

 

Environment before
Environment after
About the author
Avatar
Logan Rakai
Lead Content Developer - Labs
Students
212,281
Labs
222
Courses
9
Learning paths
55

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics
Lab steps
Connecting to the Kubernetes Cluster
Reviewing Kubernetes Admission Controllers
Configuring Advanced Admission Controllers