
Admission controllers

Admission controllers govern and enforce cluster usage. MKE 4k ships with all of the default admission controllers enabled for the Kubernetes version it is running.

Tip

For comprehensive information on admission controllers, refer to the official Kubernetes documentation.

In addition to the defaults, MKE 4k enables one extra admission controller, mke4-ucpauthz, which is described in the following section.

mke4-ucpauthz admission controller

MKE 4k implements the mke4-ucpauthz admission controller using a Validating Admission Policy. This admission controller prevents under-privileged users from creating or updating PersistentVolume resources with host paths. It also prevents under-privileged users from creating Pods with privileged options.

To configure and deploy the mke4-ucpauthz admission controller:

  1. Obtain the default mke4.yaml configuration file:

    mkectl init
    
  2. Edit the mke4.yaml configuration file to grant users who are neither administrators nor cluster-admins access to privileged attributes:

    ...
    spec:
      apiServer:
        ucpauthz:
          noDefaultUserExemptions: false
          noDefaultNSExemptions: false
          disabled: false
          exemptUsers:
          - user1
          - system:serviceaccount:<namespace>:<name>
          exemptNamespaces:
          - myexemptns
          valuesYaml: |
            disabled: false
            exempt:
              namespaces:
                - kube-system
              users:
                - system:serviceaccount:calico-system:calico-node
                - system:serviceaccount:tigera-operator:tigera-operator
    
    Parameters:

    noDefaultUserExemptions
        Suppresses the automatic user exemptions for Calico.

        Note: noDefaultUserExemptions does not suppress the NVIDIA GPU operator service accounts when GPU is enabled, because the code in newValues() guards the Calico accounts with this flag but appends the GPU accounts unconditionally whenever GPU is enabled.

        Default: false (automatic exemptions are active).

        WARNING: Setting noDefaultUserExemptions to true without re-adding Calico's service accounts through exemptUsers breaks cluster networking. The accounts that are automatically exempted when this parameter is false are:
        • system:serviceaccount:calico-apiserver:calico-apiserver
        • system:serviceaccount:calico-apiserver:default
        • system:serviceaccount:calico-system:calico-cni-plugin
        • system:serviceaccount:calico-system:calico-kube-controllers
        • system:serviceaccount:calico-system:calico-node
        • system:serviceaccount:calico-system:calico-typha
        • system:serviceaccount:calico-system:csi-node-driver
        • system:serviceaccount:calico-system:default
        • system:serviceaccount:tigera-operator:default
        • system:serviceaccount:tigera-operator:tigera-operator
        When GPU is enabled, the following are also auto-exempted:
        • system:serviceaccount:mke:gpu-operator
        • system:serviceaccount:mke:nvidia-operator-validator

    noDefaultNSExemptions
        Suppresses the automatic namespace exemptions that the VAP normally applies by default.

        Note: noDefaultNSExemptions is declared in the API structure but is never read in newValues(), so it has no effect on the rendered Helm values. Either the implementation is incomplete, or the namespace exemptions are injected entirely inside the Helm chart.

        Default: false (automatic namespace exemptions are active).

        WARNING: Setting noDefaultNSExemptions to true without re-adding the required namespaces through exemptNamespaces can break system workloads that depend on those exemptions.

    disabled

    exemptUsers
        Re-add only the exempt users that your cluster actually needs when either noDefaultUserExemptions or noDefaultNSExemptions is true.

    exemptNamespaces
        Re-add only the exempt namespaces that your cluster actually needs when either noDefaultUserExemptions or noDefaultNSExemptions is true.

    valuesYaml
        Passes its content verbatim as the Helm chart values for mke4-ucpauthz. When set, all computed logic is bypassed: exemptUsers, exemptNamespaces, noDefaultUserExemptions, noDefaultNSExemptions, and the automatic Calico/GPU service-account appending are all ignored.

        Use valuesYaml only when the structured fields are insufficient; a mistake in it produces no validation error and silently misconfigures the VAP.

        Note: The value must be valid YAML that matches the ucpauthz chart values schema.
  3. Apply the configuration:

    mkectl apply -f mke4.yaml
    

Privileged Pod options

The following Pod options are considered to be privileged:

  • hostipc - pod spec having hostIPC: true
  • hostnet - pod spec having hostNetwork: true
  • hostpid - pod spec having hostPID: true
  • kernelCapabilities - pod spec with one or more [kernel] capabilities added
  • privileged - pod spec with privileged: true

The admission controller automatically adds default exemptions for all Calico service accounts that the Tigera Operator creates. If NVIDIA GPU support is enabled, it also exempts the relevant GPU operator service accounts. This allows the tigera-operator based Calico CNI and the NVIDIA GPU operator to run without changing the security posture for any other resources.
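As an added example (not MKE's or the mke4-ucpauthz chart's own code), the following Python models the two behaviours documented on this page: the effective exempt-user list that newValues() renders from the ucpauthz parameters, and the privileged-option check applied to a Pod. The function names and the exact admission rule (an exempt user or an exempt namespace bypasses the check, and only explicit exemptNamespaces are honoured) are assumptions.

```python
# Illustrative model of mke4-ucpauthz (added example, not MKE code); names are assumed.
CALICO_DEFAULT_USERS = [  # auto-exempted unless noDefaultUserExemptions: true
    "system:serviceaccount:calico-apiserver:calico-apiserver",
    "system:serviceaccount:calico-apiserver:default",
    "system:serviceaccount:calico-system:calico-cni-plugin",
    "system:serviceaccount:calico-system:calico-kube-controllers",
    "system:serviceaccount:calico-system:calico-node",
    "system:serviceaccount:calico-system:calico-typha",
    "system:serviceaccount:calico-system:csi-node-driver",
    "system:serviceaccount:calico-system:default",
    "system:serviceaccount:tigera-operator:default",
    "system:serviceaccount:tigera-operator:tigera-operator",
]
GPU_DEFAULT_USERS = [  # appended whenever GPU is enabled, regardless of the flag
    "system:serviceaccount:mke:gpu-operator",
    "system:serviceaccount:mke:nvidia-operator-validator",
]

def effective_exempt_users(ucpauthz: dict, gpu_enabled: bool) -> list:
    """Users the VAP exempts, following the newValues() rules described on the page."""
    users = list(ucpauthz.get("exemptUsers", []))
    if not ucpauthz.get("noDefaultUserExemptions", False):
        users += CALICO_DEFAULT_USERS
    if gpu_enabled:  # not guarded by noDefaultUserExemptions (see the parameter note)
        users += GPU_DEFAULT_USERS
    return users

def privileged_options(pod: dict) -> list:
    """Privileged Pod options (the page's list) present in a Pod manifest."""
    spec = pod.get("spec", {})
    found = {name for key, name in (("hostIPC", "hostipc"), ("hostNetwork", "hostnet"),
                                    ("hostPID", "hostpid")) if spec.get(key)}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if (sc.get("capabilities") or {}).get("add"):
            found.add("kernelCapabilities")
        if sc.get("privileged"):
            found.add("privileged")
    return sorted(found)

def admission_decision(pod: dict, user: str, ucpauthz: dict, gpu_enabled: bool):
    """(allowed, reason) for a Pod request by `user`. Assumed rule: an exempt user or
    exempt namespace bypasses the check; only explicit exemptNamespaces count here."""
    ns = pod.get("metadata", {}).get("namespace", "default")
    if user in effective_exempt_users(ucpauthz, gpu_enabled) \
            or ns in ucpauthz.get("exemptNamespaces", []):
        return True, "exempt"
    opts = privileged_options(pod)
    if opts:
        return False, "privileged options: " + ", ".join(opts)
    return True, "no privileged options"
```

Feeding it the ucpauthz block from mke4.yaml shows which accounts remain exempt after setting noDefaultUserExemptions to true, which is the list you must reproduce through exemptUsers before applying the change.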