
Admission controllers

Admission controllers govern and enforce cluster usage. MKE 4k ships with all of the default admission controllers enabled for the Kubernetes version it is running.

Tip

For comprehensive information on admission controllers, refer to the official Kubernetes documentation.

In addition to those defaults, MKE 4k enables one extra admission controller, mke4-ucpauthz, which is described below.

mke4-ucpauthz

MKE 4k implements the mke4-ucpauthz admission controller using a Validating Admission Policy. This admission controller prevents under-privileged users from creating or updating PersistentVolume resources with host paths. It also prevents under-privileged users from creating Pods with privileged options.

To grant specific non-administrator, non-cluster-admin users or namespaces access to these privileged attributes, add the following snippet to the mke4.yaml configuration file:

```yaml
...
api:
  ucpauthz:
    disabled: false
    exemptUsers:
    - user1
    - system:serviceaccounts:myns:sa
    exemptNamespace:
    - myexemptns
```

The following Pod options are considered to be privileged:

  • hostipc - Pod spec with hostIPC: true
  • hostnet - Pod spec with hostNetwork: true
  • hostpid - Pod spec with hostPID: true
  • kernelCapabilities - Pod spec in which one or more kernel capabilities are added to a container's securityContext
  • privileged - Pod spec with a container running privileged: true

The admission controller automatically exempts all Calico service accounts that the Tigera Operator creates and, when Nvidia GPU support is enabled, the relevant GPU service accounts. This allows the tigera-operator-based Calico CNI and the Nvidia GPU components to operate normally without relaxing the security posture for any other resources.
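The following is an added illustration, not MKE's own policy code: a small Python checker that mirrors the rules the page describes for mke4-ucpauthz (the five privileged Pod options, hostPath PersistentVolumes, and the exemptUsers / exemptNamespace configuration above), evaluated against constructed AdmissionReview-style requests. The admin group name, the request dictionaries and the function names are assumptions chosen for the example; the page does not state how MKE identifies administrators.

```python
"""Reference checker mirroring the mke4-ucpauthz rules described in the text.

Added example, not MKE's actual Validating Admission Policy. Requests are
constructed in the shape of a Kubernetes AdmissionReview "request" field.
"""
from dataclasses import dataclass, field

# Assumption: membership in this group stands in for "administrator /
# cluster-admin"; the page does not define how MKE identifies admins.
ADMIN_GROUPS = {"system:masters"}


@dataclass
class Policy:
    """Mirrors the api.ucpauthz keys from mke4.yaml."""
    disabled: bool = False
    exempt_users: set = field(default_factory=set)
    exempt_namespaces: set = field(default_factory=set)


def privileged_options(pod_spec):
    """Return the privileged options present in a Pod spec, using the five
    categories listed in the documentation (in that order)."""
    found = []
    if pod_spec.get("hostIPC"):
        found.append("hostipc")
    if pod_spec.get("hostNetwork"):
        found.append("hostnet")
    if pod_spec.get("hostPID"):
        found.append("hostpid")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if (sc.get("capabilities") or {}).get("add") and "kernelCapabilities" not in found:
            found.append("kernelCapabilities")
        if sc.get("privileged") and "privileged" not in found:
            found.append("privileged")
    return found


def is_exempt(policy, user, groups, namespace):
    """Exempt if the policy is disabled, the user or namespace is listed,
    or the caller is an administrator."""
    if policy.disabled or user in policy.exempt_users or namespace in policy.exempt_namespaces:
        return True
    return bool(set(groups) & ADMIN_GROUPS)


def validate(policy, request):
    """Return (allowed, reasons) for a CREATE/UPDATE of a Pod or PersistentVolume."""
    user = request["userInfo"]["username"]
    groups = request["userInfo"].get("groups", [])
    namespace = request.get("namespace", "")  # PersistentVolumes are cluster-scoped
    obj = request["object"]
    if is_exempt(policy, user, groups, namespace):
        return True, []
    if obj.get("kind") == "Pod":
        opts = privileged_options(obj.get("spec", {}))
        if opts:
            return False, [f"privileged pod option not permitted: {o}" for o in opts]
    elif obj.get("kind") == "PersistentVolume":
        if "hostPath" in obj.get("spec", {}):
            return False, ["hostPath PersistentVolume not permitted"]
    return True, []


# Constructed sample policy matching the mke4.yaml snippet in the text.
SAMPLE_POLICY = Policy(
    exempt_users={"user1", "system:serviceaccounts:myns:sa"},
    exempt_namespaces={"myexemptns"},
)

# Constructed sample requests (not real cluster traffic).
PRIVILEGED_POD = {
    "kind": "Pod",
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "securityContext": {"privileged": True}}],
    },
}
HOSTPATH_PV = {"kind": "PersistentVolume", "spec": {"hostPath": {"path": "/data"}}}


def request(username, obj, namespace="default", groups=()):
    return {"userInfo": {"username": username, "groups": list(groups)},
            "namespace": namespace, "object": obj}


if __name__ == "__main__":
    for who, ns in [("alice", "default"), ("user1", "default"), ("alice", "myexemptns")]:
        print(who, ns, validate(SAMPLE_POLICY, request(who, PRIVILEGED_POD, ns)))
    print("alice PV", validate(SAMPLE_POLICY, request("alice", HOSTPATH_PV, "")))
```

The checker keeps the exemption logic separate from the per-object checks, which is the shape the real policy needs: exemptions are evaluated on the requester's identity and the target namespace, while the privileged-option and hostPath checks are evaluated on the object alone.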