Managing Admission Controllers and verifying their operation

1 Overview

Managing the admission controller plugins of kube-apiserver and verifying that the changes take effect.

2 Scenario

List all Admission Controller plugins
  • Write every admission controller plugin enabled in the kube-apiserver manifest to /root/admission-plugins
Enable an Admission Controller plugin
  • Enable the MutatingAdmissionWebhook admission plugin
Disable an Admission Controller plugin
  • Delete the namespace space1
  • Delete the namespace default (fails with an error)

3 Hands-on

List all Admission Controller plugins
$ cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep admission-plugins
    - --enable-admission-plugins=NodeRestriction,LimitRanger,Priority
$ vi /root/admission-plugins
NodeRestriction
LimitRanger
Priority
Enable an Admission Controller plugin
$ cp /etc/kubernetes/manifests/kube-apiserver.yaml ~/kube-apiserver.yaml
$ vi /etc/kubernetes/manifests/kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.30.1.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction,LimitRanger,Priority,MutatingAdmissionWebhook
    ...
$ k get pod -n kube-system | grep kube-apiserver
NAME                                       READY   STATUS    RESTARTS       AGE
kube-apiserver-controlplane                1/1     Running   0              10s
$ crictl ps | grep kube-apiserver
21922e0e521a9       c42f13656d0b2       About a minute ago   Running             kube-apiserver            0                   0efa807965a57       kube-apiserver-controlplane
Disable an Admission Controller plugin
$ k delete ns space1
namespace "space1" deleted
$ k delete ns default
Error from server (Forbidden): namespaces "default" is forbidden: this namespace may not be deleted
$ cp /etc/kubernetes/manifests/kube-apiserver.yaml ~/kube-apiserver.yaml
$ vi /etc/kubernetes/manifests/kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.30.1.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction,LimitRanger,Priority,MutatingAdmissionWebhook
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --disable-admission-plugins=NamespaceLifecycle
    ...
$ crictl ps | grep kube-apiserver
c7075bbdd81f5       c42f13656d0b2       5 seconds ago       Running             kube-apiserver            0                   4c5c4f079d26d       kube-apiserver-controlplane
$ k delete ns default
namespace "default" deleted
$ k get ns
NAME                 STATUS   AGE
kube-node-lease      Active   25d
kube-public          Active   25d
kube-system          Active   25d
local-path-storage   Active   25d
space2               Active   16m
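The following shell script is an added example and is not part of the original page. It reproduces the first step of the lab (reading the enabled plugin list out of the kube-apiserver static-pod manifest, one plugin per line) and adds the check a reviewer would want after the last step: whether a safety-relevant plugin such as NamespaceLifecycle has been put on --disable-admission-plugins. NamespaceLifecycle is the plugin that produced the "Forbidden" error above; with it disabled, the default, kube-system and kube-public namespaces can be deleted and objects can be created in a terminating namespace, so the backed-up manifest (~/kube-apiserver.yaml) should be restored once the exercise is over. The manifest text, the function names (manifest_text, plugins_from, plugin_disabled, admission_report) and the warning list are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original page: audit the admission plugin flags
# of a kube-apiserver static-pod manifest. All names below are this example's own.

# Constructed sample manifest with the same flag layout as the page's manifest
# after the last edit (MutatingAdmissionWebhook enabled, NamespaceLifecycle disabled).
SAMPLE_MANIFEST='spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.30.1.2
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction,LimitRanger,Priority,MutatingAdmissionWebhook
    - --etcd-servers=https://127.0.0.1:2379
    - --disable-admission-plugins=NamespaceLifecycle
'

# manifest_text [file]: emit the manifest to inspect. A file argument selects a
# real manifest (e.g. /etc/kubernetes/manifests/kube-apiserver.yaml); without
# one the constructed sample is used so the script runs offline.
manifest_text() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s' "$SAMPLE_MANIFEST"; fi
}

# plugins_from <flag> [file]: the comma-separated value of "- --<flag>=..."
# printed one plugin per line (prints nothing when the flag is absent).
plugins_from() {
    manifest_text "${2:-}" \
        | sed -n "s/^[[:space:]]*- --$1=//p" \
        | tr ',' '\n' \
        | sed '/^$/d'
}

enabled_plugins()  { plugins_from enable-admission-plugins  "${1:-}"; }
disabled_plugins() { plugins_from disable-admission-plugins "${1:-}"; }

# count_enabled [file]: number of enabled plugins (whitespace stripped for wc portability)
count_enabled() { enabled_plugins "${1:-}" | wc -l | tr -d ' '; }

# plugin_enabled / plugin_disabled <name> [file]: exit status 0 when the plugin
# is listed in the corresponding flag, 1 otherwise.
plugin_enabled()  { enabled_plugins  "${2:-}" | grep -qx -- "$1"; }
plugin_disabled() { disabled_plugins "${2:-}" | grep -qx -- "$1"; }

# admission_report [file]: summary of both flags plus a warning for each
# safety-relevant plugin that has been explicitly disabled.
admission_report() {
    echo "enabled admission plugins:";  enabled_plugins  "${1:-}" | sed 's/^/  /'
    echo "disabled admission plugins:"; disabled_plugins "${1:-}" | sed 's/^/  /'
    for p in NamespaceLifecycle NodeRestriction ServiceAccount; do
        if plugin_disabled "$p" "${1:-}"; then
            echo "WARNING: $p is disabled; restore it unless this is a deliberate lab change"
        fi
    done
}

admission_report
```

Run it as-is to see the report for the constructed sample; on a control plane node, `enabled_plugins /etc/kubernetes/manifests/kube-apiserver.yaml > /root/admission-plugins` produces the file from the first step without editing it by hand, and `admission_report /etc/kubernetes/manifests/kube-apiserver.yaml` is a quick post-change check before the static pod is allowed to stay in that state.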