After the client application has been authenticated and allowed to carry out its task within the kubernetes cluster, the admission controller steps in to check if the operation could for example, have the potential of compromising the cluster.
To enable admission controllers, we could use the below command:
Below are some example of admission controllers that help our pods to run securely:
AlwaysPullImages : sets the image pull policy to "Always", and changes the default value. This will makes sure that kubernetes will pulling an "authentic" image from the repository as opposed to using a local one that might have been compromised.
DenyEscalatingExec : denies executing commands inside pods that are running with escalated privileges that allow free access to the hosts on which they arerunning.
PodSecurityPolicy : make sure that created pods adhere to the established security contexts - DAC, Linux capabilities, ... - and policies.
LimitRange and ResourceQuota : make sure the pod doesn't go overboard in terms of resource consumption. The limits are specified in the "LimitRange" and "ResourceQuota" object.
NodeRestriction : Limits what a kubelet can do in terms of modifying the pods and the nodes of the cluster. This admission controller can for example allow the kubelet to only modify its node and its pods - running on that node -. It can also prevents kubelets for modifying the "taints" of their nodes and labels.