What exactly happens when we submit a manifest file to the Kubernetes control plane (the "master")? We know that the API server handles the incoming request, but inside the API server the request passes through the components below, in order. Only after the request has cleared every one of them is the object written to etcd. kubectl converts the YAML manifest to JSON before sending it to the API server; it is the API server, not kubectl, that writes the object to etcd.
1) API HTTP handler: The API server is an HTTP(S) server; this is the front door that receives the request (for example a POST to /api/v1/namespaces/default/pods).
2) Authentication: Kubernetes has two kinds of callers: normal users (identified by client certificates, bearer tokens or an OIDC provider; there is no "user" object in the API) and service accounts (tokens issued to pods). This stage establishes who the caller is. A request that carries no valid credential is rejected here with 401 Unauthorized.
3) Authorization (RBAC and the other authorizers): Once the caller's identity is known, the authorizer checks whether that identity may perform the requested verb (create, get, list, update, delete, ...) on the requested resource in that namespace. If no Role or ClusterRole bound to the caller grants it, the request is denied here with 403 Forbidden; otherwise it moves on to admission.
4) Admission controllers: A powerful feature of Kubernetes that controls what gets into the cluster. They are plugins compiled into the API server (plus, through the MutatingAdmissionWebhook and ValidatingAdmissionWebhook plugins, external webhooks you write yourself) that process a request after it has been authenticated and authorized but before the object is persisted in etcd. Admission only applies to requests that create, modify or delete objects; reads (get, list, watch) are never subject to it. There are two phases:
4a) Mutating admission controllers: These inspect the API object and may add to or change its contents (fill in a default, set a label, inject a sidecar).
4b) Validating admission controllers: These inspect the already-mutated object and either accept it or reject the whole request; they cannot change it. If any controller in either phase rejects the request, the request fails immediately and the object is not stored.
How to enable/disable admission controllers:
Admission plugins are selected with flags on the kube-apiserver binary (on a kubeadm cluster, edit the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml). Note the two leading hyphens, which are often mangled into a single dash when copied from a web page:
# kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger
# kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny …
The set of plugins enabled by default in your version can be listed with:
# kube-apiserver -h | grep enable-admission-plugins
Examples of admission controllers and what they do:
- PodSecurityPolicy: Intercepted pod creation and modification and decided whether the pod should be admitted based on a security policy (privileged containers, host namespaces, allowed volume types, run-as-user, and so on). Caveat: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. Its replacement is the built-in PodSecurity admission controller (Pod Security Admission), which enforces the privileged/baseline/restricted Pod Security Standards per namespace through labels such as pod-security.kubernetes.io/enforce=restricted.
- NamespaceLifecycle: Prevents deletion of the system namespaces default, kube-system and kube-public, and rejects requests that create objects in a namespace that does not exist or is being terminated. It should always be enabled.
- DefaultStorageClass: Watches PersistentVolumeClaim creation; if the PVC does not request a specific storage class, it fills in the cluster's default StorageClass.
- DefaultTolerationSeconds: A mutating controller that adds tolerations for the node.kubernetes.io/not-ready and node.kubernetes.io/unreachable taints (effect NoExecute, tolerationSeconds 300 by default) to pods that do not already carry them, so a pod is evicted from an unhealthy node only after that grace period.
5) Schema validation:
Sometimes a manifest fails to apply because of a version mismatch between the cluster and the manifest, for example a Deployment with apiVersion apps/v1beta1 (removed in Kubernetes 1.16) or a misspelled or unknown field. The API server validates the decoded object against the schema of the requested API version (the same definitions it publishes as its OpenAPI document) and rejects anything that does not match. Strictly speaking this step sits between the two admission phases: mutating admission runs first, then object schema validation, then validating admission, so validating controllers always see a fully defaulted, schema-correct object. Client-side tools such as kubeval and kubeconform use JSON schema files extracted from those OpenAPI definitions for each Kubernetes version, which is how they catch these errors before the manifest is ever sent; kubectl itself performs a similar check (--validate) using the server's OpenAPI data.
Once the request has passed all of the above stages, the object is written to etcd (the cluster's key-value store). Only then do the other control-plane components (scheduler, controllers) see it and act on it.
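The following is an added example, not Kubernetes source code or anything from the original page. It is a toy model of the pipeline described in steps 4a, 4b and 5 above, run in the order the API server actually uses: mutating admission, then object schema validation, then validating admission, then the write to etcd. The schema table, the policy rules (reject privileged or uid-0 containers, the sort of check PodSecurityPolicy / Pod Security Admission make), the tolerations added by the mutator (mirroring DefaultTolerationSeconds) and the sample manifests are all constructed assumptions; the "etcd" is a dict keyed the way real etcd keys look.

```python
# Added example (not Kubernetes code): toy admission pipeline in the real order,
# mutating admission -> schema validation -> validating admission -> store.
# Schema table, policy rules, sample manifests and the dict "etcd" are assumptions.
import copy
import json


class AdmissionError(Exception):
    """Request rejected; the message mimics the API server's error text."""


# Assumed stand-in for the cluster's OpenAPI-derived schema: required top-level fields.
KNOWN_SCHEMAS = {
    ("v1", "Pod"): ["metadata", "spec"],
    ("apps/v1", "Deployment"): ["metadata", "spec"],
}
# API versions that no longer exist on this assumed cluster, with their successor.
REMOVED_VERSIONS = {
    ("apps/v1beta1", "Deployment"): "apps/v1",
    ("extensions/v1beta1", "Deployment"): "apps/v1",
}
NOEXECUTE_TAINTS = ("node.kubernetes.io/not-ready", "node.kubernetes.io/unreachable")


def mutate(obj):
    """Mutating admission: may change the object. This one labels every object
    and, like DefaultTolerationSeconds, adds 300s NoExecute tolerations to pods."""
    obj = copy.deepcopy(obj)  # never modify the caller's manifest in place
    obj.setdefault("metadata", {}).setdefault("labels", {})["admitted-by"] = "example-mutator"
    if obj.get("kind") == "Pod":
        tolerations = obj.setdefault("spec", {}).setdefault("tolerations", [])
        present = {t.get("key") for t in tolerations}
        for taint in NOEXECUTE_TAINTS:
            if taint not in present:  # idempotent: only add what is missing
                tolerations.append({"key": taint, "operator": "Exists",
                                    "effect": "NoExecute", "tolerationSeconds": 300})
    return obj


def validate_schema(obj):
    """Object schema validation on the already-mutated object: the apiVersion/kind
    must exist on this cluster and the required fields must be present."""
    key = (obj.get("apiVersion"), obj.get("kind"))
    if key in REMOVED_VERSIONS:
        raise AdmissionError(f"no matches for kind {key[1]!r} in version {key[0]!r} "
                             f"(use {REMOVED_VERSIONS[key]})")
    if key not in KNOWN_SCHEMAS:
        raise AdmissionError(f"unknown apiVersion/kind {key}")
    for field in KNOWN_SCHEMAS[key]:
        if field not in obj:
            raise AdmissionError(f"{key[1]}.{field}: Required value")


def validate(obj):
    """Validating admission: accept or reject, never modify."""
    if obj.get("kind") != "Pod":
        return
    for c in obj.get("spec", {}).get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            raise AdmissionError(f"container {c['name']!r}: privileged containers are not allowed")
        if sc.get("runAsUser") == 0:
            raise AdmissionError(f"container {c['name']!r}: running as root (uid 0) is not allowed")


def admit(obj, store):
    """Run the pipeline; on success persist under an etcd-style key and return it.
    Any stage raising AdmissionError fails the whole request and nothing is stored."""
    mutated = mutate(obj)
    validate_schema(mutated)
    validate(mutated)
    meta = mutated["metadata"]
    key = f"/registry/{mutated['kind'].lower()}s/{meta.get('namespace', 'default')}/{meta['name']}"
    store[key] = json.dumps(mutated)  # real etcd holds protobuf bytes; JSON keeps it readable
    return key


# Constructed sample manifests, as kubectl would send them after YAML -> JSON conversion.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}}
PRIVILEGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
                  "spec": {"containers": [{"name": "sh", "image": "busybox",
                                           "securityContext": {"privileged": True}}]}}
OLD_DEPLOYMENT = {"apiVersion": "apps/v1beta1", "kind": "Deployment",
                  "metadata": {"name": "legacy"}, "spec": {}}


def run_demo():
    """Submit the three manifests; return the etcd contents and the rejections by name."""
    store, rejected = {}, {}
    for manifest in (GOOD_POD, PRIVILEGED_POD, OLD_DEPLOYMENT):
        try:
            admit(manifest, store)
        except AdmissionError as e:
            rejected[manifest["metadata"]["name"]] = str(e)
    return store, rejected
```

Running run_demo() stores only /registry/pods/default/web (with the two tolerations and the label the mutator added); the privileged pod is stopped by validating admission and the apps/v1beta1 Deployment by schema validation, and neither reaches the store. Note that the mutator runs before the schema check, which is why a mutating webhook that emits an invalid object gets its request rejected rather than persisted.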