Kubernetes supports over thirty admission controllers; this article goes into some of the details of the controllers that can be used to run containers securely.

Kubernetes supports over 30 admission controllers. Following authentication and authorization, admission controllers are the final step in the three-step process before Kubernetes persists the resource in etcd (a consistent and highly available key-value store used as Kubernetes' backing store for all cluster data). Some admission controllers relevant to securing running containers are:

  • **PodSecurityPolicy:** this option implements pod admission based on the pod's security context and the available policies.
  • **DenyEscalatingExec:** when hackers open shells in privileged containers, they have access to the host. This option ensures that exec and attach commands into privileged containers are blocked.
  • **AlwaysPullImages:** while there is a performance advantage to storing and reusing images on a node, hygiene and the assurance that you always run up-to-date container images may be more important. Since vulnerabilities are patched upstream, always pulling images ensures that the latest remediations are downloaded.
  • **LimitRange and ResourceQuota:** to prevent denial-of-service attacks and the spawning of unauthorized processes from established pods, these options check incoming requests for violations of the configured limits.
  • **NodeRestriction:** this limits the permissions of each kubelet, ensuring that it can only modify pods that are bound to it and its own Node object.
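
To make the admission step concrete, here is an added example (not code from the article or from Kubernetes itself) that models three of the controllers above as plain Python functions over a pod manifest: a mutating step in the spirit of AlwaysPullImages, a mutate-then-validate step in the spirit of LimitRanger, and a validating check on exec/attach requests in the spirit of DenyEscalatingExec. The pod manifest, the default and maximum limits, and the function names are all constructed for the example; the quantity parsers only handle the subset of the Kubernetes quantity syntax the sample uses. Note that DenyEscalatingExec and PodSecurityPolicy were later removed from Kubernetes (in 1.18 and 1.25 respectively) and their checks now live in Pod Security Admission, but the decision logic the example shows is the same.

```python
import copy
import re

# Constructed sample manifest (not from the article): a normal container with no
# resource limits and a privileged "debug" container that asks for too much CPU.
SAMPLE_POD = {
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "hostPID": False,
        "containers": [
            {"name": "web", "image": "nginx:1.25", "imagePullPolicy": "IfNotPresent"},
            {"name": "debug", "image": "busybox",
             "securityContext": {"privileged": True},
             "resources": {"limits": {"cpu": "4", "memory": "8Gi"}}},
        ],
    },
}

# Constructed LimitRange-style policy: defaults applied when absent, maxima enforced.
DEFAULT_LIMITS = {"cpu": "250m", "memory": "128Mi"}
MAX_LIMITS = {"cpu": "2", "memory": "4Gi"}


def parse_cpu_millis(q):
    """'500m' -> 500, '2' -> 2000 (subset of the Kubernetes quantity syntax)."""
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def parse_mem_mib(q):
    """'256Mi' -> 256, '1Gi' -> 1024 (subset of the Kubernetes quantity syntax)."""
    m = re.fullmatch(r"(\d+)(Mi|Gi)", q)
    if not m:
        raise ValueError(f"unsupported memory quantity: {q}")
    n, unit = int(m.group(1)), m.group(2)
    return n * 1024 if unit == "Gi" else n


def always_pull_images(pod):
    """Mutating step modelled on AlwaysPullImages: every container must re-pull its image."""
    pod = copy.deepcopy(pod)
    for c in pod["spec"].get("containers", []) + pod["spec"].get("initContainers", []):
        c["imagePullPolicy"] = "Always"
    return pod


def limit_ranger(pod, default_limits, max_limits):
    """Modelled on LimitRanger: fill in default limits, then reject anything above the max.

    Returns (allowed, reason, pod) so the mutated manifest is visible to the caller."""
    pod = copy.deepcopy(pod)
    for c in pod["spec"].get("containers", []):
        limits = c.setdefault("resources", {}).setdefault("limits", {})
        for key, value in default_limits.items():
            limits.setdefault(key, value)
        if parse_cpu_millis(limits["cpu"]) > parse_cpu_millis(max_limits["cpu"]):
            return False, f"container {c['name']}: cpu limit {limits['cpu']} exceeds max {max_limits['cpu']}", pod
        if parse_mem_mib(limits["memory"]) > parse_mem_mib(max_limits["memory"]):
            return False, f"container {c['name']}: memory limit {limits['memory']} exceeds max {max_limits['memory']}", pod
    return True, "", pod


def has_host_access(pod):
    """True when the pod runs a privileged container or shares the host PID/IPC namespace."""
    spec = pod["spec"]
    if spec.get("hostPID") or spec.get("hostIPC"):
        return True
    return any(c.get("securityContext", {}).get("privileged", False)
               for c in spec.get("containers", []))


def deny_escalating_exec(pod, subresource):
    """Validating check modelled on DenyEscalatingExec: block exec/attach into a pod with host access."""
    if subresource in ("exec", "attach") and has_host_access(pod):
        return False, f"{subresource} into a privileged or host-namespace pod is denied"
    return True, ""


def admit_create(pod, default_limits, max_limits):
    """Admission chain for a pod CREATE: mutating plugins run first, validating ones last."""
    pod = always_pull_images(pod)
    ok, reason, pod = limit_ranger(pod, default_limits, max_limits)
    return ok, reason, pod


if __name__ == "__main__":
    ok, reason, mutated = admit_create(SAMPLE_POD, DEFAULT_LIMITS, MAX_LIMITS)
    print("create allowed:", ok, reason)
    print("exec allowed:", deny_escalating_exec(SAMPLE_POD, "exec"))
```

Running it shows the two halves of the admission step: the create request is rejected because the `debug` container's CPU limit exceeds the maximum, while the returned manifest already carries the mutations (`imagePullPolicy: Always` everywhere and default limits on `web`) that the earlier plugins applied before the validating check failed. An exec into the same pod is denied because one of its containers is privileged, and a non-exec subresource such as `log` is left alone.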


Kubernetes Admission Controllers