# Admission Controller

This feature is currently in beta

Fairwinds Insights can also run as an Admission Controller - it will reject any Kubernetes resources from entering your cluster if they don't conform to your organization's policies.

# Requirements

The default installation requires cert-manager v1.0 or greater.

If you don't have cert-manager, or if you'd like to provide your own certificate for the webhook, you can use the caBundle and secretName parameters to pass a CA Bundle and the location of a TLS certificate stored in your cluster.

# Installation

To use the Admission Controller and install it on your cluster, navigate to the Report Hub and select "Admission Controller". (You will need to re-install the Helm chart after selecting the Admission Controller.)

Once installed, you can test it out by creating a deployment that triggers a danger-severity Action Item by allowing privilege escalation:

bad-config.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: busybox-deployment
  namespace: testing
spec:
  replicas: 1
  selector:
    matchLabels:
      app: busybox
  template:
    metadata:
      labels:
        app: busybox
    spec:
      containers:
      - name: busybox
        image: busybox:1.32
        securityContext:
          allowPrivilegeEscalation: true
```

```shell
kubectl create ns testing
kubectl apply -f bad-config.yaml
```

You should see a message saying:

```
Error from server (Privilege escalation should not be allowed: Failure: true): error when creating "STDIN": admission webhook "insights.fairwinds.com" denied the request: Privilege escalation should not be allowed: Failure: true
```

# Resources

By default, the Admission Controller will monitor the following resources:

  • apps/(v1|v1beta1|v1beta2)
    • Deployments
    • DaemonSets
    • StatefulSets
  • batch/(v1|v1beta1)
    • Jobs
    • CronJobs
  • core/v1
    • Pods
    • ReplicationControllers

If you'd like to add additional resources, you can use the rules setting on the Helm chart:

```yaml
rules:
- apiGroups:
  - custom
  apiVersions:
  - v1
  operations:
  - CREATE
  - UPDATE
  resources:
  - customResource
  scope: Namespaced
```

# Configuration

You can fine-tune which checks are applied by the admission controller. Any check with a danger severity will instruct the Admission Controller to deny the deployment.

Specifically, the following auditing tools can be enabled or disabled as part of admission control:

  • Polaris - checks for security and best practices
  • OPA - apply custom policies to resources (see docs)
  • Pluto - disallow resources that have been deprecated

IMPORTANT: By default, each of these auditing tools is enabled in the Admission Controller when you first set it up. Polaris, which has some out-of-the-box checks that default to danger, may cause some deployments to fail. See the Polaris section below for more information.

To enable or disable a particular report, run:

```shell
curl -X POST https://insights.fairwinds.com/v0/organizations/$org/admission/reports/$report \
  -H "Authorization: Bearer $token" \
  -d '{"enabled": false}'
```

where:

  • $report is one of polaris, opa, or pluto
  • $org is your organization's name in Insights
  • $token is the admin token found on your organization settings page

# Polaris

You can also upload a custom Polaris configuration to set which checks are marked as danger, and will therefore cause a workload to be rejected.

IMPORTANT: For a list of Polaris checks that default to danger, and therefore will cause the Admission Controller to deny a deployment, please see:

You can also use the Polaris configuration to write custom checks using JSON Schema. Upload the configuration file with:

```shell
curl -X POST https://insights.fairwinds.com/v0/organizations/$org/admission/reports/polaris/config \
  -H "Authorization: Bearer $token" \
  -H "Content-Type: text/yaml" \
  -d @polaris-config.yaml
```

# OPA

To create custom OPA policies for your organization, see the OPA docs. To reject a resource, you'll need to ensure that your OPA policy generates an Action Item with severity >= 0.67.

# Using Automation Rules to Customize Admission Controller

Fairwinds provides a powerful, flexible solution for fine-grained customization of Admission Controller actions with the Automation Rules feature.

For example, first time users of Admission Controller may want to monitor all activities, but not yet deny any deployments.

To do this, you can create an Automation Rule with the following settings:

  • Context: Admission Controller
  • Report: All
  • Cluster: All
  • Action: ActionItem.Severity = 0.1;

NOTE: Any severity value >.66 is automatically considered a danger severity. Anything <=.66 is considered a warning severity.

When this is enabled, the Admission Controller will automatically consider all checks to be warning, and therefore allow all deployments to pass into the cluster.
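The deny/allow logic described in the Configuration and Automation Rules sections, as an added example that is not Fairwinds' code: it runs a privilege-escalation check over the page's bad-config.yaml, applies the > 0.66 danger threshold, and then shows how a rule setting ActionItem.Severity = 0.1 lets the same manifest through. The check function and its 0.7 severity are assumptions, not Polaris' real values.

```python
# Added example, not Fairwinds' code: a model of the admission decision this
# page describes. Findings with severity > 0.66 are "danger" and make the
# webhook deny the request; an Automation Rule setting ActionItem.Severity = 0.1
# turns every finding into a warning, so the same manifest is admitted.
# The check itself and its 0.7 severity are assumptions, not Polaris' real values.
DANGER_THRESHOLD = 0.66  # from the page: > .66 is danger, <= .66 is warning

def severity_label(severity):
    """Map a numeric severity to the label Insights uses."""
    return "danger" if severity > DANGER_THRESHOLD else "warning"

def check_privilege_escalation(manifest):
    """Polaris-style check: flag containers with allowPrivilegeEscalation: true."""
    items = []
    for container in manifest["spec"]["template"]["spec"].get("containers", []):
        if container.get("securityContext", {}).get("allowPrivilegeEscalation") is True:
            items.append({"title": "Privilege escalation should not be allowed",
                          "container": container["name"], "severity": 0.7})
    return items

def apply_automation_rule(items, rule_severity):
    """Mimic the rule 'ActionItem.Severity = <value>' applied to every finding."""
    if rule_severity is None:
        return items
    return [{**item, "severity": rule_severity} for item in items]

def admission_decision(manifest, rule_severity=None):
    """Return allowed/denied plus the findings, as the webhook response would."""
    items = apply_automation_rule(check_privilege_escalation(manifest), rule_severity)
    denied = [i for i in items if severity_label(i["severity"]) == "danger"]
    return {"allowed": not denied,
            "message": "; ".join(f"{i['title']}: Failure: true" for i in denied),
            "items": items}

# Constructed input: the page's bad-config.yaml as a Python dict.
BAD_CONFIG = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "busybox-deployment", "namespace": "testing"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "busybox"}},
             "template": {"metadata": {"labels": {"app": "busybox"}},
                          "spec": {"containers": [{
                              "name": "busybox", "image": "busybox:1.32",
                              "securityContext": {"allowPrivilegeEscalation": True}}]}}},
}

if __name__ == "__main__":
    print(admission_decision(BAD_CONFIG))                     # denied
    print(admission_decision(BAD_CONFIG, rule_severity=0.1))  # allowed
```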