Validate the admission controllers are working as expected
Check whether the admission controllers are working as expected.
This article is part of a series. Read the introduction here.
Issues caused by admission controllers are an edge case, but they should be considered. Here are some examples:
Mutating and validating webhooks. Be careful when you add mutating and validating webhooks to your cluster. Make sure that they're highly available so that an unhealthy node doesn't cause API server requests to be blocked. AKS Policy, also known as OPA Gatekeeper, is an example of this type of webhook. Problems in the admission control pipeline can block a large number of requests to the API server.
Service meshes. For example, they use admission controllers to automatically inject sidecars.
Tools
kubectl
The following commands check whether AKS Policy is running in your cluster and validate that all of the admission controllers are functioning as expected.
# Check AKS Policy pods are running.
kubectl get po -n gatekeeper-system
# Sample Output
...
NAME                                     READY   STATUS    RESTARTS   AGE
gatekeeper-audit-65844778cb-rkflg        1/1     Running   0          163m
gatekeeper-controller-78797d4687-4pf6w   1/1     Running   0          163m
gatekeeper-controller-78797d4687-splzh   1/1     Running   0          163m
...
If this command doesn't run as expected, it could indicate that an admission controller, API service, or CRD isn't functioning correctly.
# Check that all API Resources are working correctly.
kubectl api-resources
# Sample Output
...
NAME                SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                    true         Binding
componentstatuses   cs                      false        ComponentStatus
configmaps          cm                      true         ConfigMap
...
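The advice above to keep webhooks highly available can be checked from saved kubectl JSON output. The following is an added example, not part of the original article: it flags webhooks that fail closed while having fewer than two ready backends. All webhook, service, and namespace names in the sample data are constructed, and the threshold of two backends is an assumption.

```python
import json

# Constructed sample, shaped like the output of
# kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json
WEBHOOKS_JSON = """{"items": [
 {"metadata": {"name": "policy-check"}, "webhooks": [{"name": "validate.policy.example",
   "failurePolicy": "Fail",
   "clientConfig": {"service": {"namespace": "gatekeeper-system", "name": "policy-svc"}}}]},
 {"metadata": {"name": "sidecar-injector"}, "webhooks": [{"name": "inject.mesh.example",
   "clientConfig": {"service": {"namespace": "mesh-system", "name": "injector-svc"}}}]},
 {"metadata": {"name": "audit-only"}, "webhooks": [{"name": "audit.example",
   "failurePolicy": "Ignore",
   "clientConfig": {"service": {"namespace": "audit", "name": "audit-svc"}}}]}]}"""
# Constructed sample, shaped like the output of: kubectl get endpoints -A -o json
ENDPOINTS_JSON = """{"items": [
 {"metadata": {"namespace": "gatekeeper-system", "name": "policy-svc"},
  "subsets": [{"addresses": [{"ip": "10.0.0.4"}, {"ip": "10.0.0.5"}]}]},
 {"metadata": {"namespace": "mesh-system", "name": "injector-svc"},
  "subsets": [{"addresses": [{"ip": "10.0.0.9"}]}]}]}"""

def ready_backends(endpoints):
    """Map (namespace, service name) to its number of ready endpoint addresses."""
    counts = {}
    for ep in endpoints.get("items", []):
        key = (ep["metadata"]["namespace"], ep["metadata"]["name"])
        counts[key] = sum(len(s.get("addresses") or []) for s in ep.get("subsets") or [])
    return counts

def audit_webhooks(webhooks, endpoints):
    """Return (config, webhook, ready, finding) for fail-closed webhooks lacking redundancy."""
    ready = ready_backends(endpoints)
    findings = []
    for cfg in webhooks.get("items", []):
        for wh in cfg.get("webhooks") or []:
            svc = wh.get("clientConfig", {}).get("service")
            # failurePolicy defaults to Fail in admissionregistration.k8s.io/v1.
            if svc is None or wh.get("failurePolicy", "Fail") != "Fail":
                continue  # URL-based webhook (not checked here) or fails open
            n = ready.get((svc["namespace"], svc["name"]), 0)
            if n < 2:
                findings.append((cfg["metadata"]["name"], wh["name"], n,
                                 "no ready backend" if n == 0 else "single ready backend"))
    return findings

if __name__ == "__main__":
    for row in audit_webhooks(json.loads(WEBHOOKS_JSON), json.loads(ENDPOINTS_JSON)):
        print(*row)
```

A finding of "no ready backend" means matching API requests are rejected until the webhook service recovers; "single ready backend" means one unhealthy node can produce that state.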