kubeadm with admission webhooks

Question

I have the following conf

cat kubeadm-conf.yaml 

apiVersion: kubeadm.k8s.io/v1beta1
kind: InitConfiguration
apiServerExtraArgs:
  enable-admission-plugins: NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
networking:
  podSubnet: 192.168.0.0/16

but, when I do

ps -aux | grep admission
root     20697  7.4  2.8 446916 336660 ?       Ssl  03:49   0:21 kube-apiserver --authorization-mode=Node,RBAC --advertise-address=10.0.2.15 --allow-privileged=true --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction

I only see the NodeRestriction

Please, let me know if anyone can help me make sure that the admission-webhook is indeed running on my cluster.

Answer 1

Thanks for the reply, even that works, posting the kubeadm answer just in case anyone needs it, following is the right kubeadm config:

apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
networking:
  podSubnet: 192.168.0.0/16
apiServer:
  extraArgs:
    enable-admission-plugins: "NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook"

Answer 2

I assume that MutatingAdmissionWebhook and ValidatingAdmissionWebhook have not being properly propagated through api-server as per your provided outputs.

I suggest to proceed with the following steps to achieve your goal:

1. Check and edit /etc/kubernetes/manifests/kube-apiserver.yaml manifest file by adding required admission control plugins to enable-admission-plugins Kubernetes API server flag:

--enable-admission-plugins=NodeRestriction,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook

2. Delete current kube-apiserver Pod and wait until Kubernetes will respawn the new one with reflected changes:

kubectl delete pod <kube-apiserver-Pod> -n kube-system

Hope it will help you, I've successfully checked these steps on my environment.

More information about Kubernetes Admission Controllers you can find in the official documentation.