Reputation: 11
There are some great admission controllers such as DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize that enforce some k8s best practices in your cluster.
In order to enable an admission controller you must have admin access to the k8s api-server, but on GKE you don't have it.
So how can we enable these admission controllers in GKE?
Note: I saw a few related questions raised in the past but with no answers, like question3 and question4.
Upvotes: 0
Views: 960
Reputation: 21
It's not possible to modify the enabled admission controllers, as that would require modifying the --enable-admission-plugins API server configuration option, and that is not possible on GKE, nor are there any alternative ways to set this option at the moment.
Now, looking at each of the individual controllers mentioned:
DefaultStorageClass - this admission controller is enabled in GKE. You can check that the standard pre-created storage class has the storageclass.kubernetes.io/is-default-class: "true" annotation. In order to use a different SC as default, remove this annotation from the standard storage class, and add it to the SC of your choice.
StorageObjectInUseProtection - this admission controller is enabled in GKE; you can observe that the kubernetes.io/pv-protection and kubernetes.io/pvc-protection finalizers are added to PVs, resp. PVCs, in use, preventing their deletion.
PersistentVolumeClaimResize - this admission controller is also enabled in GKE. You can verify this by creating a storage class with allowVolumeExpansion: false annotation 1 (note the standard SC does allow expansion), create a PVC and try to increase its size. You'll receive an error such as:
error: persistentvolumeclaims "my-pvc" could not be patched: persistentvolumeclaims "my-pvc" is forbidden: only dynamically provisioned pvc can be resized and the storageclass that provisions the pvc must support resize
Finally, if you would want to enable a controller that is actually not enabled on GKE, you would need to reimplement and deploy this as a standalone service into your cluster and use K8s' ValidatingWebhookConfiguration or MutatingWebhookConfiguration to connect the K8s API to your service via webhook 2. Apart from implementing this from scratch, there are many projects that can help, OPA Gatekeeper 3 and Metacontroller 4 to list some examples.
Upvotes: 2
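The three observable traces the answer above describes (the is-default-class annotation, the pv-/pvc-protection finalizers, and allowVolumeExpansion on the storage class) can be checked in one pass over the cluster's objects. The script below is an added example, not code from the answer or from GKE; it reads the JSON that `kubectl get sc,pv,pvc -A -o json` produces on stdin and, when run with no input, falls back to a constructed sample embedded in the file.

```python
"""Audit StorageClass / PV / PVC objects for the traces left by the
DefaultStorageClass, StorageObjectInUseProtection and
PersistentVolumeClaimResize admission controllers.

Usage: kubectl get sc,pv,pvc -A -o json | python3 audit_storage_admission.py
"""
import json
import sys

DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"
PV_FINALIZER = "kubernetes.io/pv-protection"
PVC_FINALIZER = "kubernetes.io/pvc-protection"


def audit(items):
    """Summarise what a v1 List of sc/pv/pvc items reveals about each controller."""
    report = {"default_storage_classes": [], "expandable_storage_classes": [],
              "unprotected_pvs": [], "unprotected_pvcs": []}
    for obj in items:
        kind, meta = obj["kind"], obj["metadata"]
        if kind == "StorageClass":
            # DefaultStorageClass acts on the SC carrying this annotation;
            # more than one entry here means the default is ambiguous.
            if meta.get("annotations", {}).get(DEFAULT_ANNOTATION) == "true":
                report["default_storage_classes"].append(meta["name"])
            # PersistentVolumeClaimResize only permits growth of PVCs whose
            # SC sets allowVolumeExpansion: true (field, not annotation).
            if obj.get("allowVolumeExpansion", False):
                report["expandable_storage_classes"].append(meta["name"])
        elif kind == "PersistentVolume":
            # StorageObjectInUseProtection adds this finalizer; its absence
            # suggests the plugin is not active for that object.
            if PV_FINALIZER not in meta.get("finalizers", []):
                report["unprotected_pvs"].append(meta["name"])
        elif kind == "PersistentVolumeClaim":
            if PVC_FINALIZER not in meta.get("finalizers", []):
                report["unprotected_pvcs"].append(f'{meta["namespace"]}/{meta["name"]}')
    return report


# Constructed sample shaped like `kubectl get sc,pv,pvc -A -o json` on GKE.
SAMPLE = {"kind": "List", "items": [
    {"kind": "StorageClass", "metadata": {"name": "standard",
     "annotations": {DEFAULT_ANNOTATION: "true"}}, "allowVolumeExpansion": True},
    {"kind": "StorageClass", "metadata": {"name": "fixed-size"}, "allowVolumeExpansion": False},
    {"kind": "PersistentVolume", "metadata": {"name": "pv-1", "finalizers": [PV_FINALIZER]}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "my-pvc", "namespace": "default",
     "finalizers": [PVC_FINALIZER]}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit(data["items"]), indent=2))
```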