[EKS] [request]: Allow specifying which admission controllers are enabled #739
Comments
It should be possible to enable the ExtendedResourceToleration admission controller, which is according to https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/#example-use-cases the recommended way to restrict GPU nodes to pods that need them.
Yes this is essential to allowing Spark users to schedule GPUs on EKS since Spark 2.4 does not provide a way to modify the Kubernetes operations manually.
@mikestef9 anything we can do to bump this issue?
We will be enabling the ExtendedResourceToleration admission controller with the upcoming 1.19 launch. Are there any other admission controllers you are interested in?
@mikestef9 I would also like to see
I want the AlwaysPullImages controller so our multi-tenant dev clusters are more secure, and so I don't have to add
We are interested in the following two admission controllers which, used together, allow for explicit inherited and enforced placement of workloads at the namespace level. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector Adding the labels to the namespace then restricts all resources in the namespace to the target nodegroup and will cause them to be inherited so teams do not have to worry about this. With the additional use of taints on the nodegroups we get guarantees on workloads not being able to drift from the targeted capacity.
Our use-case is similar to @joshpaul-okta. We'd really like to be able to use the Being able to add tolerations to pods by namespace configuration would make this go from being a real nightmare of a problem, to something I never think about.
@mikestef9
This is desirable for security for a few reasons:
We've been waiting for this for almost 3 years now. I suppose it's not as critical for me in particular now that we have separate clusters per team... And it's definitely more profitable for AWS to push people towards a cluster-per-team paradigm, instead of making it easier to have efficient, secure multi-tenant clusters. Are we ever going to see this feature added?
Another use case is enforcing Pod Security Standards compliance cluster-wide: https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
The admission controllers mentioned in the comments are
I wonder how many of these requests can be resolved by the ValidatingAdmissionPolicy that is alpha in 1.26? In addition, there is a request to support configuring the PodSecurity admission controller that is enabled by default in 1.25. This should be a separate issue? Relates to #512
Here's something interesting in 1.28 when upstream Kubernetes ships it...
Bringing this up since some of those admission controllers stuck in alpha for a VERY long time won't make it into beta. So CEL is the new way to give folks a way to do what they would like to do without touching the API server itself. See kubernetes/kubernetes#117837 on a PR to deprecate and eventually remove PodNodeSelector and PodTolerationRestriction. That PR will land when kubernetes master branch opens up for 1.29 work.
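As an added example (not from this issue, nor AWS/EKS code), here is the CEL route the previous comment points to: one ValidatingAdmissionPolicy covering two asks from this thread, the AlwaysPullImages behaviour requested in the issue body and the namespace-level node placement from the PodNodeSelector comment. The label key `nodegroup` and the policy name are assumed values chosen for the example.

```yaml
# Added example: ValidatingAdmissionPolicy (GA in Kubernetes 1.30 as
# admissionregistration.k8s.io/v1; use v1beta1 on 1.28/1.29).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: tenant-pod-placement        # assumed name
spec:
  failurePolicy: Fail               # deny if an expression errors rather than let the pod through
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  variables:
  # every container, init containers included, collected once for reuse below
  - name: allContainers
    expression: "object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : [])"
  validations:
  # Equivalent of AlwaysPullImages: no container may reuse a node-cached image,
  # so one tenant cannot run an image another tenant pulled with private credentials.
  - expression: "variables.allContainers.all(c, has(c.imagePullPolicy) && c.imagePullPolicy == 'Always')"
    message: "all containers (including initContainers) must set imagePullPolicy: Always"
  # Validation-only counterpart of PodNodeSelector: the pod's nodeSelector must name
  # the node group its namespace is labelled with ('nodegroup' is an assumed label key).
  - expression: >-
      has(object.spec.nodeSelector)
      && 'nodegroup' in object.spec.nodeSelector
      && object.spec.nodeSelector['nodegroup'] == namespaceObject.metadata.labels['nodegroup']
    messageExpression: "'pod must carry nodeSelector nodegroup=' + namespaceObject.metadata.labels['nodegroup']"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: tenant-pod-placement
spec:
  policyName: tenant-pod-placement
  validationActions: [Deny]
  matchResources:
    # bind only to namespaces that carry the label, so the label lookup above never errors
    namespaceSelector:
      matchExpressions:
      - key: nodegroup
        operator: Exists
```

Unlike PodNodeSelector and PodTolerationRestriction, this policy only rejects non-conforming pods; it does not inject the selector or toleration, so the inheritance those plugins provide still needs a mutating mechanism (the built-in plugin or a mutating webhook).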
Tell us about your request
When I create an EKS cluster, I'd like to specify which of the compiled-in admission controllers are enabled.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
According to the documentation, there is an immutable list of admission controllers that are enabled by default for each EKS version. I'd like to use the AlwaysPullImages admission controller without using dynamic admission control.
Are you currently working around this issue?
Since the AlwaysPullImages is the only admission controller for which I'd like to have this, I use immutable image tags.