Enable admission control¶
Kubernetes Admission Control is a security mechanism running as a webhook at runtime. It intercepts and modifies requests to ensure the cluster's security. Admission webhooks involve two main operations: validation and mutation. NebulaGraph Operator supports only validation operations and provides some default admission control rules. This topic describes NebulaGraph Operator's default admission control rules and how to enable admission control.
Prerequisites¶
A NebulaGraph cluster is created with NebulaGrpah Operator. For detailed steps, see Create a NebulaGraph cluster.
Admission control rules¶
Kubernetes admission control allows you to insert custom logic or policies before Kubernetes API Server processes requests. This mechanism can be used to implement various security policies, such as restricting a Pod's resource consumption or limiting its access permissions. NebulaGraph Operator supports validation operations, which means it validates and intercepts requests without making changes.
After admission control is enabled, NebulaGraph Operator implements the following admission validation control rules by default. You cannot disable these rules:
- Forbid adding additional PVs to Storage service via
dataVolumeClaims
.
- Forbid shrinking the capacity of all service's PVCs, but allow expansion.
- Forbid any secondary operation during Storage service scale-in/scale-out.
After admission control is enabled, NebulaGraph Operator allows you to add annotations to implement the following admission validation control rules:
-
Clusters with the
ha-mode
annotation must have the minimum number of replicas as required by high availability mode:- For Graph service: At least 2 replicas are required.
- For Meta service: At least 3 replicas are required.
- For Storage service: At least 3 replicas are required.
Note
High availability mode refers to the high availability of NebulaGraph cluster services. Storage and Meta services are stateful, and the number of replicas should be an odd number due to Raft protocol requirements for data consistency. In high availability mode, at least 3 Storage services and 3 Meta services are required. Graph services are stateless, so their number of replicas can be even but should be at least 2.
- Clusters with the
delete-protection
annotation cannot be deleted. For more information, see Configure deletion protection.
TLS certificates for admission webhooks¶
To ensure secure communication and data integrity between the K8s API server and the admission webhook, this communication is done over HTTPS by default. This means that TLS certificates are required for the admission webhook. cert-manager is a Kubernetes certificate management controller that automates the issuance and renewal of certificates. NebulaGraph Operator uses cert-manager to manage certificates.
Once cert-manager is installed and admission control is enabled, NebulaGraph Operator will automatically create an Issuer for issuing the necessary certificate for the admission webhook, and a Certificate for storing the issued certificate. The issued certificate is stored in the nebula-operator-webhook-secret
Secret.
Steps of enabling admission control¶
-
Install cert-manager.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml
It is suggested to deploy the latest version of cert-manager. For details, see the official cert-manager documentation.
-
Modify the NebulaGraph Operator configuration file to enable admission control. Admission control is disabled by default and needs to be enabled manually.
# Check the current configuration helm show values nebula-operator/nebula-operator
# Modify the configuration by setting `enableAdmissionWebhook` to `true`. helm upgrade nebula-operator nebula-operator/nebula-operator --set enableAdmissionWebhook=true
Note
nebula-operator
is the name of the chart repository, andnebula-operator/nebula-operator
is the chart name. If the chart's namespace is not specified, it defaults todefault
. -
View the certificate Secret for the admission webhook.
kubectl get secret nebula-operator-webhook-secret -o yaml
If the output includes certificate contents, it means that the admission webhook's certificate has been successfully created.
-
Verify the control rules.
-
Verify preventing additional PVs from being added to Storage service.
$ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"dataVolumeClaims":[{"resources": {"requests": {"storage": "2Gi"}}, "storageClassName": "local-path"},{"resources": {"requests": {"storage": "3Gi"}}, "storageClassName": "fask-disks"}]}}}' Error from server: admission webhook "nebulaclustervalidating.nebula-graph.io" deniedthe request: spec.storaged.dataVolumeClaims: Forbidden: storaged dataVolumeClaims is immutable
-
Verify disallowing shrinking Storage service's PVC capacity.
$ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"dataVolumeClaims":[{"resources": {"requests": {"storage": "1Gi"}}, "storageClassName": "fast-disks"}]}}}' Error from server: admission webhook "nebulaclustervalidating.nebula-graph.io" denied the request: spec.storaged.dataVolumeClaims: Invalid value: resource.Quantity{i:resource.int64Amount{value:1073741824, scale:0}, d:resource.infDecAmount{Dec:(*inf.Dec)(nil)}, s:"1Gi", Format:"BinarySI"}: data volume size can only be increased
-
Verify disallowing any secondary operation during Storage service scale-in.
$ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"replicas": 5}}}' nebulacluster.apps.nebula-graph.io/nebula patched $ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"replicas": 3}}}' Error from server: admission webhook "nebulaclustervalidating.nebula-graph.io" denied the request: [spec.storaged: Forbidden: field is immutable while in ScaleOut phase, spec.storaged.replicas: Invalid value: 3: field is immutable while not in Running phase]
-
Verify the minimum number of replicas in high availability mode.
# Annotate the cluster to enable high availability mode. $ kubectl annotate nc nebula nebula-graph.io/ha-mode=true # Verify the minimum number of the Graph service's replicas. $ kubectl patch nc nebula --type='merge' --patch '{"spec": {"graphd": {"replicas":1}}}' Error from server: admission webhook "nebulaclustervalidating.nebula-graph.io" denied the request: spec.graphd.replicas: Invalid value: 1: should be at least 2 in HA mode
- Verify deletion protection. For more information, see Configure deletion protection.
-