Skip to content

Enable admission control

Kubernetes Admission Control is a security mechanism running as a webhook at runtime. It intercepts and modifies requests to ensure the cluster's security. Admission webhooks involve two main operations: validation and mutation. NebulaGraph Operator supports only validation operations and provides some default admission control rules. This topic describes NebulaGraph Operator's default admission control rules and how to enable admission control.


A NebulaGraph cluster is created with NebulaGrpah Operator. For detailed steps, see Create a NebulaGraph cluster.

Admission control rules

Kubernetes admission control allows you to insert custom logic or policies before Kubernetes API Server processes requests. This mechanism can be used to implement various security policies, such as restricting a Pod's resource consumption or limiting its access permissions. NebulaGraph Operator supports validation operations, which means it validates and intercepts requests without making changes. NebulaGraph Operator's default admission validation control rules include:

  • Ensuring the minimum number of replicas in high availability mode:

    • For Graph service: At least 2 replicas are required.
    • For Meta service: At least 3 replicas are required.
    • For Storage service: At least 3 replicas are required.


    High availability mode refers to the high availability of NebulaGraph cluster services. Storage and Meta services are stateful, and the number of replicas should be an odd number due to Raft protocol requirements for data consistency. In high availability mode, at least 3 Storage services and 3 Meta services are required. Graph services are stateless, so their number of replicas can be even but should be at least 2.

  • Preventing additional PVs from being added to Storage service via dataVolumeClaims.
  • Disallowing shrinking the capacity of all service's PVCs, but allowing expansion.
  • Forbidding any secondary operation during Storage service scale-in/scale-out.

TLS certificates for admission webhooks

To ensure secure communication and data integrity between the K8s API server and the admission webhook, this communication is done over HTTPS by default. This means that TLS certificates are required for the admission webhook. cert-manager is a Kubernetes certificate management controller that automates the issuance and renewal of certificates. NebulaGraph Operator uses cert-manager to manage certificates.

Once cert-manager is installed and admission control is enabled, NebulaGraph Operator will automatically create an Issuer for issuing the necessary certificate for the admission webhook, and a Certificate for storing the issued certificate. The issued certificate is stored in the nebula-operator-webhook-secret Secret.

Steps of enabling admission control

  1. Install cert-manager.

    kubectl apply -f

    It is suggested to deploy the latest version of cert-manager. For details, see the official cert-manager documentation.

  2. Modify the NebulaGraph Operator configuration file to enable admission control. Admission control is disabled by default and needs to be enabled manually.

    # Check the current configuration
    helm show values nebula-operator/nebula-operator
    # Modify the configuration by setting `enableAdmissionWebhook` to `true`.
    helm upgrade nebula-operator nebula-operator/nebula-operator --set enableAdmissionWebhook=true


    nebula-operator is the name of the chart repository, and nebula-operator/nebula-operator is the chart name. If the chart's namespace is not specified, it defaults to default.

  3. View the certificate Secret for the admission webhook.

    kubectl get secret nebula-operator-webhook-secret -o yaml

    If the output includes certificate contents, it means that the admission webhook's certificate has been successfully created.

  4. Verify the control rules.

    • Verify the minimum number of replicas in high availability mode.

      # Annotate the cluster to enable high availability mode.
      $ kubectl annotate nc nebula
      # Verify the minimum number of the Graph service's replicas.
      $ kubectl patch nc nebula --type='merge' --patch '{"spec": {"graphd": {"replicas":1}}}'
      Error from server: admission webhook "" denied the request: spec.graphd.replicas: Invalid value: 1: should be at least 2 in HA mode
    • Verify preventing additional PVs from being added to Storage service.

      $ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"dataVolumeClaims":[{"resources": {"requests": {"storage": "2Gi"}}, "storageClassName": "local-path"},{"resources": {"requests": {"storage": "3Gi"}}, "storageClassName": "fask-disks"}]}}}'
      Error from server: admission webhook "" deniedthe request: spec.storaged.dataVolumeClaims: Forbidden: storaged dataVolumeClaims is immutable
    • Verify disallowing shrinking Storage service's PVC capacity.

      $ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"dataVolumeClaims":[{"resources": {"requests": {"storage": "1Gi"}}, "storageClassName": "fast-disks"}]}}}'
      Error from server: admission webhook "" denied the request: spec.storaged.dataVolumeClaims: Invalid value: resource.Quantity{i:resource.int64Amount{value:1073741824, scale:0}, d:resource.infDecAmount{Dec:(*inf.Dec)(nil)}, s:"1Gi", Format:"BinarySI"}: data volume size can only be increased
    • Verify disallowing any secondary operation during Storage service scale-in.

      $ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"replicas": 5}}}' patched
      $ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"replicas": 3}}}'
      Error from server: admission webhook "" denied the request: [spec.storaged: Forbidden: field is immutable while in ScaleOut phase, spec.storaged.replicas: Invalid value: 3: field is immutable while not in Running phase]

Last update: November 15, 2023