Working with Kubernetes Admission Controllers

45 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Kubernetes admission controllers act as gatekeepers by accepting or rejecting requests, and can even alter (or mutate) requests to comply with the configuration set in the controller. In this hands-on lab, you will be challenged to enable an admission controller, create a new admission controller resource, edit existing resources, and deploy pods to the cluster while observing the impact the admission controllers have on the pods.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Enable and Disable Admission Controllers
  • Use a text editor to modify the kube-apiserver.yaml file.
    • Enable the ResourceQuota admission controller.
    • Disable the MutatingAdmissionWebhook admission controller.
  • Validate that the kube-apiserver pod redeploys successfully by issuing a simple kubectl command (the pod can take several seconds to redeploy).
Create and Edit Admission Controller Resources
  • Use the kubectl command to edit the LimitRange object in the dev namespace.
    • Update the default CPU limit to be 500m and the memory limit to be 512Mi.
    • Update the default CPU request to be 250m and the memory request to be 128Mi.
  • Create and deploy a ResourceQuota object to the test namespace using the following steps:

    • Create a manifest file called test-quota.yaml with the following specifications:

    Note: Copying and pasting directly from the objective adds extra spaces. To remove them, either paste into a text editor on your computer before copying to the file on the host, or remove the spaces manually once you have copied the file.

    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: test-quota
      namespace: test
    spec:
      hard:
        requests.memory: 128Mi
        requests.cpu: 250m
        limits.memory: 512Mi
        limits.cpu: "1"
    • Use kubectl to deploy the manifest file.
Deploy Pods to the Cluster
  • View the contents of the nginx-pod.yaml file in the /home/cloud_user directory (take note of any memory requests or limits, if they appear).
    • Use the kubectl command to deploy the manifest.
    • Use the kubectl command to print information about the pod in YAML format (pay attention to the requests and limits for memory and CPU).
  • Edit the nginx-pod.yaml file and change the namespace to test and attempt to deploy the pod (take note of any output you receive).
  • Edit the nginx-pod.yaml file and redeploy it to the test namespace.
    • Under the containers section, add a section for resources.
    • Under resources, add a section for limits and set memory to 256Mi and cpu to 500m.
    • Under resources, add a section for requests and set memory to 64Mi and cpu to 125m.
    • Use the kubectl command to deploy the nginx-pod.yaml (take note of any output).
    • Use the kubectl command to print information about the pod in YAML format (view the requests and limits).

Additional Resources


You are a DevOps engineer and have been tasked with configuring some admission controllers to help govern some of the namespaces in your Kubernetes cluster. To accomplish this, you will need to enable the ResourceQuota controller to help control resource usage and disable MutatingAdmissionWebhook due to some security concerns. Then, you need to edit the LimitRange resource in the dev namespace and create a ResourceQuota resource for the test namespace. Finally, you will need to deploy a pod to both the dev and test namespaces to validate that the admission controllers are functioning as expected.
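
A check for the first objective, as an added example that is not part of the lab's own material: it reads the admission-plugin flags from a kube-apiserver manifest and reports whether ResourceQuota is explicitly enabled and MutatingAdmissionWebhook explicitly disabled. The function names and the embedded sample manifest are constructed for illustration; the path /etc/kubernetes/manifests/kube-apiserver.yaml mentioned below is the kubeadm default and an assumption, since the lab does not give the path.

```sh
#!/bin/sh
# Added example (not lab material): audit admission-plugin flags in a
# kube-apiserver static pod manifest.

# Print the value of one kube-apiserver flag ($2, without dashes) from
# manifest file $1, e.g. "NodeRestriction,ResourceQuota".
flag_value() {
  tr -d "\"'" < "$1" |
    sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\([^[:space:]]*\).*/\1/p" |
    head -n 1
}

# Print the explicit state of plugin $2 in manifest $1:
# enabled, disabled, conflict (in both lists) or default (in neither,
# so the API server's built-in default applies).
plugin_state() (
  on=",$(flag_value "$1" enable-admission-plugins),"
  off=",$(flag_value "$1" disable-admission-plugins),"
  case "$on" in *",$2,"*) on=yes ;; *) on=no ;; esac
  case "$off" in *",$2,"*) off=yes ;; *) off=no ;; esac
  case "$on$off" in
    yesyes) echo conflict ;;
    yesno) echo enabled ;;
    noyes) echo disabled ;;
    *) echo default ;;
  esac
)

# Succeed only if the manifest matches the lab's first objective.
audit_lab_objective() {
  [ "$(plugin_state "$1" ResourceQuota)" = enabled ] &&
    [ "$(plugin_state "$1" MutatingAdmissionWebhook)" = disabled ]
}

# Constructed sample: command section of an edited kube-apiserver.yaml.
sample_manifest() {
  printf '%s\n' 'spec:' '  containers:' '  - command:' \
    '    - kube-apiserver' \
    '    - --enable-admission-plugins=NodeRestriction,ResourceQuota' \
    '    - --disable-admission-plugins=MutatingAdmissionWebhook'
}

demo=$(mktemp) && sample_manifest > "$demo"
for p in ResourceQuota MutatingAdmissionWebhook LimitRanger; do
  echo "$p: $(plugin_state "$demo" "$p")"
done
audit_lab_objective "$demo" && echo "objective met"
rm -f "$demo"
```

On a kubeadm-built control plane node, `audit_lab_objective /etc/kubernetes/manifests/kube-apiserver.yaml` runs the same check against the real file once the kube-apiserver pod has redeployed.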

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
