K8s Admission control proxy.
"Gesher" means bridge in Hebrew.
Kubernetes has Admission Webhooks.
These enable administrators of a Kubernetes cluster to include their own set of admission control over Kubernetes objects.
The problem is that admission control as it works today, really just works at the cluster level. Every webhook admission service will get admission requests for every object in every namespace by default. In the world of namespaced operators this becomes a problem for 2 reasons.
as each operator might want to do admission control itself. In fact, the operator-sdk encourages building the admission control webhook HTTPs servers as part of the operator binary. This would result in many webhook servers getting sent many requests for objects not in their own namespace. While, one can create webhook that select based on a namspace's labels, these can be fragile as they are dependent on the labels always being setup correctly
to create a webhook, one needs cluster level privileges, which would mean that a user in a namespace can use a validating webhook to intercept all any object in any namespace. users within a namespace should be able to setup admission control juet for their namespace without any ability to impact other namespaces.
Gesher is a cluster level admission proxy, that is the single point for the kubernetes api-server to issue admission requests. In turn, Gesher proxies the request to the correct admission control https server in the correct namespace.
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。