Chapter 5. Using admission controller enforcement


Red Hat Advanced Cluster Security for Kubernetes works with Kubernetes admission controllers and OpenShift Container Platform admission plugins to allow you to enforce security policies before Kubernetes or OpenShift Container Platform creates workloads, for example, deployments, daemon sets or jobs.

The RHACS admission controller prevents users from creating workloads that violate policies you configure in RHACS. Beginning from the RHACS version 3.0.41, you can also configure the admission controller to prevent updates to workloads that violate policies.

RHACS uses the ValidatingAdmissionWebhook controller to verify that the resource being provisioned complies with the specified security policies. To handle this, RHACS creates a ValidatingWebhookConfiguration which contains multiple webhook rules.

When the Kubernetes or OpenShift Container Platform API server receives a request that matches one of the webhook rules, the API server sends an AdmissionReview request to RHACS. RHACS then accepts or rejects the request based on the configured security policies.

Note

To use admission controller enforcement on OpenShift Container Platform, you need the Red Hat Advanced Cluster Security for Kubernetes version 3.0.49 or newer.

If you intend to use admission controller enforcement, consider the following:

  • API latency: Using admission controller enforcement increases Kubernetes or OpenShift Container Platform API latency because it involves additional API validation requests. Many standard Kubernetes libraries, such as fabric8, have short Kubernetes or OpenShift Container Platform API timeouts by default.

    Consider API timeouts in any custom automation you might be using. If a request does time out due to latency issues, you can configure whether the admission controller fails open, allowing the request to reach the API server, or fails closed, blocking the requested operation. This setting is configured during installation, and you can verify it by selecting Platform Configuration → Clusters and checking the Admission controller failure policy.

  • If you are using RHACS in a continuous development (CD) tool, set the admission controller failure policy to fail closed, so that your CD tool handles the enforcement.
  • You can use admission controller enforcement for the following items:

    • Options in the pod securityContext
    • Deployment configurations
    • Image components and vulnerabilities
    • User-initiated container commands such as pod exec and port forward
  • If you have deploy stage enforcement enabled for a policy and you enable the admission controller, RHACS attempts to block deployments that violate the policy. If a noncompliant deployment is not rejected by the admission controller, for example, in case of a timeout, RHACS still applies other deploy stage enforcement mechanisms, such as scaling to zero replicas.

5.2. Enabling admission controller enforcement

You can enable admission controller enforcement from the Clusters view when you install Sensor or edit an existing cluster configuration.

  1. When installing a cluster by using the Operator, Helm, or roxctl CLI methods, follow the instructions in "Installing Secured Cluster services for RHACS on Red Hat OpenShift" and "Installing Secured Cluster services for RHACS on other platforms" to enable admission controller enforcement during installation.
  2. When installing a cluster by using the legacy installation method, follow these steps:

    1. In the RHACS portal, select Platform Configuration → Clusters.
    2. Click Secure a cluster → Legacy installation method.
    3. In the Dynamic configuration (syncs with Sensor) section, in the Admission controller enforcement behavior field, select Enforce policies.
    4. Select Next.
    5. Select Finish. RHACS automatically synchronizes the admission controller and applies the changes.

Verification

  • The ValidatingWebhookConfiguration Kubernetes resource contains information about enforcement configuration behavior. The configuration settings are available in the admission controller logs.
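The verification step above says the ValidatingWebhookConfiguration records the enforcement behavior. The following added example (not RHACS code) reads that object, as returned by `oc get validatingwebhookconfiguration stackrox -o json` (or `kubectl`), and reports the fields a reviewer cares about: whether each webhook fails open (`failurePolicy: Ignore`) or closed (`Fail`), its timeout, and whether it is registered for UPDATE operations and for pod exec and port-forward CONNECT requests. The embedded sample object is constructed for the example, and its webhook names are assumptions, not the names RHACS actually uses.

```python
"""Summarize the enforcement-relevant fields of a ValidatingWebhookConfiguration.

Added example, not RHACS code. The sample below is constructed and shaped like
the Kubernetes API object; the webhook names are hypothetical.
"""
import json

# Constructed sample, modeled on the API object's shape (names are hypothetical).
SAMPLE_JSON = json.dumps({
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "stackrox"},
    "webhooks": [
        {
            "name": "example-policyeval.example.invalid",
            "failurePolicy": "Ignore",        # fail open
            "timeoutSeconds": 12,
            "rules": [{
                "apiGroups": ["apps"], "apiVersions": ["v1"],
                "operations": ["CREATE", "UPDATE"],
                "resources": ["deployments", "daemonsets", "statefulsets"],
            }],
        },
        {
            "name": "example-k8sevents.example.invalid",
            "failurePolicy": "Ignore",
            "timeoutSeconds": 10,
            "rules": [{
                "apiGroups": [""], "apiVersions": ["v1"],
                "operations": ["CONNECT"],   # exec/port-forward are CONNECT on subresources
                "resources": ["pods/exec", "pods/portforward"],
            }],
        },
    ],
})


def summarize(config):
    """Return one summary dict per webhook in the configuration object."""
    rows = []
    for wh in config.get("webhooks", []):
        # Kubernetes defaults: failurePolicy=Fail, timeoutSeconds=10.
        policy = wh.get("failurePolicy", "Fail")
        pairs = set()
        for rule in wh.get("rules", []):
            for op in rule.get("operations", []):
                for res in rule.get("resources", []):
                    pairs.add((op, res))
        rows.append({
            "name": wh["name"],
            "fails": "open" if policy == "Ignore" else "closed",
            "timeoutSeconds": wh.get("timeoutSeconds", 10),
            "covers_updates": any(op == "UPDATE" for op, _ in pairs),
            "covers_exec": ("CONNECT", "pods/exec") in pairs,
            "covers_port_forward": ("CONNECT", "pods/portforward") in pairs,
            "rules": sorted(pairs),
        })
    return rows


def summarize_json(text):
    """Parse the JSON output of `oc get validatingwebhookconfiguration ... -o json`."""
    return summarize(json.loads(text))


if __name__ == "__main__":
    for row in summarize_json(SAMPLE_JSON):
        print(json.dumps(row))
```

A webhook that reports `fails: open` lets requests through when the admission control service does not answer within `timeoutSeconds`, which is the trade-off the API latency note above describes; `covers_updates` tells you whether update enforcement was enabled at installation.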

5.3. Bypassing admission controller enforcement

To configure a deployment to bypass the admission controller, you must set the admission.stackrox.io/break-glass annotation on the deployment. Bypassing the admission controller triggers a violation of the "StackRox Emergency Deployment Annotation" policy, which includes deployment details.

To help others understand why you bypassed the admission controller, use an issue-tracker link or some other reference as the value of this annotation.

Prerequisites

  • You have enabled the ability to bypass the admission controller on the secured cluster by using one of the following options:

    • Operator: You set the admissionControl.bypass parameter to BreakGlassAnnotation.
    • Helm: You set the admissionControl.dynamic.disableBypass parameter to false.
    • RHACS portal: You set the option in Platform Configuration → Clusters → Admission controller bypass annotation to Enabled.

Procedure

  1. Create a deployment YAML that includes the admission.stackrox.io/break-glass annotation, as shown in the following example:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      annotations:
        "admission.stackrox.io/break-glass": "jira-3423"
      creationTimestamp: "2025-03-07T03:18:21Z"
      generation: 1
      labels:
        app: hello-node
      name: hello-node
      namespace: test-bypass-adm
    ...

    where:

    metadata.annotations.admission.stackrox.io/break-glass
    Specifies a change control reference or relevant explanation for why the admission controller was bypassed.
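The following added example (not RHACS code) simulates the AdmissionReview exchange described at the start of this chapter together with the break-glass behavior described in this section: the API server sends an AdmissionReview request, the webhook evaluates a deploy-time policy, and answers with an AdmissionReview response that allows or rejects the object. A Deployment carrying the `admission.stackrox.io/break-glass` annotation is admitted but recorded as a violation of the "StackRox Emergency Deployment Annotation" policy, as the text states. The toy policy ("no privileged containers") and its name are assumptions made for the example, as are the sample manifests.

```python
"""Simulated AdmissionReview exchange with a break-glass bypass.

Added example, not RHACS code. The privileged-container policy and its name
are assumptions; the annotation key and the emergency policy name are the ones
this chapter documents.
"""
import json

BREAK_GLASS = "admission.stackrox.io/break-glass"
EMERGENCY_POLICY = "StackRox Emergency Deployment Annotation"
TOY_POLICY = "Privileged Container"   # hypothetical deploy-time policy name


def privileged_containers(pod_spec):
    """Toy policy check (assumption): names of containers that run privileged."""
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [c["name"] for c in containers
            if c.get("securityContext", {}).get("privileged", False)]


def evaluate(review):
    """Evaluate an AdmissionReview request; return (response, violated policies)."""
    req = review["request"]
    obj = req["object"]
    annotations = obj.get("metadata", {}).get("annotations") or {}
    pod_spec = obj.get("spec", {}).get("template", {}).get("spec", {})

    violations = []
    if privileged_containers(pod_spec):
        violations.append(TOY_POLICY)

    # Break-glass: admit the workload anyway, but the bypass itself is a violation.
    bypass = BREAK_GLASS in annotations
    allowed = not violations or bypass
    if bypass:
        violations.append(EMERGENCY_POLICY)

    response = {
        "apiVersion": review["apiVersion"],
        "kind": "AdmissionReview",
        "response": {"uid": req["uid"], "allowed": allowed},
    }
    if not allowed:
        response["response"]["status"] = {
            "code": 403,
            "message": "policy violation: " + ", ".join(violations),
        }
    return response, violations


def make_review(name, privileged, annotations=None, operation="CREATE"):
    """Build a constructed AdmissionReview request for a Deployment."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "uid-" + name,
            "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
            "operation": operation,
            "object": {
                "apiVersion": "apps/v1",
                "kind": "Deployment",
                "metadata": {"name": name, "namespace": "demo",
                             "annotations": annotations or {}},
                "spec": {"template": {"spec": {"containers": [{
                    "name": "app",
                    "image": "example.invalid/app:1",
                    "securityContext": {"privileged": privileged},
                }]}}},
            },
        },
    }


if __name__ == "__main__":
    for review in (
        make_review("compliant", False),
        make_review("rejected", True),
        make_review("emergency", True, {BREAK_GLASS: "jira-3423"}),
    ):
        resp, violated = evaluate(review)
        print(json.dumps(resp["response"]), "violations:", violated)
```

The annotation value ("jira-3423" above) is only carried along; the webhook does not validate it, which is why the text asks you to use a change-control reference so the recorded violation can be traced back to a decision.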

5.4. Disabling admission controller enforcement

You can disable admission controller enforcement on a cluster when installing RHACS. For clusters that you did not install by using the Operator or Helm, you can disable admission controller enforcement from the Clusters view on the Red Hat Advanced Cluster Security for Kubernetes (RHACS) portal.

Procedure

  1. For a cluster that was installed by using the Operator, in the SecuredCluster custom resource (CR), edit the spec.admissionControl.enforcement parameter to Disabled.
  2. For a cluster that was installed by using Helm, in the values-public.yaml file, set the admissionControl.enforce value to false and run the following command:

    helm upgrade -n stackrox \
      stackrox-secured-cluster-services rhacs/secured-cluster-services \
      --reuse-values \
      -f /config/yaml/values-public.yaml \
      -f /config/yaml/values-private.yaml
  3. For clusters that are not managed by the Operator or Helm, you can use the RHACS portal to change this setting:

    1. In the RHACS portal, select Platform Configuration → Clusters.
    2. Select an existing cluster from the list.
    3. In the Dynamic configuration section, in the Admission controller enforcement behavior field, select one of the following options:

      • Enforce policies: The admission controller enforces policies that are configured for enforcement by rejecting the workload admission or update attempt.
      • No enforcement: Even if enforcement is configured for a policy, if this option is selected, the admission controller does not enforce the policy and allows workload admission attempts or updates that violate the policy.
    4. Select Next.
    5. Select Finish.

5.4.1. Disabling associated policies

You can turn off the enforcement on relevant policies, which in turn instructs the admission controller to skip enforcements.

Procedure

  1. In the RHACS portal, go to Platform Configuration → Policy Management.
  2. Disable enforcement on the default policies:

    • In the policies view, locate the Kubernetes Actions: Exec into Pod policy. Click the overflow menu (kebab icon), and then select Disable policy.
    • In the policies view, locate the Kubernetes Actions: Port Forward to Pod policy. Click the overflow menu (kebab icon), and then select Disable policy.
  3. Disable enforcement on any other custom policies that you have created by using criteria from the default Kubernetes Actions: Port Forward to Pod and Kubernetes Actions: Exec into Pod policies.

5.4.2. Disabling the webhook

You can disable admission controller enforcement from the Clusters view in the RHACS portal.

Important

If you disable the admission controller by turning off the webhook, you must redeploy the Sensor bundle.

Procedure

  1. In the RHACS portal, go to Platform Configuration → Clusters.
  2. Select an existing cluster from the list.
  3. Turn off the Enable Admission Controller Webhook to listen on exec and port-forward events toggle in the Static Configuration section.
  4. Select Next to continue with Sensor setup.
  5. Click Download YAML file and keys.
  6. From a system that has access to the monitored cluster, extract and run the sensor script:

    $ unzip -d sensor sensor-<cluster_name>.zip
    $ ./sensor/sensor.sh

    Note

    If you get a warning that you do not have the required permissions to deploy the sensor, follow the on-screen instructions, or contact your cluster administrator for help.

    After the sensor is deployed, it contacts Central and provides cluster information.

  7. Return to the RHACS portal and check if the deployment is successful. If it is successful, a green checkmark appears under section #2. If you do not see a green checkmark, use the following command to check for problems:

    • On OpenShift Container Platform:

      $ oc get pod -n stackrox -w
    • On Kubernetes:

      $ kubectl get pod -n stackrox -w
  8. Select Finish.

Note

When you disable the admission controller, RHACS does not delete the ValidatingWebhookConfiguration object. However, instead of checking requests for violations, it accepts all AdmissionReview requests.

To remove the ValidatingWebhookConfiguration object, run the following command in the secured cluster:

  • On OpenShift Container Platform:

    $ oc delete ValidatingWebhookConfiguration/stackrox
  • On Kubernetes:

    $ kubectl delete ValidatingWebhookConfiguration/stackrox

With Red Hat Advanced Cluster Security for Kubernetes you can enforce security policies on:

  • Object creation
  • Object update
  • Pod execution
  • Pod port forward

5.5.1. If Central or Sensor is unavailable

The admission controller requires an initial configuration from Sensor to work. Kubernetes or OpenShift Container Platform saves this configuration, and it remains accessible even if all admission control service replicas are rescheduled onto other nodes. If this initial configuration exists, the admission controller enforces all configured deploy-time policies.

If Sensor or Central becomes unavailable later:

  • you will not be able to run image scans, or query information about cached image scans. However, admission controller enforcement still functions based on the available information gathered before the timeout expires, even if the gathered information is incomplete.
  • you will not be able to disable the admission controller from the RHACS portal or modify enforcement for an existing policy as the changes will not get propagated to the admission control service.

Note

If you need to disable admission control enforcement, you can delete the validating webhook configuration by running the following command:

  • On OpenShift Container Platform:

    $ oc delete ValidatingWebhookConfiguration/stackrox
  • On Kubernetes:

    $ kubectl delete ValidatingWebhookConfiguration/stackrox

5.5.2. Make the admission controller more reliable

Red Hat recommends that you schedule the admission control service on the control plane and not on worker nodes. The deployment YAML file includes a soft preference for running on the control plane, however it is not enforced.

By default, the admission control service runs 3 replicas. To increase reliability, you can increase the replicas by running the following command:

$ oc -n stackrox scale deploy/admission-control --replicas=<number_of_replicas>

If you use Kubernetes, enter kubectl instead of oc.

5.5.3. Using with the roxctl CLI

You can use the following options when you generate a Sensor deployment YAML file:

  • --admission-controller-listen-on-updates: If you use this option, Red Hat Advanced Cluster Security for Kubernetes generates a Sensor bundle with a ValidatingWebhookConfiguration pre-configured to receive update events from the Kubernetes or OpenShift Container Platform API server.
  • --admission-controller-enforce-on-updates: If you use this option, Red Hat Advanced Cluster Security for Kubernetes configures Central such that the admission controller also enforces security policies on object updates.

Both these options are optional, and are false by default.

© 2026 Red Hat