This is unreleased documentation for Admission Controller 1.30-next.

Emergency disable

In an emergency, operations teams might need to perform actions that SUSE Security Admission Controller would block.

This document explains how to disable Admission Controller so operations teams can address cluster failures. After resolving the situation, operations teams can restart Admission Controller.

Disable Admission Controller

First, stop the Admission Controller controller. You do this by scaling its Deployment to zero:

kubectl scale deployment kubewarden-controller \
  --replicas=0 \
  -n kubewarden

Ensure you use the name of the Namespace where the Admission Controller stack is deployed. Here, the stack is deployed in the kubewarden Namespace.

Next, delete all the ValidatingWebhookConfigurations and MutatingWebhookConfigurations created by Admission Controller:

# Delete all the ValidatingWebhookConfigurations created by Admission Controller
kubectl delete validatingwebhookconfigurations \
  -l app.kubernetes.io/part-of=kubewarden

# Delete all the MutatingWebhookConfigurations created by Admission Controller
kubectl delete mutatingwebhookconfigurations \
  -l app.kubernetes.io/part-of=kubewarden

Restore Admission Controller

When the emergency is over, restore the Admission Controller stack by bringing back the Admission Controller controller:

kubectl scale deployment kubewarden-controller \
  --replicas=1 \
  -n kubewarden

  • Ensure you use the name of the Namespace where the Admission Controller stack is deployed. Here, the stack is deployed in the kubewarden Namespace.

  • Ensure you scale the controller back to its original value. This example assumes there’s only one replica of the controller running.

Once the controller is running, it reconciles the deployed policies. The ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources, previously deleted, are recreated, thus enforcing the policies.
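
The disable and restore steps above, wrapped so that the original replica count is recorded before scaling down and the return of the webhooks is checked after scaling up. This is an added example, not part of the Admission Controller documentation; the function names, the KW_* variables and the local state file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Admission Controller documentation.
# Usage: source this file, then call kw_disable or kw_restore.
NS="${KW_NAMESPACE:-kubewarden}"     # Namespace where the stack is deployed
DEPLOY="kubewarden-controller"
LABEL="app.kubernetes.io/part-of=kubewarden"
STATE="${KW_STATE_FILE:-./kubewarden-emergency.state}"  # hypothetical local record

# Number of webhook configurations (both kinds) carrying the label.
kw_webhook_count() {
  kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations \
    -l "$LABEL" -o name | wc -l | tr -d ' '
}

kw_disable() {
  replicas=$(kubectl get deployment "$DEPLOY" -n "$NS" \
    -o jsonpath='{.spec.replicas}') || return 1
  # Record only while the controller is still up, so that running the
  # procedure twice does not overwrite the saved values with zeros.
  if [ "$replicas" -gt 0 ]; then
    printf 'replicas=%s\nwebhooks=%s\n' "$replicas" "$(kw_webhook_count)" > "$STATE"
  fi
  kubectl scale deployment "$DEPLOY" --replicas=0 -n "$NS" &&
    kubectl delete validatingwebhookconfigurations -l "$LABEL" &&
    kubectl delete mutatingwebhookconfigurations -l "$LABEL"
}

kw_restore() {
  [ -r "$STATE" ] || { echo "no $STATE: scale the controller by hand" >&2; return 1; }
  replicas=$(sed -n 's/^replicas=//p' "$STATE")
  expected=$(sed -n 's/^webhooks=//p' "$STATE")
  kubectl scale deployment "$DEPLOY" --replicas="$replicas" -n "$NS" || return 1
  kubectl rollout status deployment "$DEPLOY" -n "$NS" --timeout=120s || return 1
  # Reconciliation is asynchronous: poll until the webhooks are back.
  # Policies removed during the emergency also lower the count; review by hand.
  tries=0
  while [ "$(kw_webhook_count)" -lt "$expected" ]; do
    tries=$((tries + 1))
    if [ "$tries" -ge "${KW_MAX_TRIES:-30}" ]; then
      echo "webhooks not recreated: policies are NOT being enforced" >&2
      return 2
    fi
    sleep "${KW_POLL_SECONDS:-5}"
  done
  rm -f "$STATE"
}
```

A return code of 2 from kw_restore means the controller is running but fewer webhook configurations exist than before the emergency, so the cluster should be treated as unprotected until that is explained.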