
VPA Admission Controller webhook

The VPA Admission Controller webhook is a specific component of the Vertical Pod Autoscaler (VPA) architecture responsible for applying resource configuration changes to Pod objects^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].

Functionality

The primary function of the Admission Controller is to intercept and modify Pod creation requests to ensure they align with the resource recommendations calculated by the VPA system^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].

It operates as a Webhook, which is triggered specifically during the recreation of a Pod following an eviction event^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].

Workflow Integration

The Admission Controller is the final step in the VPA update loop, interacting with the Updater and Recommender components^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].

  1. Recommendation: The Recommender calculates optimal resource values (requests/limits) based on historical metrics^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].
  2. Eviction: If updateMode: Auto is set, the Updater evicts the existing Pod that requires resource adjustment^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].
  3. Webhook Execution: As the Deployment controller attempts to recreate the Pod, the Admission Controller Webhook intercepts the request^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md]. It patches the Pod specification with the new requests and limits before the object is persisted to the cluster^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].
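The webhook step above, sketched as an added example (it is not code from the VPA project or from the original page): a mutating webhook receives an AdmissionReview for the Pod CREATE request and answers with a base64-encoded JSONPatch that rewrites only the containers' resources. The function names, the shape of the recommendation dictionary, and the sample request are assumptions constructed for illustration.

```python
import base64
import json

def build_patch(pod, recs):
    """JSONPatch ops that set requests/limits on containers named in recs."""
    ops = []
    for i, c in enumerate(pod.get("spec", {}).get("containers", [])):
        rec = recs.get(c.get("name"))
        if not rec:
            continue  # no recommendation: leave this container untouched
        base = f"/spec/containers/{i}/resources"
        current = c.get("resources")
        if not isinstance(current, dict):
            # Parent object is missing, so add it whole; child paths would fail.
            ops.append({"op": "add", "path": base, "value": rec})
            continue
        for section in ("requests", "limits"):
            if section in rec:
                # Merge so resources without a recommendation are preserved.
                merged = {**(current.get(section) or {}), **rec[section]}
                ops.append({"op": "add", "path": f"{base}/{section}", "value": merged})
    return ops

def review(admission_review, recs):
    """Build the AdmissionReview response for one request."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}  # mutate only, never reject
    if req.get("operation") == "CREATE" and req.get("kind", {}).get("kind") == "Pod":
        ops = build_patch(req["object"], recs)
        if ops:
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

# Constructed sample data (hypothetical values, not captured from a cluster).
SAMPLE_RECS = {
    "app": {"requests": {"cpu": "250m", "memory": "256Mi"}, "limits": {"cpu": "500m"}},
    "sidecar": {"requests": {"cpu": "50m"}},
}
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "00000000-0000-0000-0000-000000000001", "operation": "CREATE",
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "object": {"spec": {"containers": [
        {"name": "app", "resources": {"requests": {"cpu": "100m", "ephemeral-storage": "1Gi"}}},
        {"name": "sidecar"},
        {"name": "untracked", "resources": {"requests": {"cpu": "10m"}}},
    ]}}}}

if __name__ == "__main__":
    patch = review(SAMPLE_REVIEW, SAMPLE_RECS)["response"]["patch"]
    print(json.dumps(json.loads(base64.b64decode(patch)), indent=2))
```

Decoding the patch field this way is also a quick review check that a mutating webhook touches only the paths it is expected to, here the resources of each container.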

Installation and Configuration

The Admission Controller is deployed as a part of the autoscaler module, as it is not included in the Kubernetes core APIs^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].

TLS Certificates

Because it functions as a webhook, the Admission Controller requires valid TLS certificates to communicate securely with the Kubernetes API server^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md]. The installation script (./hack/vpa-up.sh) automates the generation of these certificates and creates a corresponding Secret (e.g., vpa-tls-certs) within the kube-system namespace^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md].

Deployment Components

When installed, the following resources are associated with the Admission Controller^[400-devops__06-Kubernetes__k8s-ithelp__Day27__README.md]:

  • ServiceAccount: vpa-admission-controller
  • ClusterRole: system:vpa-admission-controller
  • Deployment: vpa-admission-controller
  • Service: vpa-webhook

Sources