DenyEscalatingExec when under GKE

Question

We\'re using GKE with our Kubernetes cluster. One of the apps we\'re running is Jenkins for CI. Unfortunately, Jenkins slaves need to use Docker to mount their host\'s

Answer 1

Unfortunately you can't change the enabled admission controllers on GKE. Alpha clusters support external admission webhooks but that would involve an amount of custom work.

An alternative option would be to use PodSecurityPolicy to only allow privileged Pods to run in a few tightly controller namespaces. For example, you could create a jenkins namespace and only allow privileged Pods to be created in the jenkins and kube-system namespaces and then prevent all users but cluster admins from execing into Pods in those namespaces.