What are admission controllers?

· Category: Kubernetes

Short answer

Admission controllers are code paths in kube-apiserver (compiled-in plugins plus the webhooks they call out to) that intercept a request after it has been authenticated and authorized, but before the object is written to etcd. They can validate the request, mutate the object it carries, or both. They act only on writes (create, update, delete and connect); get, list and watch never pass through admission, so they are a policy enforcement point, not a replacement for RBAC.

How it works

Admission runs in two phases. Mutating admission goes first and may change the object (set defaults, inject a sidecar, add labels); validating admission runs second and can only accept or reject, so it sees the object as already mutated. Each phase has compiled-in controllers (NamespaceLifecycle, LimitRanger, ServiceAccount, PodSecurity and others) and one dynamic hook: MutatingAdmissionWebhook and ValidatingAdmissionWebhook, which POST an AdmissionReview (the operation, the requesting user, the old and new object) over HTTPS to every webhook registered through a MutatingWebhookConfiguration or ValidatingWebhookConfiguration whose rules match. The webhook answers with the same AdmissionReview carrying a response: the request uid, allowed true or false, an optional status message, and, for mutating webhooks, a base64-encoded JSON Patch. A rejection in either phase fails the whole request. Two consequences matter for policy design: a validating webhook should check the final object itself rather than trust that a mutating one did its job, and the order in which several mutating webhooks run is not something to rely on (reinvocationPolicy: IfNeeded asks the API server to call a mutating webhook again when a later one changed the object). Since Kubernetes 1.30, ValidatingAdmissionPolicy also lets you express validation rules in CEL that the API server evaluates in-process, with no webhook round trip.
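The request/response exchange between the API server and a webhook, as an added example that is not part of the original page: a minimal handler in Go that decodes an AdmissionReview v1 request, denies privileged containers and images not pinned by digest on the validating path, and returns a JSON Patch that adds a label on the mutating path. It uses only the standard library and hand-defines the small part of the AdmissionReview schema it needs instead of importing k8s.io/api; the policy rules, the label key example.com/admitted, the function names and the sample review are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written subset of the admission.k8s.io/v1 AdmissionReview wire format,
// so this builds with the standard library alone (no k8s.io module).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	Status    *Status `json:"status,omitempty"`
	PatchType string  `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
}
type Status struct {
	Code    int    `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}

// Only the Pod fields the policy looks at; everything else is dropped on decode.
type Pod struct {
	Metadata struct {
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
	Spec struct {
		Containers []struct {
			Name            string `json:"name"`
			Image           string `json:"image"`
			SecurityContext struct {
				Privileged bool `json:"privileged"`
			} `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

// checkPod lists every violation; an empty result means the pod is allowed.
func checkPod(p *Pod) []string {
	var reasons []string
	for _, c := range p.Spec.Containers {
		if c.SecurityContext.Privileged {
			reasons = append(reasons, fmt.Sprintf("container %q is privileged", c.Name))
		}
		if !strings.Contains(c.Image, "@sha256:") {
			reasons = append(reasons, fmt.Sprintf("container %q image %q is not pinned by digest", c.Name, c.Image))
		}
	}
	return reasons
}

// Admit handles one AdmissionReview body. mutate=false behaves as the /validate
// endpoint (allow or deny only); mutate=true behaves as the /mutate endpoint and
// returns a JSON Patch, which is the only way a webhook may change the object.
func Admit(body []byte, mutate bool) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (%v)", err)
	}
	// The response must echo the request UID or the API server discards it.
	resp := &AdmissionResponse{UID: in.Request.UID}
	out := &AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		// Fail closed: an object we cannot parse is denied, not waved through.
		resp.Status = &Status{Code: 400, Message: "cannot decode pod: " + err.Error()}
		return out, nil
	}
	if mutate {
		var ops []map[string]any
		if pod.Metadata.Labels == nil { // JSON Patch "add" needs the parent map to exist
			ops = append(ops, map[string]any{"op": "add", "path": "/metadata/labels", "value": map[string]string{}})
		}
		// "/" inside a JSON Pointer key is escaped as "~1".
		ops = append(ops, map[string]any{"op": "add", "path": "/metadata/labels/example.com~1admitted", "value": "true"})
		resp.Allowed, resp.PatchType = true, "JSONPatch"
		resp.Patch, _ = json.Marshal(ops)
	} else if reasons := checkPod(&pod); len(reasons) > 0 {
		resp.Status = &Status{Code: 403, Message: strings.Join(reasons, "; ")}
	} else {
		resp.Allowed = true
	}
	return out, nil
}

// SampleReview is a constructed (not captured) CREATE review for a privileged pod
// on a mutable image tag, in the shape the API server POSTs to the webhook.
const SampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"0d1b7f6a-4c2e-4e0c-9a52-3f2b1c8e9d10","operation":"CREATE","object":{"metadata":{"name":"bad"},"spec":{"containers":[{"name":"app","image":"nginx:latest","securityContext":{"privileged":true}}]}}}}`
```

To serve it, wrap Admit in an http.Handler on the paths named in clientConfig and listen with http.ListenAndServeTLS using a certificate whose issuing CA is in caBundle; the API server only calls webhooks over HTTPS. Return any decoding error as a non-2xx status, which the API server treats as a webhook failure and resolves through failurePolicy. kubectl apply --dry-run=server pushes a request through the handler without persisting anything, which is the quickest way to test a policy before enforcing it.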

Example

Enable the NamespaceLifecycle controller. Built-in controllers are compiled into kube-apiserver and switched on with a server flag, not with a manifest (NamespaceLifecycle is in the default set; --enable-admission-plugins adds to that set and --disable-admission-plugins removes from it):

kube-apiserver --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PodSecurity ...

Plugins that take settings of their own read them from a file passed with --admission-control-config-file. Each entry names a plugin and either inlines its configuration or, as here, points at a separate file holding it. NamespaceLifecycle has no settings, so it never appears in this file; PodSecurity does:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  path: /etc/kubernetes/pod-security.yaml

A validating webhook (the ValidatingAdmissionWebhook plugin must be enabled on the API server for this object to have any effect). In apiVersion v1, sideEffects and admissionReviewVersions are required; the other fields below are the ones whose defaults bite in practice:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-policy
webhooks:
- name: validate-pod.example.com
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]   # CREATE alone lets an image change or a debug container slip past
    resources: ["pods", "pods/ephemeralcontainers"]
  clientConfig:
    service:
      name: webhook
      namespace: default
      path: "/validate"
    # base64 PEM of the CA that signed the webhook's serving certificate (placeholder);
    # if left empty, the API server falls back to its system trust roots
    caBundle: <base64-encoded CA bundle>
  admissionReviewVersions: ["v1"]
  sideEffects: None        # required; also lets server-side dry-run requests reach the webhook
  failurePolicy: Fail      # the default: deny matching requests while the webhook is unreachable
  timeoutSeconds: 5        # default 10, maximum 30
  namespaceSelector:       # keep the control plane (and the webhook's own namespace) out of the enforcement path
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values: ["kube-system"]

Why it matters

Admission is the one place where every write to the cluster can be inspected and changed before it lands, whichever client or controller issued it, which makes it the enforcement point for organizational policy and security baselines: no privileged pods, images only from approved registries and pinned by digest, mandatory resource limits, required labels. The built-in PodSecurity plugin and policy engines such as OPA Gatekeeper and Kyverno are all admission controllers; the engines register mutating and validating webhooks and evaluate their policies there.

Common issues

  • A webhook that is down, slow, or returning anything other than a 200 with a well-formed AdmissionReview fails every request its rules match when failurePolicy is Fail (the default). Broad rules can take the webhook's own pods and the control plane down with it, which is why a namespaceSelector excluding kube-system and the webhook's own namespace is standard. Switching to failurePolicy: Ignore restores availability but turns the policy into a fail-open control that anyone who can make the webhook unreachable can switch off.
  • Every webhook call is a synchronous HTTPS round trip added to the request, bounded by timeoutSeconds (default 10, maximum 30). Tight rules, objectSelector and namespaceSelector keep the webhook from being called for objects it does not care about.
  • The API server talks to webhooks only over TLS and checks the serving certificate against caBundle (or its system trust roots when caBundle is empty). Rotating the serving certificate without updating caBundle, or letting it expire, turns into the failurePolicy case above. The API server does not authenticate itself to the webhook unless --admission-control-config-file supplies client credentials for it (kubeConfigFile in the webhook plugin's configuration), so the webhook endpoint should be reachable only from the control plane.
  • A webhook that declares sideEffects: Some or Unknown causes server-side dry-run requests that match it to be rejected outright, which breaks kubectl --dry-run=server for everyone; declare None (or NoneOnDryRun) and honour it.