Kubernetes Admission Controller
What is Kubernetes Admission Controller?
An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
Kubernetes admission runs in two phases: mutating controllers can alter the object (set defaults, inject sidecars) and validating controllers can accept or reject it. Built-in controllers include NamespaceLifecycle, ResourceQuota, ServiceAccount, Pod Security, and ImagePolicyWebhook. External controllers register as MutatingWebhookConfiguration or ValidatingWebhookConfiguration, receive AdmissionReview JSON, and return a verdict; ValidatingAdmissionPolicy (1.28+) embeds CEL rules directly in the API. Admission is the primary enforcement point for security policy in Kubernetes (Pod Security Standards, image-signing requirements, label hygiene), and it is where OPA Gatekeeper and Kyverno hook in. Webhook failures can break the cluster: with failurePolicy: Fail an unreachable webhook blocks every request it matches, while failurePolicy: Ignore lets those requests through unchecked, so failurePolicy and timeoutSeconds must be tuned carefully.
● Examples
- 01
A mutating webhook injecting an Istio sidecar into every new pod in a labelled namespace.
- 02
A ValidatingAdmissionPolicy that rejects Deployments without a runAsNonRoot setting.
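As an added example (not code from the original page), the validating logic behind example 02, written as the request handler a hypothetical admission webhook would run: it takes an admission.k8s.io/v1 AdmissionReview request for a Deployment, checks that runAsNonRoot: true is set on the pod template or on every container, and returns the AdmissionReview response carrying the verdict. The sample request is constructed; the HTTPS server, its TLS certificate and the ValidatingWebhookConfiguration that registers the hook are assumed and not shown.

```python
import json

def run_as_non_root_set(pod_spec: dict) -> bool:
    """True when the pod securityContext, or every container's, sets runAsNonRoot: true."""
    pod_sc = pod_spec.get("securityContext") or {}
    if pod_sc.get("runAsNonRoot") is True:
        return True
    containers = pod_spec.get("containers") or []
    return bool(containers) and all(
        (c.get("securityContext") or {}).get("runAsNonRoot") is True for c in containers
    )

def review_deployment(admission_review: dict) -> dict:
    """Build the AdmissionReview response: allow, or reject with a 403 status message."""
    req = admission_review["request"]
    obj = req.get("object") or {}
    allowed, message = True, ""
    if obj.get("kind") == "Deployment":
        pod_spec = obj.get("spec", {}).get("template", {}).get("spec", {})
        if not run_as_non_root_set(pod_spec):
            allowed = False
            message = ("Deployment must set securityContext.runAsNonRoot: true "
                       "on the pod template or on every container")
    response = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

# Constructed sample request (not a real cluster capture): the pod template
# declares no runAsNonRoot at either level, so the request is rejected.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"template": {"spec": {"containers": [
                {"name": "app", "image": "example.invalid/app:1.0"}]}}},
        },
    },
}

if __name__ == "__main__":
    # A real webhook reads this JSON from the HTTPS request body and writes the result back.
    print(json.dumps(review_deployment(SAMPLE_REVIEW), indent=2))
```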
● Frequently asked questions
What is Kubernetes Admission Controller?
An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy. It belongs to the Cloud Security category of cybersecurity.
What does Kubernetes Admission Controller mean?
An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
How does Kubernetes Admission Controller work?
Kubernetes admission runs in two phases: mutating controllers can alter the object (set defaults, inject sidecars) and validating controllers can accept or reject it. Built-in controllers include NamespaceLifecycle, ResourceQuota, ServiceAccount, Pod Security, and ImagePolicyWebhook. External controllers register as MutatingWebhookConfiguration or ValidatingWebhookConfiguration, receive AdmissionReview JSON, and return a verdict; ValidatingAdmissionPolicy (1.28+) embeds CEL rules directly in the API. Admission is the primary enforcement point for security policy in Kubernetes (Pod Security Standards, image-signing requirements, label hygiene), and it is where OPA Gatekeeper and Kyverno hook in. Webhook failures can break the cluster: with failurePolicy: Fail an unreachable webhook blocks every request it matches, while failurePolicy: Ignore lets those requests through unchecked, so failurePolicy and timeoutSeconds must be tuned carefully.
How do you defend against Kubernetes Admission Controller?
Admission control is itself a defensive control rather than a threat; keeping it effective combines the technical controls and operational practices described in the full definition above, in particular tuning failurePolicy and timeouts so that a failing webhook neither breaks the cluster nor silently bypasses policy.
What are other names for Kubernetes Admission Controller?
Common alternative names include: Admission webhook, ValidatingAdmissionPolicy.
● Related terms
- OPA Gatekeeper (cloud-security № 757)
OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
- Kyverno (cloud-security № 602)
Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
- Pod Security Standards (cloud-security № 838)
Pod Security Standards (PSS) are Kubernetes-defined security profiles (Privileged, Baseline, and Restricted) that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
- Kubernetes Network Policy (cloud-security № 599)
Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
- Kata Containers (cloud-security № 582)
Kata Containers is an open-source runtime that wraps each container or Kubernetes pod in a lightweight virtual machine to provide hardware-level isolation between workloads.
- gVisor (cloud-security № 455)
gVisor is an open-source application kernel from Google that intercepts container system calls in user space, shrinking the host kernel attack surface exposed to untrusted workloads.