Introduction

Admission Controllers are a crucial component of Kubernetes' control plane that govern and enforce policies on API requests before they persist in the cluster. They act as intermediaries, evaluating incoming requests to create, update, delete, or connect resources within a Kubernetes cluster.

Role of Admission Controllers in Kubernetes

Kubernetes Admission Controllers operate at the API server level, ensuring that all resource changes comply with defined policies before being persisted in etcd. These controllers allow administrators to enforce security, compliance, and operational best practices dynamically.

Key Functions of Admission Controllers:

1. Security Enforcement

   • Enforces role-based access control (RBAC) and security policies.

   • Ensures workload compliance with security standards.

2. Resource Validation

   • Validates configuration files before applying them to the cluster.

   • Prevents misconfigured deployments that could impact stability.

3. Mutation of Requests

   • Modifies requests dynamically to inject sidecars, labels, or default values.

   • Used by tools like Istio and Open Policy Agent (OPA) to manage policies.

4. Quota and Policy Enforcement

   • Ensures resource limits and constraints are followed.

   • Prevents over-provisioning and protects cluster stability.

How Admission Controllers Work

Admission controllers operate in two primary phases:

1. Mutating Admission Controllers

• Modify requests dynamically before they reach the validation stage.

• Example: Injecting an Envoy sidecar in Istio using the MutatingWebhookConfiguration.

2. Validating Admission Controllers

• Evaluate API requests against policies and reject non-compliant ones.

• Example: Ensuring that container images come from a trusted registry.

Dynamic Admission Controllers

Kubernetes supports Dynamic Admission Controllers, which allow administrators to define custom admission policies using webhooks. These controllers extend the admission process beyond built-in mechanisms by integrating with external services.

1. Mutating Admission Webhook Controllers

• Modify API requests before they are persisted in etcd.

• Common use cases:

  • Injecting sidecars (e.g., Envoy in Istio)

  • Adding labels, environment variables, or annotations automatically

  • Enforcing default configurations for security and compliance

• Implemented using MutatingWebhookConfiguration.

2. Validating Admission Webhook Controllers

• Validate configurations before they are applied to the cluster.

• Common use cases:

  • Ensuring security policies (e.g., only allowing trusted images)

  • Enforcing Kubernetes best practices and governance policies

  • Preventing accidental misconfigurations

• Implemented using ValidatingWebhookConfiguration.

Understanding MutatingWebhookConfiguration

A MutatingWebhookConfiguration is a Kubernetes API resource used to register a mutating admission webhook. It defines the webhook URL, scope, and operations it should modify.

Example YAML for MutatingWebhookConfiguration:

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: example-mutating-webhook
webhooks:
  - name: inject-sidecar.example.com
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE"]
    clientConfig:
      service:
        name: webhook-service
        namespace: default
        path: "/mutate"

This webhook triggers when a new Pod is created, allowing modifications before the Pod is persisted.

Conclusion

Admission Controllers play a vital role in Kubernetes security, compliance, and operational efficiency. By enforcing policies at the API level, they help administrators maintain a stable, secure, and well-regulated cluster environment.

Dynamic admission controllers—Mutating and Validating Webhook Controllers—extend Kubernetes' capabilities by modifying and validating requests in real-time. The MutatingWebhookConfiguration allows Kubernetes to automatically inject or modify configurations, ensuring consistency and compliance across the cluster.