✦ For everyone, free.

Practical knowledge for real and everyday life

Home

24 Kubernetes Admission and Policy

Kubernetes Admission and Policy enforces rules to validate and modify resources, ensuring security and compliance in cluster operations.

Kubernetes Admission and Policy is the stage of API request processing that occurs after authentication and authorization have already approved a request, during which additional validation and mutation logic is applied before the change is persisted, allowing cluster-wide rules and conventions to be enforced consistently regardless of who submitted the request.


Where Admission Fits

After Authorization, Before Persistence

By the time a request reaches admission control, Kubernetes has already confirmed the requester's identity and that they are permitted to perform the requested action. Admission control adds a further layer of scrutiny focused not on who is making the request, but on whether the request itself conforms to cluster policy.

Two Categories of Plugins

Admission plugins fall into two categories: mutating plugins, which can modify a request before it is persisted, and validating plugins, which can only accept or reject a request without altering it. Mutating plugins always run before validating plugins, ensuring that validation checks see the final, fully mutated version of an object.


Built-In Admission Controllers

Common Examples

Kubernetes ships with a number of built-in admission controllers, such as ones that enforce resource limits from a namespace's LimitRange, others that automatically inject a default service account into Pods that do not specify one, and others that reject requests referencing namespaces that do not exist.

Enabling and Ordering

Which admission controllers are active is configured at the API server level, and because plugins run in a defined order, the behavior of one plugin can depend on mutations already applied by an earlier one in the chain.

finalObject = validate ( mutate ( request ) )

Dynamic Admission Webhooks

Extending Admission Without Rebuilding the API Server

MutatingAdmissionWebhook and ValidatingAdmissionWebhook allow cluster operators to register external services that the API server calls out to during admission, enabling custom policy logic without modifying or rebuilding the API server itself.

Common Use Cases

Webhooks are commonly used to enforce organizational conventions, such as requiring specific labels on all Pods, automatically injecting sidecar containers such as service mesh proxies, or blocking Pods that request privileged access without explicit justification.


Policy-as-Code Frameworks

Declarative Policy Definition

Rather than writing custom webhook services from scratch, many clusters adopt policy engines that allow rules to be expressed declaratively, evaluated automatically against incoming requests through the same webhook mechanism, and managed as version-controlled policy definitions alongside other cluster configuration.

Enforcement vs. Audit Modes

Policy engines typically support both an enforcement mode, which rejects non-compliant requests outright, and an audit mode, which logs violations without blocking them, allowing new policies to be evaluated safely before being made mandatory.


Why Admission and Policy Matter

Consistency at Scale

As the number of teams and applications sharing a cluster grows, relying on manual review to catch policy violations does not scale. Admission control and automated policy enforcement provide a consistent, automatic checkpoint that applies the same rules to every request, regardless of who submits it or through which tool.


Admission Pipeline Diagram

Authorized Mutating hooks Validating hooks