Saurabh Adhau's Blog

What are Admission Controllers?

Saurabh Adhau's photo
Saurabh Adhau
·

2 min read

Table of contents

Introduction

Admission Controllers are a crucial component of Kubernetes' control plane that govern and enforce policies on API requests before they persist in the cluster. They act as intermediaries, evaluating incoming requests to create, update, delete, or connect resources within a Kubernetes cluster.

Role of Admission Controllers in Kubernetes

Kubernetes Admission Controllers operate at the API server level, ensuring that all resource changes comply with defined policies before being persisted in etcd. These controllers allow administrators to enforce security, compliance, and operational best practices dynamically.

Key Functions of Admission Controllers:

  1. Security Enforcement

    • Enforces role-based access control (RBAC) and security policies.

    • Ensures workload compliance with security standards.

  2. Resource Validation

    • Validates configuration files before applying them to the cluster.

    • Prevents misconfigured deployments that could impact stability.

  3. Mutation of Requests

    • Modifies requests dynamically to inject sidecars, labels, or default values.

    • Used by tools like Istio and Open Policy Agent (OPA) to manage policies.

  4. Quota and Policy Enforcement

    • Ensures resource limits and constraints are followed.

    • Prevents over-provisioning and protects cluster stability.

How Admission Controllers Work

Admission controllers operate in two primary phases:

1. Mutating Admission Controllers

  • Modify requests dynamically before they reach the validation stage.

  • Example: Injecting an Envoy sidecar in Istio using the MutatingWebhookConfiguration.

2. Validating Admission Controllers

  • Evaluate API requests against policies and reject non-compliant ones.

  • Example: Ensuring that container images come from a trusted registry.

Examples of Built-in Admission Controllers

Kubernetes provides several built-in admission controllers, such as:

  • NamespaceLifecycle: Prevents modification of system namespaces.

  • PodSecurity: Enforces Pod Security Standards (PSS).

  • ResourceQuota: Ensures resource usage stays within limits.

  • ValidatingAdmissionWebhook: Integrates external validation mechanisms.

Conclusion

Admission Controllers play a vital role in Kubernetes security, compliance, and operational efficiency. By enforcing policies at the API level, they help administrators maintain a stable, secure, and well-regulated cluster environment. Understanding and leveraging admission controllers allows teams to enforce best practices, automate governance, and secure Kubernetes workloads effectively.

admission controllerKubernetesk8sDevopsAWS