2.14 Validating and Mutating Admission Controllers
Admission Controllers are policy checkpoints inside the Kubernetes API server.
They run after Authentication and Authorization and before an object is finally created.
Their job is simple:
- β Mutating controllers β can CHANGE the request
- π‘οΈ Validating controllers β can ALLOW or REJECT the request
Think of them as a final quality + security gate for every Kubernetes object.
π Where They Sit in the Request Flow
When you run:
The API server processes it in this order:
- Authentication β Who are you?
- Authorization (RBAC) β Are you allowed?
- Mutating Admission Controllers β Modify request if needed
- Validating Admission Controllers β Approve or reject
- etcd β Object stored
Info
Mutation happens first, then validation checks the final modified object.
π§ͺ Two Types β Quick Comparison
- Can modify objects
- Add missing fields
- Inject defaults
- Add labels / sidecars
- Runs first
- Example: DefaultStorageClass
- Cannot modify objects
- Only allow or reject
- Enforce rules
- Block unsafe configs
- Runs after mutation
- Example: NamespaceLifecycle
𧬠Mutating Admission Controllers β Easy Example
A mutating controller can autoβfill missing fields.
Example: DefaultStorageClass
You create a PVC without storageClassName:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
Mutating controller updates it internally to:
Example
You didnβt specify it β Kubernetes adds it automatically using a mutating controller.
π‘οΈ Validating Admission Controllers β Easy Example
Validating controllers do not change anything β they only approve or reject.
Example: NamespaceLifecycle
Result:
Why?
- AuthN β
- AuthZ β
- Validation β (namespace does not exist)
Note
The request is rejected β nothing is modified.
β οΈ Why Mutation Runs Before Validation
Consider two rules:
- Mutating controller β create namespace if missing
- Validating controller β reject if namespace missing
Correct order:
Wrong order would always fail.
Tip
Kubernetes always runs mutating first, validating second.
π External Admission Controllers (Webhooks)
You can create your own custom admission logic using webhooks.
Two webhook types:
- MutatingAdmissionWebhook
- ValidatingAdmissionWebhook
Kubernetes sends the request to your webhook server β your code decides.
ποΈ Webhook Flow (Concept)
API Server
β
Builtβin Admission Controllers
β
Webhook Call β Your Webhook Service
β
Allow / Reject / Patch
Abstract
Your webhook server can run inside the cluster or externally.
π§Ύ Mutating Webhook β YAML Example
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: add-label-webhook
webhooks:
- name: add-label.example.com
clientConfig:
service:
name: webhook-service
namespace: default
path: /mutate
caBundle: <BASE64_CA_CERT>
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
Use cases:
- Add labels automatically
- Inject sidecars
- Add security context
- Set defaults
π§Ύ Validating Webhook β YAML Example
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validate-image-webhook
webhooks:
- name: validate.example.com
clientConfig:
service:
name: webhook-service
namespace: default
path: /validate
caBundle: <BASE64_CA_CERT>
rules:
- operations: ["CREATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
Use cases:
- Block latest tag
- Block root user containers
- Enforce labels
- Restrict registries
π§ What Your Webhook Server Receives
Webhook receives an AdmissionReview JSON with:
- user info
- operation type
- object spec
- resource type
It must reply:
Allow
Reject
Mutating webhooks can also return a JSON patch.
π§ͺ Mutation Patch Concept
Example patch instruction:
Result:
Pod gets label automatically before creation.
β Key Takeaways
Summary
- Admission Controllers = final policy gate
- Two types: Mutating and Validating
- Mutating = modify requests
- Validating = allow or reject only
- Mutation runs before validation
- Webhooks enable custom logic
- Used for security, defaults, and governance