Admission controllers are a critical component of the Kubernetes architecture that manage requests to the Kubernetes API server. They act as gatekeepers, intercepting requests to create, update, or delete resources within a Kubernetes cluster.

In other word, An admission controller in Kubernetes is a special type of plugin that intercepts requests to the Kubernetes API before they are persisted in the cluster (i.e., before being saved in etcd). These controllers help enforce policies, validate configurations, and even modify resources automatically.

What Are Admission Controllers?

  1. Purpose: Admission controllers validate and manipulate requests before they are persisted in the cluster. They ensure that the requests comply with the defined policies and rules.
  2. Types: There are two main types of admission controllers:
    • Validating Admission Controllers: These controllers validate the incoming requests against specific criteria. If a request fails validation, it is rejected.
    • Mutating Admission Controllers: These controllers can modify the incoming requests before they are processed. For example, they can add default values or modify configurations.

How Do Admission Controllers Work?

  1. Request Interception: When a user or application sends a request to the Kubernetes API server, it first passes through the admission control phase.
  2. Execution Order: Admission controllers are executed in a specific order, and their results determine whether the request is allowed to proceed or is rejected.
  3. Webhook Integration: Admission controllers can be implemented as webhooks, allowing custom logic to be applied to requests. This enables organizations to enforce specific policies tailored to their needs.

Common Use Cases

  • Resource Quotas: Ensuring that resource requests and limits are set appropriately for pods.
  • Security Policies: Enforcing security standards, such as preventing the use of privileged containers.
  • Labeling and Annotation: Automatically adding labels or annotations to resources for better management and organization.

Importance of Admission Controllers

  • Policy Enforcement: They ensure that all resources created within the cluster adhere to organizational policies and best practices.
  • Resource Management: Admission controllers help manage resources effectively by validating requests and preventing resource contention.
  • Security: They enhance the security posture of the cluster by enforcing rules that prevent misconfigurations and vulnerabilities.

Conclusion

Admission controllers are essential for maintaining the integrity, security, and compliance of Kubernetes clusters. By validating and mutating requests, they play a vital role in ensuring that Kubernetes operates smoothly and adheres to organizational policies.

🧩 How Admission Controllers Work

When you create or update a resource (like a pod, deployment, or service), the request goes through several stages:

  1. Authentication – Verifies who you are.
  2. Authorization – Checks if you have permission.
  3. Admission Control – Validates or modifies the request.
  4. Persistence – Saves the resource in etcd.

Admission controllers operate in step 3, and they can either:

  • Validate the request (e.g., reject pods without resource limits).
  • Mutate the request (e.g., add default labels or inject sidecars).

🛠️ Types of Admission Controllers

There are two main types:

  1. Validating Admission Controllers
    • Check if the resource meets certain rules.
    • Can accept or reject the request.
    • Example: Prevent pods from using privileged containers.
  2. Mutating Admission Controllers
    • Can modify the resource before it’s saved.
    • Example: Automatically inject a sidecar container (like Istio’s Envoy proxy).

🔐 Use Cases

  • Enforcing security policies
  • Injecting monitoring or logging agents
  • Setting default values
  • Validating naming conventions
  • Enabling service mesh features (e.g., Istio uses admission controllers to inject sidecars)