In this blog we are going to talk about admission controllers, how they interact with Kubernetes and what they can do for us. I want to start by diagramming what a request looks like when it comes into Kubernetes.

There are basically three parts.

First, obviously, there is the person or automation making the API call. That call goes to the API server and eventually to the database. That's the basic flow of all API requests.

Inside the API server itself, there is code that does RBAC for authorization and also does authentication. That allows you to say that this user can or can't do certain things within the cluster. But there's a lot you might want to do that involves looking inside the API object itself, either to validate it and make a decision or to modify it.

And that’s where admission controllers come in.

What is an admission controller:

An admission controller is a very powerful feature that intercepts requests to the API server after they have been authenticated and authorized. It then validates the request, modifies it, or both, before the object is persisted to etcd.

There are two basic classes of admission controllers.

  1. Validating admission controllers: These look at the contents of an API object and make sure that it's a valid API object. We'll talk a little bit about some use cases for that.
  2. Mutating admission controllers: These look at the API object and actually change it. They may add or remove things from the API object, modifying it on the way in.
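
To make the two classes concrete, here is an added example (not code from this blog or from the Kubernetes project) of the decision logic an admission webhook would run on the `admission.k8s.io/v1` AdmissionReview JSON it receives from the API server. The two policies (deny privileged containers, default a `team` label) and the sample request are assumptions chosen for illustration.

```python
import base64
import json

def _response(review, allowed, message=None, patch=None):
    """Build the AdmissionReview reply; uid must echo the request's uid."""
    resp = {"uid": review["request"]["uid"], "allowed": allowed}
    if message:
        resp["status"] = {"message": message}
    if patch:  # mutations are returned as a base64-encoded JSON Patch
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

def validate(review):
    """Validating class: reject a Pod that asks for a privileged container."""
    spec = review["request"]["object"].get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged"):
            return _response(review, False, f"container {c.get('name')!r} is privileged")
    return _response(review, True)

def mutate(review):
    """Mutating class: add a default 'team' label (assumed policy) if missing."""
    labels = review["request"]["object"].get("metadata", {}).get("labels")
    if labels is None:
        # 'add' on /metadata/labels/team fails when the labels map is absent,
        # so create the whole map in that case.
        patch = [{"op": "add", "path": "/metadata/labels", "value": {"team": "unassigned"}}]
    elif "team" not in labels:
        patch = [{"op": "add", "path": "/metadata/labels/team", "value": "unassigned"}]
    else:
        patch = None
    return _response(review, True, patch=patch)

# Constructed sample request, shaped like what the API server sends to a webhook.
SAMPLE = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
        "object": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
            "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1",
                                     "securityContext": {"privileged": True}}]}}},
}

if __name__ == "__main__":
    print(json.dumps(mutate(SAMPLE)["response"], indent=2))    # allowed, with a patch
    print(json.dumps(validate(SAMPLE)["response"], indent=2))  # denied: privileged
```

Kubernetes runs the mutating phase before the validating phase, so a validating controller sees the object as it will be stored, including any changes made by mutating controllers.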

