Validating and Mutating Admission Controllers 2025 Updates
This article provides an overview of Admission Controllers in Kubernetes, focusing on validating and mutating functions and how to configure custom controllers.
In this lesson, we take an in-depth look at Admission Controllers in Kubernetes—covering both validating and mutating functions—and learn how to configure custom Admission Controllers. Understanding these controllers is essential for ensuring that Kubernetes objects are created and modified correctly.
Admission Controllers perform crucial tasks during the API request lifecycle:
Mutating Admission Controllers: Modify the object (mutate the request) before it is created.
Validating Admission Controllers: Inspect a request to decide whether it should be allowed or rejected.
Dual-Purpose Controllers: Some controllers support both mutating and validating functions.
Typically, mutating controllers are invoked before validating controllers. This order ensures that any changes made during mutation are considered during validation. For example, if the namespace auto-provisioning admission controller (mutating) runs before the namespace existence admission controller (validating), the missing namespace is created, preventing potential validation failures.
If any admission controller rejects the request, an error message is returned and the request is not processed further.
The default storage class admission controller is enabled by default. When you create a PersistentVolumeClaim (PVC) without specifying a storage class, the request is authenticated, authorized, and then passed through the admission controller. This controller mutates the request by adding the default storage class if none is provided.For example, consider the following PVC creation request:
While built-in admission controllers are compiled with Kubernetes, you can implement custom logic using external admission webhooks. Two specific controllers support webhooks:
To start using webhooks, deploy your custom webhook server. This server handles your custom logic for mutating and/or validating requests. You can implement the server in any language that supports processing JSON admission review objects.
Below is a sample snippet in Go that demonstrates setting up a webhook server:
Copy
Ask AI
package mainimport ( "encoding/json" "flag" "fmt" "io/ioutil" "net/http" admissionv1beta1 "k8s.io/api/admission/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/klog")// toAdmissionResponse creates an AdmissionResponse containing an error message.func toAdmissionResponse(err error) *admissionv1beta1.AdmissionResponse { return &admissionv1beta1.AdmissionResponse{ Result: &metav1.Status{ Message: err.Error(), }, }}// admitFunc defines the function type for validators and mutators.type admitFunc func(*admissionv1beta1.AdmissionReview) *admissionv1beta1.AdmissionResponse// serve handles the HTTP requests and passes them to the admit function.func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) { var body []byte if r.Body != nil { data, err := ioutil.ReadAll(r.Body) if err == nil { body = data } } // Further processing of the admission review object would occur here.}
The critical aspect of setting up webhooks is ensuring that your server processes the admission review objects and responds with a valid JSON object following the mutate and validate APIs.
Once your webhook server is deployed, configure Kubernetes to route requests to your service by creating a webhook configuration object. For instance, the following example shows a [ValidatingWebhookConfiguration] that validates pod creation:
Admission controllers are a powerful mechanism for enforcing policies and modifying Kubernetes objects during their lifecycle. By integrating custom admission webhooks, you can extend Kubernetes functionality to meet your specific needs.For further practice, consider configuring and testing these webhooks in your environment to better understand their impact on Kubernetes operations.
