Lesson goal: Understand how the Kubernetes API server routes admission requests to Kyverno webhooks, what webhook configuration controls, and how mutation and validation are ordered during admission.
- Authentication — verifies the identity of the caller.
- Authorization — checks whether the caller is allowed to perform the requested action.
- Admission — a pluggable phase where requests can be mutated or validated before persistence.

- The API server sends the request payload to Kyverno’s webhook endpoint.
- Kyverno locates policies that match the resource kind, namespace, and operation.
- For mutating policies, Kyverno computes patches and returns them so the API server applies the mutation.
- For validating policies, Kyverno returns an allow or deny decision.
- The API server proceeds using Kyverno’s response (apply mutation, accept, or reject).

- WHAT to intercept (which resources, operations, API groups/versions).
- WHERE to send the request (the service/endpoint hosting the webhook).
- WHAT IF the webhook does not respond (failure behavior and timeouts).

failurePolicy: Fail— if Kyverno is unavailable, the API server rejects the request (more secure).failurePolicy: Ignore— if Kyverno doesn’t respond, the API server continues without enforcement (more available).
Set
failurePolicy: Fail only when Kyverno is deployed with sufficient high availability. Using Fail in single-replica or unstable Kyverno setups can block legitimate requests during outages.- Mutating policy: add a label to every new Deployment.
- Validating policy: reject Deployments with more than 2 replicas.

ValidatingWebhookConfiguration demonstrating the WHAT / WHERE / WHAT IF mapping. Note how rules selects requests, clientConfig points to the Kyverno service endpoint, and failurePolicy/timeoutSeconds control error handling.

- Kubernetes Admission Controllers and Webhooks: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
- Kyverno documentation: https://kyverno.io/docs/
- Kyverno integrates with the API server via Mutating and Validating webhooks during the admission phase.
- Webhook configuration controls WHAT is intercepted, WHERE the API server sends requests, and WHAT IF the webhook fails.
- Mutations run before validations, so validation policies evaluate the final mutated object.
- Kyverno automatically manages webhook registration based on the policies you create.