0
0
KubernetesConceptBeginner · 3 min read

Admission Controller in Kubernetes: What It Is and How It Works

An admission controller in Kubernetes is a piece of code that intercepts requests to the Kubernetes API server after authentication and authorization but before the object is stored. It can modify or validate these requests to enforce policies or add defaults automatically.
⚙️

How It Works

Think of an admission controller as a security guard at the entrance of a building. After someone shows their ID (authentication) and gets permission to enter (authorization), the guard checks if they follow the building's rules before letting them in. In Kubernetes, when you create or change resources like pods or services, the admission controller reviews these requests to ensure they meet cluster policies.

Admission controllers can either validate requests, rejecting those that don't follow rules, or mutate requests by adding or changing information automatically. This happens inside the Kubernetes API server, so it is transparent to users and helps keep the cluster safe and consistent.

💻

Example

This example shows how to enable the NamespaceLifecycle admission controller, which prevents deletion of namespaces that still have resources.

yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: NamespaceLifecycle
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: NamespaceLifecycleConfiguration
    preventDelete: true
Output
Admission controller enabled: NamespaceLifecycle will block deletion of namespaces with active resources.
🎯

When to Use

Use admission controllers when you want to enforce rules or add defaults automatically in your Kubernetes cluster. For example, you can use them to:

  • Ensure all pods have resource limits set to avoid overusing cluster resources.
  • Automatically add labels or annotations to objects for tracking.
  • Block creation of pods that use deprecated APIs or unsafe configurations.
  • Enforce security policies like requiring certain security contexts.

They help maintain cluster stability, security, and compliance without manual checks.

Key Points

  • Admission controllers run after authentication and authorization but before storing objects.
  • They can validate or mutate requests to enforce policies.
  • Many built-in admission controllers exist, and you can add custom ones.
  • They help automate cluster governance and security.

Key Takeaways

Admission controllers intercept Kubernetes API requests to enforce policies before saving objects.
They can modify requests or reject them to keep the cluster safe and consistent.
Use them to automate security, resource management, and compliance rules.
Built-in and custom admission controllers provide flexible control over cluster behavior.

Related by keyword

What is Controller Manager in Kubernetes: Explained SimplyGetting StartedHow Networking Works in Kubernetes: Basics and ExamplesNetworkingHow Service Discovery Works in Kubernetes: Explained SimplyNetworkingHow Scheduling Works in Kubernetes: Explained SimplySchedulingInit Container in Kubernetes: What It Is and How It WorksPods

Up next

What is GKE in Google Cloud for Kubernetes ExplainedManaged vs Self-Managed Kubernetes: Key Differences and When to Use EachKubernetes vs Docker: Key Differences and When to Use EachKubernetes vs Docker Compose: Key Differences and When to Use Each

More in Advanced

How to Create a Custom Resource Definition (CRD) in KubernetesHow to Create a Kubernetes Operator: Step-by-Step GuideHow to Use Kustomize in Kubernetes: Simple GuideIstio vs Linkerd in Kubernetes: Key Differences and When to Use Each