Validating Webhook in Kubernetes: What It Is and How It Works
A validating webhook in Kubernetes is a way to check and approve or reject changes to cluster resources before they are saved. It acts like a gatekeeper that validates requests to create, update, or delete objects, ensuring they meet custom rules.
How It Works
Imagine you have a security guard at the entrance of a building who checks every visitor's ID before letting them in. A validating webhook works similarly in Kubernetes. When you try to create or change a resource like a pod or deployment, Kubernetes sends the request to the webhook first.
The webhook is a small program or service you write that looks at the request details. It decides if the request follows your rules. If it does, the webhook says "OK" and Kubernetes allows the change. If not, it rejects the request with a clear message.
This process happens quickly and automatically, so only valid and safe changes happen in your cluster. It helps keep your environment consistent and secure without manual checks.
Example
This example shows a simple validating webhook configuration that checks pods before they are created or updated.
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook
webhooks:
  - name: pod-validator.example.com
    # Which requests are sent to the webhook: pod creates and updates in the core API group.
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
    # Where the API server sends the AdmissionReview; the service must serve HTTPS.
    clientConfig:
      service:
        name: pod-validator-service
        namespace: default
        path: "/validate-pods"
      caBundle: <base64-encoded-CA-cert>  # CA that signed the webhook server's certificate
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
```
When to Use
Use validating webhooks when you want to enforce custom rules on Kubernetes resources that are not covered by built-in validations. For example:
- Ensure pods have specific labels or annotations for tracking.
- Prevent deployment of containers with disallowed images.
- Enforce resource limits or security policies before changes are accepted.
This helps teams maintain standards, improve security, and avoid mistakes that could cause downtime or vulnerabilities.
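As an added example (not code from the original page), here is a Go sketch of the service behind the "/validate-pods" path above: it decodes the AdmissionReview the API server posts, applies two of the rules from the list (a required "team" label and a banned image registry, both constructed values), and returns the allow/deny verdict. The AdmissionReview structs are a hand-written subset rather than the k8s.io/api types, and wiring Review into an http.Handler served over TLS is left out.

```go
package main
import "encoding/json"
import "strings"
// Hand-written subset of the admission.k8s.io/v1 AdmissionReview schema (only the fields used here), so no external module is needed.
type AdmissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"` // the Pod being created or updated
	} `json:"request,omitempty"`
	Response *Response `json:"response,omitempty"`
}
type Response struct {
	UID     string  `json:"uid"` // must echo the request UID or the API server drops the reply
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"` // reason the user sees on rejection
}
type Status struct{ Message string `json:"message"` }
// Reject says why a pod breaks the article's rules (a "team" label is required; no container
// may pull from the constructed "untrusted.example/" registry); "" means the pod passes.
func Reject(object []byte) string {
	var p struct { // only the Pod fields the rules read
		Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
		Spec     struct{ Containers []struct{ Image string `json:"image"` } `json:"containers"` } `json:"spec"`
	}
	if err := json.Unmarshal(object, &p); err != nil {
		return "cannot decode pod: " + err.Error() // fail closed on malformed input
	}
	if p.Metadata.Labels["team"] == "" {
		return "pod must carry a 'team' label"
	}
	for _, c := range p.Spec.Containers {
		if strings.HasPrefix(c.Image, "untrusted.example/") {
			return "image not allowed: " + c.Image
		}
	}
	return ""
}
// Review is what the "/validate-pods" HTTP handler calls with the request body; an envelope without a usable request is rejected.
func Review(body []byte) *AdmissionReview {
	resp := &Response{Status: &Status{"malformed AdmissionReview"}} // Allowed stays false: fail closed
	if in := new(AdmissionReview); json.Unmarshal(body, in) == nil && in.Request != nil {
		resp = &Response{UID: in.Request.UID, Allowed: true}
		if msg := Reject(in.Request.Object); msg != "" {
			resp.Allowed, resp.Status = false, &Status{msg}
		}
	}
	return &AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
}
```

The status message is what kubectl prints back to the user when the request is denied, which is what makes the rejection "clear" rather than a bare error.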
Key Points
- Validating webhooks intercept resource requests to approve or reject them.
- They run synchronously during create or update operations.
- You write the webhook logic as a service that Kubernetes calls.
- They help enforce custom policies and improve cluster safety.
- They require a ValidatingWebhookConfiguration resource to register with Kubernetes.