Generated by GPT-5-mini

| Admission Controller | |
|---|---|
| Name | Admission Controller |
| Invented | 2014 |
| Owner | Kubernetes |
| Type | Software Component |
# Admission Controller
An Admission Controller is a software component that intercepts requests to an API server to enforce policies, mutate objects, validate state, and make admission-time decisions for resources managed by systems such as Kubernetes, OpenShift, Istio, HashiCorp Consul and cloud provider platforms like Amazon Web Services and Google Cloud Platform. It runs after a request has been authenticated and authorized and before the object is persisted, enabling operators at organizations such as Red Hat, CNCF, VMware, Microsoft Azure and IBM to implement governance, security, and operational automation for clusters running workloads from projects like Helm, Prometheus, Kustomize, and Flux.
Admission controllers mediate create, update, and delete operations on API resources originated by actors including kubectl, Terraform, Ansible, Argo CD, CI/CD systems such as Jenkins and GitLab, and controllers like kube-scheduler and kube-controller-manager. They complement authorization mechanisms such as RBAC, policy engines such as Open Policy Agent, and identity providers such as Dex and Keycloak. Historically introduced in early Kubernetes design discussions influenced by projects like Docker and CoreOS, admission control now plays a central role in enforcing policies derived from standards and frameworks by organizations like CNCF and NIST.
Admission controllers typically run as webhooks, embedded modules, or library hooks. Common architectural pieces include the API server admission pipeline, webhook servers, policy engines, and the mutating and validating stages used by projects like OPA and Gatekeeper. The pipeline interfaces with components such as etcd, kube-apiserver, and sidecar proxies like Envoy when policy decisions affect networking. Implementations often rely on TLS certificates issued by CAs like Let's Encrypt or by internal PKI systems integrated with Cert-Manager and identity solutions such as Vault by HashiCorp; whichever CA is used, the API server must be configured to trust it when it calls the webhook.
At runtime, admission controllers examine API requests and the objects they carry (for example, Pod manifests, Deployment specifications, and ServiceAccount records) to enforce policies. Policies can be written in policy languages such as Rego (used by Open Policy Agent) or expressed as declarative CRDs consumed by controllers such as Gatekeeper and Kyverno. Typical operations include mutation (injecting sidecars like Istio proxies), validation (rejecting insecure container images from registries like Docker Hub or Quay.io), defaulting (adding resource limits), and auditing for compliance frameworks such as SOC 2 and PCI DSS. Admission policies often reference image provenance from registries like Harbor and secret backends like AWS Secrets Manager and Azure Key Vault.
Systems ship with built-in admission controllers developed by teams at Google and contributors from organizations including Red Hat and VMware. Built-ins handle tasks like namespace lifecycle, resource quota, and finalizers. Custom controllers are implemented by vendors and open-source projects such as Open Policy Agent, Gatekeeper, Kyverno, and Istio, and by managed Kubernetes services such as Amazon EKS, Google GKE, and Azure AKS. Enterprises build bespoke controllers that integrate with identity platforms like Okta and Active Directory as well as CI systems like CircleCI and Bamboo.
Admission controllers are used to enforce image signing workflows with tools from Notary and Sigstore (including cosign), inject observability agents such as Prometheus exporters, and ensure network policies compatible with Calico or Cilium. Examples include denying privileged containers to comply with CIS guidelines, mutating Pods to add sidecars for service-mesh telemetry from Istio or Linkerd, and blocking deployments that reference APIs deprecated or removed by Kubernetes, a process driven by SIGs such as SIG API Machinery. Admission controllers also support multi-tenant enforcement in platforms such as OpenShift and policy-as-code practices paired with repositories managed in GitHub and GitLab.
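The validating and defaulting operations described in this and the preceding runtime paragraph, as an added example that is not part of this page or of any named project: a Python handler for the admission.k8s.io/v1 AdmissionReview exchange that denies privileged containers and images outside an allow-list, and otherwise emits a JSON Patch adding resource limits. The registry allow-list, the default limits and the sample request are constructed values.

```python
import base64
import json

ALLOWED_REGISTRIES = ("registry.example.internal/",)  # constructed allow-list; load from config in practice


def validate_pod(pod: dict) -> list[str]:
    """Return policy violations for a Pod manifest (an empty list means admit)."""
    violations = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        # securityContext may be present but null, so guard before .get()
        if (c.get("securityContext") or {}).get("privileged") is True:
            violations.append(f"container {name!r} requests privileged mode")
        if not image.startswith(ALLOWED_REGISTRIES):
            violations.append(f"container {name!r} image {image!r} not from an allowed registry")
    return violations


def default_limits_patch(pod: dict, cpu: str = "500m", memory: str = "256Mi") -> list[dict]:
    """RFC 6902 JSON Patch adding resource limits to containers that have none."""
    limits, patch = {"cpu": cpu, "memory": memory}, []
    for i, c in enumerate(pod.get("spec", {}).get("containers", [])):
        res = c.get("resources")
        if res is None:
            patch.append({"op": "add", "path": f"/spec/containers/{i}/resources", "value": {"limits": limits}})
        elif "limits" not in res:
            patch.append({"op": "add", "path": f"/spec/containers/{i}/resources/limits", "value": limits})
    return patch


def review(body: bytes, mutate: bool = False) -> dict:
    """Answer one AdmissionReview: deny on any violation, otherwise optionally patch."""
    ar = json.loads(body)
    req = ar["request"]
    resp = {"uid": req["uid"], "allowed": True}  # response.uid must echo request.uid
    violations = validate_pod(req["object"])
    if violations:
        resp["allowed"] = False
        resp["status"] = {"code": 403, "message": "; ".join(violations)}
    elif mutate and (patch := default_limits_patch(req["object"])):
        resp["patchType"] = "JSONPatch"  # the patch is sent base64-encoded
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": ar["apiVersion"], "kind": ar["kind"], "response": resp}


# Constructed sample of the body kube-apiserver would POST for a privileged Pod.
SAMPLE_REQUEST = json.dumps({
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "7e1c4a10-0000-4000-8000-000000000001", "object": {"kind": "Pod", "spec": {
        "containers": [{"name": "app", "image": "registry.example.internal/app:1.2",
                        "securityContext": {"privileged": True}}]}}}}).encode()
```

`review(SAMPLE_REQUEST)` yields a denial whose `status.message` names the offending container; a webhook server would return that dict as the HTTP response body.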
Security considerations include authenticating and authorizing webhook servers with certificates and RBAC bindings, protecting secrets via backends like Vault, and avoiding supply-chain risks by integrating with signing projects from Sigstore. Performance considerations include limiting synchronous admission latency by designing fast policy checks, running policy caches, and applying failure policies to avoid blocking API traffic, practices advised by vendor docs from Google and AWS. Failure policies carry a trade-off: a webhook that fails open keeps API traffic flowing during an outage but also skips its checks, so security-critical validation is normally configured to fail closed and the webhook itself is run with enough replicas to stay available. Fault isolation and observability integrate with logging and tracing systems like Fluentd, Jaeger, and OpenTelemetry, and metric systems such as Prometheus, to monitor admission latency and error rates.
In Kubernetes, admission control supports built-in plugins and dynamic admission webhooks defined in resources such as MutatingWebhookConfiguration and ValidatingWebhookConfiguration. Projects such as Gatekeeper and Kyverno implement CRD-driven policy admission patterns, while Open Policy Agent integrates via the admission webhook interface using policy bundles from repositories like OPA Registry. Other orchestration or service mesh projects such as Nomad, Linkerd, and Istio implement analogous hooks for admission-time mutation and validation. Cloud providers offer managed admission tooling in Google GKE, Amazon EKS, and Azure AKS, and platform distributions like OpenShift extend the admission model with vendor-specific controllers.
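An added defender-side check, not from this page or any named project, tying the security and failure-policy considerations above to the ValidatingWebhookConfiguration resource: a Python audit of the settings that make a webhook fail open or stall the API, with a helper that applies fail-closed values. The configuration, webhook name and namespaces are constructed; the CA bundle is passed in as a placeholder argument.

```python
import json

# Constructed ValidatingWebhookConfiguration with fail-open settings. Field names
# follow admissionregistration.k8s.io/v1; names and namespaces are illustrative.
WEAK_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1", "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "pod-policy"},
    "webhooks": [{
        "name": "pods.policy.example.internal",
        "failurePolicy": "Ignore",  # a webhook outage silently admits every request
        "timeoutSeconds": 30,       # the maximum; a slow webhook stalls API writes
        "sideEffects": "None",
        "admissionReviewVersions": ["v1"],
        "clientConfig": {"service": {"name": "pod-policy", "namespace": "policy", "path": "/validate"}},
        "rules": [{"operations": ["CREATE", "UPDATE"], "apiGroups": [""],
                   "apiVersions": ["v1"], "resources": ["pods"]}],
    }],
}

def audit_webhook_config(cfg: dict) -> dict[str, list[str]]:
    """Map each webhook name to settings that make admission fail open or fragile."""
    findings = {}
    for wh in cfg.get("webhooks", []):
        issues = []
        if wh.get("failurePolicy", "Fail") != "Fail":  # the v1 default is Fail
            issues.append("failurePolicy=Ignore: requests are admitted while the webhook is down")
        if wh.get("timeoutSeconds", 10) > 10:
            issues.append(f"timeoutSeconds={wh['timeoutSeconds']}: above the 10s default, slow policy stalls the API")
        if not wh.get("clientConfig", {}).get("caBundle"):
            issues.append("clientConfig.caBundle unset: apiserver falls back to its system trust roots")
        if not wh.get("namespaceSelector") and not wh.get("objectSelector"):
            issues.append("no namespaceSelector/objectSelector: kube-system and the webhook's own namespace are in scope")
        findings[wh["name"]] = issues
    return findings

def harden(cfg: dict, ca_bundle_b64: str) -> dict:
    """Return a copy that fails closed, times out quickly, pins the CA and skips kube-system."""
    out = json.loads(json.dumps(cfg))  # cheap deep copy of the plain-dict config
    for wh in out["webhooks"]:
        own_ns = wh["clientConfig"].get("service", {}).get("namespace")
        wh["failurePolicy"] = "Fail"
        wh["timeoutSeconds"] = 5
        wh["clientConfig"]["caBundle"] = ca_bundle_b64
        wh["namespaceSelector"] = {"matchExpressions": [{"key": "kubernetes.io/metadata.name",
            "operator": "NotIn", "values": ["kube-system"] + ([own_ns] if own_ns else [])}]}
    return out
```

Excluding the webhook's own namespace avoids the deadlock where the webhook Pod cannot be recreated because its own admission check is unavailable.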