Kubernetes Admission Webhooks¶
Tags: Kubernetes, Webhooks, Security, Policy
Validating and Mutating admission webhooks. Policy enforcement, auto-injection, and security in K8s clusters.
Webhook Types¶
Admission webhooks are called by the API server after a request has been authenticated and authorized, but before the object is persisted to etcd. Anything that goes through the API server (kubectl, controllers, operators) passes them; there are two kinds:
- Mutating — modifies the object (sidecar injection, adding labels or defaults)
- Validating — inspects the object and accepts or rejects it (policy enforcement)
Order: Mutating → Validating → Persist to etcd. All mutating webhooks run first, so validating webhooks always see the object after every mutation; a mutating webhook can also be called a second time when a later mutating webhook changed the object (reinvocationPolicy: IfNeeded), so its patches must be idempotent.
Validating Webhook¶
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: deny-latest-tag
webhooks:
- name: deny-latest.example.com
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["pods"]
  clientConfig:
    service:
      name: webhook-server
      namespace: system
      path: /validate
    caBundle: LS0tLS1...
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Fail
```
Mutating Webhook¶
Istio and other service meshes use mutating webhooks to automatically inject sidecar proxies into every pod in a labeled namespace. The webhook does not rewrite the object itself: it returns a JSON Patch (RFC 6902), base64-encoded in the response with patchType: JSONPatch, and the API server applies it. Typical patch contents:
- JSON Patch add operations for appending containers (and init containers)
- Automatic certificate injection
- Adding environment variables and volume mounts
Note that nothing downstream checks what a mutating webhook inserts beyond schema validation and the validating webhooks: the server behind it, and anyone who can edit its configuration, can place arbitrary containers into every matching pod. Treat it as a cluster-admin-equivalent component and restrict write access to MutatingWebhookConfiguration accordingly.
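The following Go program is an added example, not code from the original page and not Istio's injector; it serves both sections above: the /validate logic behind the deny-latest-tag configuration and the JSON Patch a sidecar injector would return from /mutate. Only the admission logic is shown; the HTTPS handler that decodes the POSTed AdmissionReview into review() and encodes the result back is left out, as is the check that request is non-nil. The sidecar image (example.com/proxy:1.4.2), the sample request and its uid are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the admission.k8s.io/v1 AdmissionReview wire format; only the fields this example needs.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}
type AdmissionResponse struct {
	UID       string  `json:"uid"`
	Allowed   bool    `json:"allowed"`
	Result    *Status `json:"status,omitempty"`
	PatchType *string `json:"patchType,omitempty"`
	Patch     []byte  `json:"patch,omitempty"` // encoding/json base64-encodes []byte, as the API expects
}
type Status struct {
	Message string `json:"message,omitempty"`
}
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}
type Pod struct { // only the parts of a Pod that are inspected or patched
	Spec struct {
		InitContainers []Container `json:"initContainers,omitempty"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

// imageTag returns the tag ("" if none) and whether a digest pins the image. Only the last path segment is examined, so "registry.example.com:5000/app" counts as untagged rather than as tag "5000/app".
func imageTag(image string) (tag string, digest bool) {
	if strings.Contains(image, "@") {
		return "", true
	}
	last := image[strings.LastIndex(image, "/")+1:]
	if i := strings.LastIndex(last, ":"); i >= 0 {
		return last[i+1:], false
	}
	return "", false
}

// validatePod lists every mutable image reference (":latest" or untagged), init containers included.
func validatePod(pod Pod) (errs []string) {
	for _, c := range append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...) {
		if tag, digest := imageTag(c.Image); !digest && (tag == "" || tag == "latest") {
			errs = append(errs, fmt.Sprintf("container %q uses mutable image %q; pin a tag or digest", c.Name, c.Image))
		}
	}
	return errs
}

// sidecarPatch returns an RFC 6902 JSON Patch appending the proxy container, or nil if one is already present: a mutating webhook can be re-invoked after another webhook changed the object, so it must be idempotent.
func sidecarPatch(pod Pod) []map[string]interface{} {
	for _, c := range pod.Spec.Containers {
		if c.Name == "proxy" {
			return nil
		}
	}
	sidecar := Container{Name: "proxy", Image: "example.com/proxy:1.4.2"} // assumed sidecar image
	return []map[string]interface{}{{"op": "add", "path": "/spec/containers/-", "value": sidecar}}
}

// review answers one AdmissionReview (mutate=true for /mutate, false for /validate); the response UID must echo the request UID or the API server rejects the reply.
func review(in AdmissionReview, mutate bool) AdmissionReview {
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		resp.Allowed, resp.Result = false, &Status{Message: "cannot decode pod: " + err.Error()} // fail closed
	} else if mutate {
		if ops := sidecarPatch(pod); ops != nil {
			pt := "JSONPatch"
			resp.Patch, _ = json.Marshal(ops)
			resp.PatchType = &pt
		}
	} else if errs := validatePod(pod); len(errs) > 0 {
		resp.Allowed, resp.Result = false, &Status{Message: strings.Join(errs, "; ")}
	}
	return AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
}

// sampleReview is a constructed request in the shape the API server POSTs to the webhook.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"7c4a","object":{"spec":{"initContainers":[{"name":"init","image":"busybox"}],"containers":[{"name":"app","image":"registry.example.com:5000/app:latest"}]}}}}`

func main() {
	var in AdmissionReview
	_ = json.Unmarshal([]byte(sampleReview), &in)
	out, _ := json.Marshal(review(in, false)) // pass true to see the /mutate reply instead
	fmt.Println(string(out))
}
```

Two details are where real webhooks go wrong: the tag check looks only at the last path segment, so a registry with a port is not mistaken for a tag, and init containers are checked too, since a policy that only covers spec.containers is trivially bypassed. Any decode failure is a denial rather than an allow, which is the same fail-closed stance as failurePolicy: Fail in the configuration.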
Summary¶
Admission webhooks are a powerful tool for policy enforcement and automation in K8s: validating webhooks enforce rules, mutating webhooks automatically modify objects. Because they sit in the API server's request path, their configuration is itself security-relevant. failurePolicy: Fail rejects requests while the webhook is unreachable (fail closed); failurePolicy: Ignore lets them through, which turns a crashed, slow or deliberately overloaded webhook into a policy bypass. Scope the rules with namespaceSelector or objectSelector so that an outage cannot block kube-system or the webhook's own pods, keep timeoutSeconds short, and remember that the caBundle only lets the API server authenticate the webhook server: the webhook itself is a trusted component, and write access to its configuration objects should be as restricted as cluster-admin.