What are Kubernetes admission controllers?
A Kubernetes admission controller is code that intercepts requests heading to the Kubernetes API server before persistence, but after authentication and authorization.
Admission controllers enforce custom policies on incoming requests to ensure that only valid and compliant API requests execute. This is essential for maintaining a cluster’s integrity and security posture.
We’ll explore how you can improve your overall infrastructure—whether you use AWS, Azure, or another environment—to manage access, strengthen security, and optimize your Kubernetes clusters’ performance.
🚨 Kubernetes Security Report 2025
This 6 page cheat sheet goes beyond the basics and covers security best practices for Kubernetes pods, components, and network security.
Download PDF
Types of admission controllers
These are the main types of Kubernetes admission controllers:
Mutating admission controllers: These admission controllers validate requests against policies or mutate them by modifying configurations. This includes the MutatingAdmissionWebhook, which allows custom logic to change objects through matching mutating webhooks.
Validating admission controllers: When a request reaches the Kubernetes API server, the metadata and request go through authentication and authorization. This includes the ValidatingAdmissionWebhook, which helps you leverage custom validation logic with matching validating webhooks.
Some controllers handle both of these functions so organizations can more easily maintain compliance and security. This process strengthens the proper resource configuration process within the cluster.
How Kubernetes admission controllers work
The admission control process is critical in Kube’s resource management and security enforcement mechanisms. As a sophisticated filter that processes incoming requests to the Kubernetes API server, admission controllers evaluate whether requests comply with the cluster’s policies and configurations.
Admission controllers operate in two modes: validating and mutating. Validating admission controllers inspect the request object and verify its compliance with a cluster's policies, rejecting requests that fail to meet the criteria. On the other hand, mutating admission controllers can modify the request object—such as injecting sidecar containers or setting default values for unspecified fields—before it is validated and persisted in the cluster state. Additionally, some admission controllers are designed as all-in-one solutions, capable of both validating and mutating the request object.
Admission controller configurations
You can configure and use Kubernetes admission controllers in two main ways, each designed to address specific aspects of resource management, security, and administrative efficiency:
Built-in admission controllers: Kubernetes ships with a set of built-in admission controllers that can be turned on or off based on a cluster's requirements. These controllers cover various functionalities, from enforcing pod security policies to managing resource quotas and ensuring that all namespaced resources have the necessary labels.
Dynamic admission controllers: For scenarios where the built-in controllers are not sufficient, Kubernetes offers dynamic admission controllers, which are implemented through admission webhooks. These webhooks provide a mechanism for introducing custom logic into the admission control process, allowing cluster administrators to enforce custom policies tailored to their specific needs and security contexts.
Webhooks and admission controller configurations
A webhook is an HTTP-based callback function that an event triggers via an HTTP POST request. In Kubernetes, webhooks send admission requests to external services at the specified endpoint and allows the backend to process them using customized policies. When a request reaches the API server, the server can then forward it to a webhook server, which applies custom logic to enable real-time decision-making and dynamic policy enforcement.
Webhooks also provide a dynamic way to enforce custom policies and extend admission controller functionality. Integrating webhooks enhances cluster customization and security, which impacts management and security. They also interact with different Kubernetes API groups to enforce policies.
You can configure Kubernetes admission controllers in two ways to address resource management, security, and administrative efficiency:
Built-in admission controllers: Kubernetes includes a set of built-in admission controllers that administrators can enable or disable based on a cluster’s requirements. These controllers enforce pod security policies, manage resource quotas, and ensure that all namespaced resources have the necessary labels.
Dynamic admission controllers: When built-in controllers are insufficient, Kubernetes provides dynamic admission controllers, which rely on admission webhooks. These webhooks introduce custom logic into the admission control process, enabling cluster administrators to enforce policies that are tailored to their specific needs and security contexts.
Integration with the Kubernetes API server
Seamless integration with the Kubernetes API server enhances the effectiveness of admission controllers, which enforce policies and constraints on workloads. Dynamic admission controllers and webhooks can extend this process beyond built-in controllers for greater customization. These controllers directly impact nodes by enforcing resource policies or scheduling constraints to ensure that workloads meet security and operational requirements.
The interaction between admission controllers and the Kubernetes API server highlights Kubernetes’s extensible and modular design. By allowing organizations to customize security and policy enforcement, Kubernetes provides the flexibility that organizations need to adapt to the evolving security landscape and different applications’ diverse needs.
The importance of admission controllers
Admission controllers are more than just a feature within Kubernetes—they also serve as a cornerstone of cluster security and management, as well as manage Kubernetes resources like Pods, Deployments, and ConfigMaps. By automating administrative tasks, enhancing security, and optimizing resource allocation, admission controllers provide numerous benefits:
| Benefit | Description |
|---|---|
| Enhanced Kubernetes security | Strengthening Kubernetes cluster security is one of admission controllers’ primary roles. They act as the first line of defense, scrutinizing incoming requests to ensure compliance with established security policies and standards. This proactive approach significantly reduces the attack surface and helps you maintain a strong security posture. |
| Unauthorized access and configuration prevention | Admission controllers prevent unauthorized access and configurations that could expose the cluster to security vulnerabilities. This level of control is essential for ensuring compliance with regulatory requirements and organizational security policies. |
| Streamlined cluster management | Beyond security, admission controllers simplify Kubernetes cluster management. They also automate administrative tasks like setting default resource requests and limits, applying labels and annotations, and enforcing naming conventions. |
Troubleshooting common issues with Kubernetes admission controllers
If your admission controllers experience misconfigurations, they can cause efficiency problems.
Below are three common issues and how you can address them with security best practices:
1. Webhook connection errors
If the Kubernetes API server can’t communicate with your admission webhook server, you could experience a timeout or a connection refused failure.
These issues usually occur when there’s an incorrect service configuration, a network connectivity issue, or a TLS or SSL error. You can address these problems by:
Verifying that the webhook service definition, like the name or target port, fits with the ValidatingWebHookConfiguration
Testing connectivity with kubect1 exec with curl or wget using a pod in the exact namespace
Checking that your TLC certificates are valid and configured accurately
Confirming that you have the correct API server logs and identifying detailed error messages
Below is an example of verifying a webhook service definition:
echo "Verifying webhook service..."
kubectl get service $WEBHOOK_SERVICE -n $WEBHOOK_NAMESPACE2. Admission controller–induced latency
Sometimes, webhooks can cause delays with runtimes during an API request, which slows down deployments and operations. These latency issues usually happen because of complex logic, resource constraints, and slow networks.
You can address these issues with the following steps:
Conduct profile webhook performance to find bottlenecks and improve execution time.
Introduce caching mechanisms to reduce redundant computations.
Allocate CPU and memory to handle the request load.
Establish timeouts in the webhook configuration to prevent long delays.
Minimize latency between the API and webhook servers.
Below is an example of setting a timeout for a webhook:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
- name: my-webhook.example.com
timeoutSeconds: 53. Admission controller blocking for valid requests
Controllers may reject valid API requests if you have specific configurations, which prevents deployments. This can happen when you have incorrect policy configuration or missing exceptions, like the lack of a namespace.
You can minimize these blocks by addressing the following steps:
Review the admission policy to find errors within the configurations.
Check webhook logs for any rejection reasons.
Add exceptions for the right resources or namespaces.
Leverage the --dry-run flag with kubect1 apply to test policy changes before you deploy the application.
Below is an example of testing policy changes:
kubectl apply --server-dry-run -f your-manifest.yamlLateral movement risks in the cloud and how to prevent them – Part 2: from compromised container to cloud takeover
Read more
4 best practices for using admission controllers
To leverage admission controllers’ full potential, consider adopting these four best practices:
1. Integrate controllers with CI/CD pipelines
Integrating admission controllers into continuous integration/continuous deployment (CI/CD) pipelines ensures that you deploy only compliant and secure applications, which reduces vulnerability risks.
There are two primary ways to effectively implement this integration:
Automate policy checks: Integrate admission controller validations into the CI/CD pipeline to strengthen your security. You can configure pipeline scripts to include these checks for consistency. Tools like kubeconform can also validate Kubernetes YAML files against the cluster’s admission controllers.
Enforce policies: Improve policy enforcement by adding a validating webhook to apply custom policies during the CI/CD process. This webhook intercepts relevant API requests and validates them against predefined policies to ensure compliance before deployment.
The following Jenkins pipeline includes a deployment stage that performs a dry run of the Kubernetes deployment to check against admission policies. If the dry run fails, the pipeline stops, preventing policy violations.
pipeline {
agent any
stages {
stage('Build') {
steps {
// Build steps here
}
}
stage('Test') {
steps {
// Test steps here
}
}
stage('Deploy') {
steps {
script {
def deployStatus = sh(script: "kubectl apply -f k8s-deployment.yaml --dry-run=server", returnStatus: true)
if (deployStatus != 0) {
error("Deployment failed due to admission policy violation.")
}
sh("kubectl apply -f k8s-deployment.yaml")
}
}
}
}
}CI/CD Pipeline Security Best Practices [Cheat Sheet]
In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response
Download Cheat Sheet
2. Ensure high availability and performance
Admission controllers’ optimal performance and high availability ensure that they don’t become bottlenecks or points of failure in a Kubernetes environment.
Here’s how to maximize their effectiveness:
Implement redundancy: Deploy multiple instances of webhook servers behind a load balancer to maintain redundancy and high availability.
Monitor performance: Use monitoring tools like Prometheus and Grafana to track admission controllers’ and webhook servers’ performance.
The following configuration sets up a mutating webhook that directs requests to a service that’s capable of load-balancing across multiple webhook server instances. This setup enhances high availability by distributing the load efficiently.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: example-mutating-webhook
webhooks:
- name: example.webhook.com
clientConfig:
service:
name: webhook-service
namespace: webhook-namespace
path: "/mutate"
caBundle: <CA_BUNDLE>
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
sideEffects: None
admissionReviewVersions: ["v1", "v1beta1"]3. Regularly update and audit
Updating your admission controllers and webhook servers protects your system against known vulnerabilities and ensures access to the latest features.
To do this, follow these critical steps:
Update regularly: Schedule routine updates for admission controllers and webhook servers to maintain security and performance. Additionally, you can leverage Kubernetes rolling updates to apply changes with minimal disruption.
Check audit logs: Regularly review and audit admission controller configurations and webhook policies to align with current security standards and organizational policies.
The following CronJob runs daily, analyzing Kubernetes audit logs to identify potential security issues or policy violations:
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: audit-log-analysis
spec:
schedule: "0 2 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: log-analyzer
image: log-analyzer:latest
env:
- name: LOG_PATH
value: "/var/log/kubernetes/audit.log"
volumeMounts:
- name: log-volume
mountPath: "/var/log/kubernetes"
restartPolicy: OnFailure
volumes:
- name: log-volume
hostPath:
path: "/var/log/kubernetes"4. Use monitoring and logging
Effective monitoring and logging are essential for tracking admission controller activity, identifying issues, and maintaining compliance.
The following steps can help you do so effectively:
Implement logging for admission stages: Ensure that webhook servers log all admission decisions, including the rationale for rejections. To aggregate and analyze logs, use a centralized logging solution like the Elastic Stack or Grafana Loki.
Set up monitoring and alerts: Use monitoring tools to create dashboards that track admission controller performance and activity and configure alerts for anomalies or operational issues.
The following Fluentd configuration snippet sets up log collection for a webhook server, then forwards logs to an Elasticsearch cluster for centralized logging and analysis:
<source>
@type tail
path /var/log/webhook-server.log
pos_file /var/log/webhook-server.log.pos
tag webhook.logs
<parse>
@type json
</parse>
</source>
<match webhook.logs>
@type elasticsearch
host elasticsearch.logging
port 9200
logstash_format true
logstash_prefix webhook-logs
flush_interval 10s
</match>By following these best practices, organizations can use Kubernetes admission controllers effectively to strengthen cluster security, ensure compliance, and improve operational efficiency. Developers can also get detailed configuration updates on admission controllers from Kubernetes’s docs.
Strengthen your Kubernetes admission control with Wiz
Despite admission controllers’ availability, securing Kubernetes’s control and data plane can still be challenging. As Ofir Cohen, CTO of container security at Wiz, says, “Many developers and DevOps engineers are still playing catch-up with workload identities, and we still see embedded and long-lived secrets leak into container images.”
To start your shift left, adhere to Kubernetes best practices and use a unified cloud security platform to prevent common security issues and delays and improve your Kubernetes cluster’s security posture. Your easiest option for doing so is adopting a platform like Wiz.
Wiz’s Kubernetes admission controller enables organizations to implement a shift-left strategy more effectively and enforce security policies at the deployment stage. Features include:
Fine-grained Kubernetes admission control policies: Wiz provides more targeted and precise control over Kubernetes admission policies. With it, your organization can define specific security policies that block non-compliant deployments, such as preventing highly privileged containers or restricting access to sensitive volumes.
Centralized view of Kubernetes admission review rates: Wiz’s platform offers insights into the admission review process, which allows your team to understand attempted changes and reasons for failures. The following centralized dashboard quickly highlights compliance and security gaps in deployments:
Enhanced event monitoring and custom policy creation: Wiz’s admission controller now generates detailed event logs for every create, update, delete, and connect operation within a cluster. This feature also detects abnormal behavior, such as attempts to delete critical resources or execute kubectl exec commands. Additionally, organizations can configure custom alerts based on event severity to ensure immediate responses to essential issues.
Strong security at deployment: Wiz’s solution prevents untrusted authors from introducing risks by limiting image pulls to specific registries. For example, you can eliminate NodePort risks by denying pods that expose host ports or avoid container breakout attacks by denying pods with root privileges. Your team can also stop DDoS attacks by requiring resource limits.
Visibility and control over admission events: Wiz monitors all admission controller activities to provide transparency into deployment attempts. That way, your team can gain insights into policy violations before they impact your environment and maintain audit trails of all decisions for compliance and security investigations.
Improve your Kubernetes security today
Wiz’s admission controller capabilities represent a major leap in Kubernetes security. The platform provides organizations with the tools to enforce consistent security policies from development to deployment. By integrating these controls into the CI/CD pipeline, developers and security teams can collaborate more effectively, reducing the risk of security breaches and compliance violations.
Interested in leveraging these new capabilities to strengthen your Kubernetes security? Get Wiz’s Kubernetes Security Best Practices Cheat Sheet today to learn how.
Empower your developers, from code to production
Learn why the fastest growing companies trust Wiz to secure Kubernetes from build-time to runtime.
