Inferensys

Glossary

Admission Controller

A Kubernetes-native plug-in that intercepts authenticated API requests to the cluster, enforcing custom security policies and validations before objects are persisted and executed.
ML engineer developing custom LLM, model architecture diagrams on screens, technical deep work environment.
KUBERNETES SECURITY

What is an Admission Controller?

An admission controller is a Kubernetes-native plug-in that intercepts authenticated API requests to the cluster, enforcing custom security policies and validations before objects are persisted and executed.

An admission controller is a piece of code that intercepts requests to the Kubernetes API server after authentication and authorization, but before the object is persisted to etcd. It acts as a final gatekeeper, allowing cluster administrators to enforce custom security policies, validate resource configurations, and mutate incoming objects to meet organizational standards. This mechanism is critical for ML pipeline security hardening, preventing the deployment of containers that violate security contexts or lack required labels.

There are two primary types: mutating and validating admission controllers. Mutating controllers can modify the object, such as injecting a sidecar proxy or adding a seccomp profile, while validating controllers strictly accept or deny the request based on defined rules. Frameworks like the Open Policy Agent (OPA) leverage admission webhooks to apply Policy as Code, ensuring that every pod, deployment, and service complies with the cluster's security posture before execution.

KUBERNETES SECURITY GATEKEEPERS

Key Characteristics of Admission Controllers

Admission controllers are the last line of defense in the Kubernetes API request lifecycle, intercepting authenticated requests before objects are persisted to etcd. They enforce custom security policies, validate configurations, and mutate resources to meet organizational standards.

01

Intercept Every API Request

Admission controllers sit in the critical path between authentication/authorization and object persistence. They inspect every create, update, and delete request to the API server, providing a centralized enforcement point for security policies. This includes requests from users, service accounts, and internal controllers. The webhook call is a synchronous HTTPS request, meaning the API server blocks until the admission controller responds, making latency a critical design consideration.

< 1 sec
Typical Webhook Timeout
02

Mutating vs. Validating Phases

The admission process runs in two distinct phases. Mutating admission controllers run first and can modify objects—injecting sidecar proxies, adding default labels, or setting resource limits. Validating admission controllers run second and can only accept or reject requests. This ordering ensures that validators inspect the final, mutated object. A common pattern is using a mutating webhook to inject an Istio sidecar, followed by a validating webhook to enforce that all pods have a sidecar present.

04

Object Selector Scoping

To minimize latency and reduce the blast radius of misconfigured webhooks, admission controllers support fine-grained scoping via objectSelector and namespaceSelector fields. These use Kubernetes label selectors to target only specific namespaces or objects. For example, a security policy for PCI-compliant workloads can be scoped to namespaceSelector: matchLabels: { compliance: pci }, ensuring non-sensitive workloads are never blocked by the webhook.

05

Built-in vs. External Controllers

Kubernetes ships with over 30 built-in admission controllers compiled into the API server binary, including PodSecurity, ResourceQuota, and LimitRanger. External controllers run as separate services and communicate via webhooks. Built-in controllers are always available and have zero network latency, but external controllers offer greater flexibility and can integrate with third-party policy engines like Open Policy Agent (OPA) or Kyverno.

ADMISSION CONTROLLER INSIGHTS

Frequently Asked Questions

Explore the core concepts of Kubernetes admission controllers, the critical gatekeepers that enforce security and compliance policies before objects are persisted to the cluster.

An Admission Controller is a piece of code that intercepts authenticated API requests to the Kubernetes API server before an object is persisted to etcd, but after the request has been authenticated and authorized. It acts as a final gatekeeper, allowing you to enforce custom security policies, validate configurations, and mutate resource definitions. The process works in two distinct phases: the Mutating Admission phase, where controllers can modify the incoming object to inject default values or sidecars, and the Validating Admission phase, where controllers can accept or reject the request based on complex logic. If any validating controller rejects the request, the object is never stored, and the user receives an error. This mechanism is fundamental to ML Pipeline Security Hardening, ensuring that only compliant, secure pods and deployments are instantiated in your cluster.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.