Inferensys

Glossary

Admission Controller

A piece of code that intercepts requests to the Kubernetes API server after authentication and authorization, and can modify or reject the request based on custom policies.
Knowledge engineer constructing knowledge base on laptop, document hierarchy visible, casual office setup.
KUBERNETES SECURITY

What is an Admission Controller?

An admission controller is a piece of code that intercepts authenticated requests to the Kubernetes API server before object persistence, enabling policy-based mutation or rejection of resources.

An admission controller is a compiled plugin or webhook that intercepts requests to the Kubernetes API server after authentication and authorization, but before the object is persisted to etcd. It acts as a policy enforcement gate, capable of mutating incoming objects to inject default values or sidecar containers, or validating requests to reject non-compliant specifications outright. This two-phase architecture—mutating then validating—ensures that every resource, from a Pod to a CustomResourceDefinition, conforms to organizational security and operational standards before execution.

Admission controllers are fundamental to tamper-proof model registries in sovereign AI infrastructure, where they enforce immutable tagging and signature verification on OCI artifacts. By integrating with Open Policy Agent (OPA) or the ValidatingAdmissionPolicy API, they can cryptographically verify Sigstore attestations and reject deployments lacking a valid Software Bill of Materials (SBOM). This guarantees that only models with proven provenance and integrity ever reach a production node, closing a critical supply chain gap.

KUBERNETES POLICY ENFORCEMENT

Key Features of Admission Controllers

Admission controllers are critical security and governance plugins that intercept all requests to the Kubernetes API server after authentication and authorization, enabling dynamic policy enforcement, resource mutation, and compliance validation before any object is persisted to etcd.

KUBERNETES SECURITY

Frequently Asked Questions

Clear answers to common questions about admission controllers, their role in Kubernetes security, and how they enforce policy in sovereign AI infrastructure.

An admission controller is a piece of code that intercepts authenticated and authorized requests to the Kubernetes API server before objects are persisted to etcd. It acts as a final gatekeeper in the API request lifecycle, sitting after authentication and authorization but before the object is stored. Admission controllers can perform three types of operations: validating (accepting or rejecting a request based on policy rules), mutating (modifying the request object, such as injecting default values or sidecar containers), or both. They are compiled into the kube-apiserver binary or deployed as external webhooks via the ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources. This extensible architecture allows platform teams to enforce custom policies—such as requiring specific labels, blocking privileged containers, or injecting SBOM attestations—without modifying core Kubernetes source code. In sovereign AI infrastructure, admission controllers are critical for enforcing data residency constraints, ensuring only signed model images from a private container registry are deployed, and preventing workloads from running on unauthorized nodes.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.