An admission controller is a compiled plugin or webhook that intercepts requests to the Kubernetes API server after authentication and authorization, but before the object is persisted to etcd. It acts as a policy enforcement gate, capable of mutating incoming objects to inject default values or sidecar containers, or validating requests to reject non-compliant specifications outright. This two-phase architecture—mutating then validating—ensures that every resource, from a Pod to a CustomResourceDefinition, conforms to organizational security and operational standards before execution.
Glossary
Admission Controller

What is an Admission Controller?
An admission controller is a piece of code that intercepts authenticated requests to the Kubernetes API server before object persistence, enabling policy-based mutation or rejection of resources.
Admission controllers are fundamental to tamper-proof model registries in sovereign AI infrastructure, where they enforce immutable tagging and signature verification on OCI artifacts. By integrating with Open Policy Agent (OPA) or the ValidatingAdmissionPolicy API, they can cryptographically verify Sigstore attestations and reject deployments lacking a valid Software Bill of Materials (SBOM). This guarantees that only models with proven provenance and integrity ever reach a production node, closing a critical supply chain gap.
Key Features of Admission Controllers
Admission controllers are critical security and governance plugins that intercept all requests to the Kubernetes API server after authentication and authorization, enabling dynamic policy enforcement, resource mutation, and compliance validation before any object is persisted to etcd.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to common questions about admission controllers, their role in Kubernetes security, and how they enforce policy in sovereign AI infrastructure.
An admission controller is a piece of code that intercepts authenticated and authorized requests to the Kubernetes API server before objects are persisted to etcd. It acts as a final gatekeeper in the API request lifecycle, sitting after authentication and authorization but before the object is stored. Admission controllers can perform three types of operations: validating (accepting or rejecting a request based on policy rules), mutating (modifying the request object, such as injecting default values or sidecar containers), or both. They are compiled into the kube-apiserver binary or deployed as external webhooks via the ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources. This extensible architecture allows platform teams to enforce custom policies—such as requiring specific labels, blocking privileged containers, or injecting SBOM attestations—without modifying core Kubernetes source code. In sovereign AI infrastructure, admission controllers are critical for enforcing data residency constraints, ensuring only signed model images from a private container registry are deployed, and preventing workloads from running on unauthorized nodes.
Related Terms
Admission controllers are one component in a broader cloud-native security architecture. These related concepts form the complete policy enforcement and integrity verification stack.
ValidatingAdmissionWebhook
A Kubernetes API mechanism that calls an external service to validate a request before it is persisted. Unlike mutating webhooks, these cannot modify the object—only accept or reject.
- The API server sends a JSON
AdmissionReviewto the webhook endpoint - The webhook must respond within a configurable timeout (default 10 seconds)
- Failure policies (
IgnoreorFail) determine behavior when the webhook is unreachable
MutatingAdmissionWebhook
A webhook that intercepts API requests and can modify the object before persistence. Commonly used to inject sidecar containers, set default values, or add labels automatically.
- Executed before validating webhooks in the admission chain
- Must return a JSON patch describing the modifications
- Requires careful design to avoid infinite mutation loops via
reinvocationPolicy
Pod Security Admission (PSA)
A built-in admission controller that enforces Pod Security Standards at the namespace level. Replaces the deprecated PodSecurityPolicy (PSP) with a simpler, label-driven model.
- Three policy levels: privileged, baseline, and restricted
- Enforced via namespace labels:
pod-security.kubernetes.io/enforce - Supports audit and warn modes for gradual rollout without breaking workloads
Dynamic Admission Control
The extensible architecture that allows admission webhooks to be registered and modified at runtime without recompiling the API server. Contrasts with built-in admission plugins that are compiled into kube-apiserver.
- Webhooks are registered via
ValidatingWebhookConfigurationorMutatingWebhookConfigurationresources - Supports object selector rules to filter which resources trigger the webhook
- Requires TLS certificates for secure communication between the API server and webhook

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us