Kubernetes Admission Controllers & Policy

How admission controllers enforce cluster policies: OPA/Gatekeeper, Kyverno, and Pod Security Standards.

Key Takeaways

  • Mutating webhooks: modify requests before they are persisted (e.g. sidecar injection)
  • Validating webhooks: enforce policy by rejecting non-compliant resources
  • OPA/Gatekeeper or Kyverno for custom policy-as-code

Admission Controller Types

Mutating admission controllers modify incoming requests (e.g. inject a sidecar or add default resource limits). Validating admission controllers accept or reject requests based on policy. OPA/Gatekeeper and Kyverno implement both. Pod Security Standards (Baseline, Restricted) are built-in validating policies.
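
Added example, not from the original page or from Gatekeeper or Kyverno: the mutating and validating steps applied to an AdmissionReview v1 request as plain Python functions. The default limits, the privileged-container rule, and the sample Pod are assumptions chosen for illustration.

```python
import base64
import json

DEFAULT_LIMITS = {"cpu": "500m", "memory": "256Mi"}  # assumed cluster defaults

def _response(review, allowed, **extra):
    """Wrap a verdict in an AdmissionReview v1 response, echoing the request uid."""
    resp = {"uid": review["request"]["uid"], "allowed": allowed, **extra}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

def mutate(review):
    """Mutating step: return a JSONPatch that adds default limits where missing."""
    ops = []
    for i, c in enumerate(review["request"]["object"]["spec"].get("containers", [])):
        if "resources" not in c:
            ops.append({"op": "add", "path": f"/spec/containers/{i}/resources",
                        "value": {"limits": DEFAULT_LIMITS}})
        elif "limits" not in c["resources"]:
            ops.append({"op": "add", "path": f"/spec/containers/{i}/resources/limits",
                        "value": DEFAULT_LIMITS})
    if not ops:
        return _response(review, True)
    # The API server expects the patch as base64-encoded JSON with patchType set.
    patch = base64.b64encode(json.dumps(ops).encode()).decode()
    return _response(review, True, patchType="JSONPatch", patch=patch)

def validate(review):
    """Validating step: reject Pods with a privileged container or init container."""
    spec = review["request"]["object"]["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            msg = f"container {c['name']!r} must not set securityContext.privileged"
            return _response(review, False, status={"code": 403, "message": msg})
    return _response(review, True)

# Constructed sample request, not taken from a real cluster.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "constructed-uid-0001", "operation": "CREATE",
    "object": {"kind": "Pod", "metadata": {"name": "demo"}, "spec": {"containers": [
        {"name": "app", "image": "registry.example/app:1.0"},
        {"name": "debug", "image": "registry.example/debug:1.0",
         "resources": {"requests": {"cpu": "100m"}},
         "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    print(json.dumps(mutate(SAMPLE), indent=2))
    print(json.dumps(validate(SAMPLE), indent=2))
```

The mutating response always allows the request and only proposes changes; the rejection comes from the validating step, which returns `allowed: false` with a status message the API server passes back to the client.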
