Kubernetes Admission Controllers & Policy

How admission controllers enforce cluster policies: OPA/Gatekeeper, Kyverno, and Pod Security Standards.

~1 min read

Be the first to complete!

What you'll learn

Mutating webhooks: modify requests before persist (sidecar injection)
Validating webhooks: enforce policy (reject non-compliant resources)
OPA/Gatekeeper or Kyverno for custom policy-as-code

Admission Controller Types

Mutating admission controllers modify incoming requests (e.g. inject sidecar, add default resource limits). Validating admission controllers accept/reject requests based on policy. OPA/Gatekeeper and Kyverno implement both. Pod Security Standards (Baseline, Restricted) are built-in validating policies.

Key takeaways

Mutating webhooks: modify requests before persist (sidecar injection)
Validating webhooks: enforce policy (reject non-compliant resources)
OPA/Gatekeeper or Kyverno for custom policy-as-code

Related concepts

Explore topics that connect to this one.

Suggested next

Often learned after this topic.

secrets encryption vault

Ready to see how this works in the cloud?

Switch to Career Paths for structured paths (e.g. Developer, DevOps) and provider-specific lessons.

View role-based paths

Continue learning

secrets encryption vault

Discussion

Questions? Discuss in the community or start a thread below.

Join Discord

Kubernetes Admission Controllers & Policy

Admission Controller Types

Discussion

In-app Q&A

Kubernetes Admission Controllers & Policy

Admission Controller Types

Discussion

In-app Q&A