Kubernetes admission control

How admission control works

When a client runs kubectl apply, the request hits the API server and flows through authentication → authorization → mutating admission → object schema validation → validating admission → persistence to etcd. An admission webhook that rejects the request blocks the entire create or update.

Webhooks are registered via ValidatingWebhookConfiguration or MutatingWebhookConfiguration resources. When a matching request arrives, the API server POSTs the object to the webhook URL. The webhook responds with {allowed: true|false, patches: [...]}.

Built-in admission controllers

Kubernetes ships with several built-in controllers including NamespaceLifecycle, ResourceQuota, and PodSecurity (the successor to PodSecurityPolicy). Pod Security Standards enforcement via the built-in PodSecurity controller is a practical first step for blocking privileged pods.

OPA Gatekeeper, Kyverno, and custom webhooks

OPA Gatekeeper uses Rego policies and integrates with the broader Open Policy Agent ecosystem. Powerful, with a learning curve.

Kyverno uses native YAML policies, so no new language is required. Easier onboarding, slightly less flexible for complex logic.

Custom webhooks (Go, Python, etc.) give maximum flexibility at the cost of maintenance.

Juliet includes a bundled admission controller that ships with a set of production-ready policies and supports custom Rego for Enterprise customers.

What to enforce with admission

• Block containers running as root or with allowPrivilegeEscalation: true.
• Require resource limits on every container.
• Block hostPath mounts outside a narrow allowlist.
• Require images only from approved registries.
• Block pods without liveness or readiness probes in production namespaces.
• Require Pod Security Standards baseline (or restricted) on every namespace.
• Block creation of RoleBindings or ClusterRoleBindings that grant cluster-admin.