Admission controllers
Intro
An Admission Controller checks incoming requests to the API server for validity after they have been authenticated and authorized. Kubernetes got many different built in Admission Controllers, which perform different tasks. These are already compiled in the kube-apiserver binary, but must be enabled to function within a Kubernetes cluster. If an API request is blocked by an Admission Controller, the user will receive an error message.
Analogy
Imagine you're going to a fancy party and the host wants to make sure everyone is dressed appropriately. So they have a special person standing at the door checking everyone's outfit. This person is called a "dress code controller".
In the same way, Kubernetes has a "controller" that checks if any new applications (like guests at a party) meet certain requirements before they can enter the cluster (the party). This is called an "admission controller".
Type of Admission controllers
There are several different types of admission controllers in Kubernetes, each with its own specific use case. For example:
The Mutating Admission Webhook can modify incoming objects before they're admitted to the cluster. For example, it could automatically inject a sidecar container into a pod to add additional functionality.
The Validating Admission Webhook can reject objects that don't meet specific criteria. For example, it could ensure that all containers in a pod are running with non-root privileges to reduce the risk of a security breach.
A complete list of all Admission Controllers and more information can be found here.
An exhibit of Admission Controller
Practice scenarios
NodeRestriction Admission controller - Killer.sh (no need of local cluster)
KodeKloud - Challenge #2 (no need of local cluster)
Additional resource
blog article by Slack of Admission controllers with example.
Github repo to block containers from running with root user (Validating admission controller)
OPA (Open Policy Agent) - Midum article
Dynamic web-hook demo - Github