Edit This Page

Dynamic Admission Control

The admission controllers documentation introduces how to use standard, plugin-style admission controllers. However, plugin admission controllers are not flexible enough for all use cases, due to the following:

Admission Webhooks (beta in 1.9) addresses these limitations. It allows admission controllers to be developed out-of-tree and configured at runtime.

This page describes how to use Admission Webhooks.

What are admission webhooks?

Admission webhooks are HTTP callbacks that receive admission requests and do something with them. You can define two types of admission webhooks, validating admission Webhook and mutating admission webhook. With validating admission Webhooks, you may reject requests to enforce custom admission policies. With mutating admission Webhooks, you may change requests to enforce custom defaults.

Experimenting with admission webhooks

Admission webhooks are essentially part of the cluster control-plane. You should write and deploy them with great caution. Please read the user guides for instructions if you intend to write/deploy production-grade admission webhooks. In the following, we describe how to quickly experiment with admission webhooks.


Write an admission webhook server

Please refer to the implementation of the admission webhook server that is validated in a Kubernetes e2e test. The webhook handles the admissionReview requests sent by the apiservers, and sends back its decision wrapped in admissionResponse.

the admissionReview request can have different versions (e.g. v1beta1 or v1 in a future version). The webhook can define what version they accept using admissionReviewVersions field. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If the webhook configuration has already been persisted, calls to the webhook will fail and be subject to the failure policy.

The example admission webhook server leaves the ClientAuth field empty, which defaults to NoClientCert. This means that the webhook server does not authenticate the identity of the clients, supposedly apiservers. If you need mutual TLS or other ways to authenticate the clients, see how to authenticate apiservers.

Deploy the admission webhook service

The webhook server in the e2e test is deployed in the Kubernetes cluster, via the deployment API. The test also creates a service as the front-end of the webhook server. See code.

You may also deploy your webhooks outside of the cluster. You will need to update your webhook client configurations accordingly.

Configure admission webhooks on the fly

You can dynamically configure what resources are subject to what admission webhooks via ValidatingWebhookConfiguration or MutatingWebhookConfiguration.

The following is an example validatingWebhookConfiguration, a mutating webhook configuration is similar.

kind: ValidatingWebhookConfiguration
  name: <name of this configuration object>
- name: <webhook name, e.g.,>
  - apiGroups:
    - ""
    - v1
    - CREATE
    - pods
    scope: "Namespaced"
      namespace: <namespace of the front-end service>
      name: <name of the front-end service>
    caBundle: <pem encoded ca cert that signs the server cert used by the webhook>
  - v1beta1
  timeoutSeconds: 1

The scope field specifies if only cluster-scoped resources (“Cluster”) or namespace-scoped resources (“Namespaced”) will match this rule. “*” means that there are no scope restrictions.

Note: When using clientConfig.service, the server cert must be valid for <svc_name>.<svc_namespace>.svc.
Note: Default timeout for a webhook call is 30 seconds but starting in kubernetes 1.14 you can set the timeout and it is encouraged to use a very small timeout for webhooks. If the webhook call times out, the request is handled according to the webhook’s failure policy.

When an apiserver receives a request that matches one of the rules, the apiserver sends an admissionReview request to webhook as specified in the clientConfig.

After you create the webhook configuration, the system will take a few seconds to honor the new configuration.

Authenticate apiservers

If your admission webhooks require authentication, you can configure the apiservers to use basic auth, bearer token, or a cert to authenticate itself to the webhooks. There are three steps to complete the configuration.

kind: AdmissionConfiguration
- name: ValidatingAdmissionWebhook
    kind: WebhookAdmission
    kubeConfigFile: <path-to-kubeconfig-file>
- name: MutatingAdmissionWebhook
    kind: WebhookAdmission
    kubeConfigFile: <path-to-kubeconfig-file>

The schema of admissionConfiguration is defined here.

apiVersion: v1
kind: Config
# DNS name of webhook service, i.e., <service name>.<namespace>.svc, or the URL
# of the webhook server.
- name: 'webhook1.ns1.svc'
    client-certificate-data: <pem encoded certificate>
    client-key-data: <pem encoded key>
# The `name` supports using * to wildmatch prefixing segments.
- name: '*'
    password: <password>
    username: <name>
# '*' is the default match.
- name: '*'
    token: <token>

Of course you need to set up the webhook server to handle these authentications.