pod admission controllers & webhooks



Pod admission controllers and webhooks are both mechanisms in Kubernetes for intercepting and controlling requests related to pod creation, modification, and deletion, but they operate at different levels and serve different purposes.

| Pod admission controllers | Webhooks |
| --- | --- |
| Pod admission controllers are built-in components of the Kubernetes API server that intercept requests to create, modify, or delete pods and apply custom logic to these requests before they are allowed to proceed. | Webhooks in Kubernetes are triggered by specific events, such as pod creation or modification. |
| Pod admission controllers in Kubernetes are not explicitly categorized in the same way as webhooks. | Webhooks are categorized as admission webhooks (validating and mutating) and audit webhooks. |
| Pod admission controllers are executed within the Kubernetes API server itself, and they operate synchronously during the admission process. | Webhooks, particularly admission webhooks, come into play when organizations require policy enforcement or validation logic that cannot be implemented synchronously within the Kubernetes API server. |
| Use pod admission controllers for policy enforcement that can be implemented synchronously within the Kubernetes API server. | Webhooks operate asynchronously, i.e. they are triggered when needed, also by integrating with external services. Asynchronously here means they receive admission requests over HTTP, process them externally, and return responses indicating whether requests should be allowed, denied, or modified. |
| Pod admission controllers enforce policies on pod creation requests in real time, ensuring that pods adhere to defined constraints or requirements before being admitted to the cluster. | Webhooks can mutate pod specifications before they are persisted to the cluster, allowing for tasks like injecting sidecar containers or adding default settings. |

PS: We cannot create pod admission controllers; they come by default in the cluster.

We can, however, create custom pod admission controllers in the form of webhooks (validating admission webhooks and mutating admission webhooks),

and also use external controllers like OPA Gatekeeper and Kyverno.

Validating admission webhooks focus on validating admission requests against predefined policies, while mutating admission webhooks focus on modifying admission requests to enforce standard configurations or apply custom adjustments.
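
The request and response handling described above, as an added example that is not code from the original post: validate() denies a pod with a privileged container, and mutate() returns a JSONPatch that adds a default setting. The two policies, the function names and the sample request are assumptions made for illustration; in a cluster these functions would sit behind the HTTPS endpoint the API server calls.

```python
import base64
import json

def _respond(review, allowed, message=None, patch=None):
    """Build the AdmissionReview response the API server expects back."""
    response = {"uid": review["request"]["uid"], "allowed": allowed}
    if message:
        response["status"] = {"code": 403, "message": message}
    if patch:
        # JSONPatch operations travel base64-encoded in the response.
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def validate(review):
    """Validating webhook: reject pods that request a privileged container."""
    spec = review["request"]["object"]["spec"]
    kinds = ("containers", "initContainers", "ephemeralContainers")
    for c in (c for k in kinds for c in spec.get(k) or []):
        if (c.get("securityContext") or {}).get("privileged"):
            return _respond(review, False, f"container {c['name']!r} is privileged")
    return _respond(review, True)

def mutate(review):
    """Mutating webhook: default runAsNonRoot=true when the pod does not set it."""
    sec = review["request"]["object"]["spec"].get("securityContext")
    if sec is None:
        patch = [{"op": "add", "path": "/spec/securityContext",
                  "value": {"runAsNonRoot": True}}]
    elif "runAsNonRoot" not in sec:
        patch = [{"op": "add", "path": "/spec/securityContext/runAsNonRoot",
                  "value": True}]
    else:
        patch = None  # the pod author set it explicitly; leave it alone
    return _respond(review, True, patch=patch)

# Constructed sample request (not captured from a real cluster).
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
          "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
                      "object": {"kind": "Pod", "spec": {"containers": [
                          {"name": "app", "image": "example.invalid/app:1",
                           "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE)["response"], indent=2))
    print(json.loads(base64.b64decode(mutate(SAMPLE)["response"]["patch"])))
```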