Admission Controller Vocabulary — Kubernetes Policy
Practice the precise vocabulary used when configuring and communicating about Kubernetes admission controllers: mutating vs. validating webhooks, policy enforcement decisions, OPA Gatekeeper language, and how to explain a rejected workload to a teammate.
Vocabulary Reference
- admission controller: A Kubernetes API server plug-in that intercepts requests before they are persisted; it can mutate (modify) or validate (accept/reject) resources.
- mutating webhook: An admission webhook that modifies the incoming resource object before it is stored, e.g. injecting a sidecar, adding default labels, or setting a default security context.
- validating webhook: An admission webhook that only accepts or rejects a resource; it cannot modify it. It is called after mutating webhooks in the admission chain.
- policy enforcement: The act of blocking or modifying a resource request because it violates a defined policy rule.
- OPA Gatekeeper: A Kubernetes-native OPA integration that uses ConstraintTemplates (Rego) and Constraint resources (YAML) to enforce policy via validating admission webhooks.
- "the pod was rejected because": Standard phrasing when explaining an admission denial: "The pod was rejected because the image does not come from the approved registry."