Build fluency in the vocabulary of enforcing a custom cluster policy at resource admission time.
0 / 5 completed
1 / 5
At standup, a dev mentions the Kubernetes API server calling out to an external HTTP endpoint to approve or reject a resource before it's persisted, rather than relying only on its own built-in checks. What is this mechanism called?
An admission webhook has the Kubernetes API server call out to an external HTTP endpoint to approve or reject a resource before it's persisted, extending validation and defaulting behavior beyond the API server's own built-in checks. Persisting every submitted resource immediately, with no external endpoint consulted, leaves no room for a cluster-specific policy the built-in checks don't cover. This external call is what lets a cluster enforce a custom, organization-specific rule at admission time.
2 / 5
During a design review, the team wants a webhook that can reject a non-compliant resource outright, distinct from one that can only modify a resource's fields before it's persisted. Which capability supports this?
The distinction between a validating webhook, which can only accept or reject a resource, and a mutating webhook, which can modify a resource's fields before it's persisted, gives the admission chain two clearly separated roles. Using one undifferentiated webhook type for both purposes blurs a policy decision with a defaulting or injection behavior, making the admission chain harder to reason about. This distinction is fundamental to how Kubernetes structures its admission control pipeline.
3 / 5
In a code review, a dev notices the webhook configuration specifies a failure policy determining whether the API server should reject a resource or let it through if the webhook itself becomes unreachable. What does this represent?
The webhook failure policy determines whether the API server should reject a resource or let it through if the webhook itself becomes unreachable, giving the cluster operator an explicit choice between fail-closed safety and fail-open availability. Configuring a webhook with no failure policy at all leaves that critical behavior undefined right when it matters most, during an outage of the webhook itself. This policy is essential to reasoning about a cluster's behavior if an admission webhook ever goes down.
4 / 5
An incident report shows the entire cluster was unable to create any new resource for several minutes because a validating webhook's backing service went down and its failure policy was set to reject on failure. What practice would prevent this?
Running the webhook service with high availability, and choosing a failure policy that actually matches how critical its check is, prevents a webhook outage from stalling every resource creation across the entire cluster. Running a single, non-redundant instance with a fail-closed policy and no regard for its own availability is exactly what caused the outage this incident describes. This combination of resilience and a deliberately chosen failure policy is essential for any webhook sitting in the cluster's critical admission path.
5 / 5
During a PR review, a teammate asks why the team enforces a custom policy through an admission webhook instead of relying only on the API server's own built-in validation. What is the reasoning?
The API server's built-in validation doesn't know about an organization-specific rule, like requiring every Pod to carry a particular label or forbidding a container from running as root. An admission webhook can enforce exactly that custom policy at the moment a resource is submitted, before it's ever persisted. The tradeoff is the added operational responsibility of keeping the webhook's own service highly available, since it now sits in the critical path of every resource submission it's configured to intercept.