KubeDojo

Admission Controllers: Validating and Mutating

by Alexis Kinsella · 16 min read

Authentication passes. Authorization passes. The Pod still gets rejected. Something between the API server's authorization layer and etcd said no. That something is admission control.

Admission controllers are the final enforcement point in the Kubernetes request lifecycle. Every create, update, or delete passes through them after authentication and authorization, but before the object is persisted to etcd. Built-in controllers enforce Kubernetes invariants: defaulting service accounts, enforcing quotas, applying Pod Security Standards. Policy engines like OPA Gatekeeper and Kyverno extend that gate with organization-specific security rules. And since Kubernetes v1.30, ValidatingAdmissionPolicy lets you write CEL-based validation rules directly in the API, with no webhook server to operate.
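As an illustration of the CEL-based approach mentioned above, here is a ValidatingAdmissionPolicy and its binding that reject Pods with privileged containers; this is an added example, not part of the original lesson. The policy and binding names and the namespace label `admission.example.com/enforce` are hypothetical.

```yaml
# Added example: names and the namespace label below are hypothetical.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-privileged-containers.example.com
spec:
  # Fail closed: if a CEL expression errors at evaluation time, reject the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # securityContext and privileged are optional fields, so guard with has()
    # before reading them; an absent field counts as "not privileged".
    - expression: >-
        object.spec.containers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          c.securityContext.privileged == false)
      message: "privileged containers are not allowed"
    # initContainers is itself optional, so check the list exists first.
    - expression: >-
        !has(object.spec.initContainers) ||
        object.spec.initContainers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          c.securityContext.privileged == false)
      message: "privileged init containers are not allowed"
---
# A policy does nothing until a binding puts it into effect.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-privileged-containers-binding.example.com
spec:
  policyName: deny-privileged-containers.example.com
  # Deny rejects the request; Warn and Audit allow rolling out in report-only mode.
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        admission.example.com/enforce: "true"
```

Starting the binding with `validationActions: ["Warn", "Audit"]` and switching to `Deny` once existing workloads are clean avoids blocking deployments on the first rollout.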
