{"id":179,"date":"2025-05-23T07:04:43","date_gmt":"2025-05-23T07:04:43","guid":{"rendered":"https:\/\/devsecopsschool.com\/blog\/?p=179"},"modified":"2025-05-23T07:04:43","modified_gmt":"2025-05-23T07:04:43","slug":"admission-controllers-in-devsecops-a-comprehensive-tutorial","status":"publish","type":"post","link":"https:\/\/devsecopsschool.com\/blog\/admission-controllers-in-devsecops-a-comprehensive-tutorial\/","title":{"rendered":"Admission Controllers in DevSecOps: A Comprehensive Tutorial"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Introduction &amp; Overview<\/h1>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sysdig.com\/wp-content\/uploads\/Kubernetes-Admission-controllers-01-flow-diagram.jpg\" alt=\"\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">What are Admission Controllers?<\/h3>\n\n\n\n<p>Admission Controllers are Kubernetes plugins that intercept and process requests to the Kubernetes API server before objects (e.g., pods, deployments) are persisted. They enforce policies, validate configurations, or mutate resources to ensure compliance with organizational standards.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/bqu_AjJEWflNHJQsbZ4p_PcGxsYdvafTICmatHlGKsS3d5JBzIiV7j_JQGAm-Ii7qSAgCyASPBD1jZi-kSQ0Ekb9YmkNCIzAhk3geYeudtHFhBSGLmpV33fDk7KseNzZbuEphF0AleYL7gW20A\" alt=\"\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">History or Background<\/h3>\n\n\n\n<p>Introduced in Kubernetes 1.0 (2015), Admission Controllers have evolved to address growing needs for security and governance in containerized environments. 
Initially focused on basic validation, they now support dynamic policy enforcement through webhooks, aligning with DevSecOps principles of integrating security into the development lifecycle.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why is it Relevant in DevSecOps?<\/h3>\n\n\n\n<p>In DevSecOps, security is embedded into every phase of the software delivery pipeline. Admission Controllers play a pivotal role by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforcing security policies (e.g., restricting untrusted images).<\/li>\n\n\n\n<li>Automating compliance checks (e.g., ensuring resource limits).<\/li>\n\n\n\n<li>Enabling rapid feedback loops for developers.<\/li>\n\n\n\n<li>Reducing manual security reviews by codifying policies.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Core Concepts &amp; Terminology<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Key Terms and Definitions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validating Admission Controller<\/strong>: Rejects or allows API requests based on predefined rules (e.g., PodSecurityStandards).<\/li>\n\n\n\n<li><strong>Mutating Admission Controller<\/strong>: Modifies API requests before persistence (e.g., injecting sidecar containers).<\/li>\n\n\n\n<li><strong>Webhook<\/strong>: External service called by the Kubernetes API to process admission requests.<\/li>\n\n\n\n<li><strong>Namespace<\/strong>: Logical isolation within a Kubernetes cluster where policies can be applied.<\/li>\n\n\n\n<li><strong>Policy<\/strong>: A rule or set of rules enforced by an Admission Controller.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Term<\/th><th>Definition<\/th><\/tr><\/thead><tbody><tr><td><strong>Mutating Webhook<\/strong><\/td><td>Modifies requests before persistence (e.g., injecting sidecars)<\/td><\/tr><tr><td><strong>Validating Webhook<\/strong><\/td><td>Accepts or rejects requests based on custom logic<\/td><\/tr><tr><td><strong>Admission 
Webhook<\/strong><\/td><td>External HTTP callback used to validate\/mutate API requests<\/td><\/tr><tr><td><strong>API Server<\/strong><\/td><td>Core Kubernetes component that handles REST requests to the cluster<\/td><\/tr><tr><td><strong>OPA\/Gatekeeper<\/strong><\/td><td>Policy engine for Kubernetes Admission Control, based on Open Policy Agent<\/td><\/tr><tr><td><strong>Kyverno<\/strong><\/td><td>Kubernetes-native policy engine focused on Admission Control<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">How It Fits into the DevSecOps Lifecycle<\/h3>\n\n\n\n<p>Admission Controllers integrate into the DevSecOps lifecycle by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Shift-Left Security<\/strong>: Validating configurations during development or CI\/CD.<\/li>\n\n\n\n<li><strong>Automation<\/strong>: Enforcing policies without manual intervention.<\/li>\n\n\n\n<li><strong>Continuous Compliance<\/strong>: Ensuring deployments meet regulatory standards (e.g., PCI-DSS, HIPAA).<\/li>\n\n\n\n<li><strong>Feedback Loop<\/strong>: Providing immediate feedback to developers on policy violations.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#091;Code Commit] --&gt; &#091;CI Build] --&gt; &#091;Admission Controller (Validation)] --&gt; &#091;Deploy to Cluster]\n                                                                            |\n                                                   &#091;Reject or mutate invalid manifests]\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Architecture &amp; How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Components and Internal Workflow<\/h3>\n\n\n\n<p>Admission Controllers operate within the Kubernetes API server\u2019s request processing pipeline:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Authentication and Authorization<\/strong>: The API server verifies the user\u2019s identity and permissions.<\/li>\n\n\n\n<li><strong>Mutation Phase<\/strong>: Mutating 
controllers modify the resource (e.g., adding labels).<\/li>\n\n\n\n<li><strong>Validation Phase<\/strong>: Validating controllers check the resource against policies.<\/li>\n\n\n\n<li><strong>Persistence<\/strong>: If approved, the resource is saved to etcd.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture Diagram<\/h3>\n\n\n\n<p>The architecture can be visualized as a flowchart. An API request enters the Kubernetes API server, passing through authentication and authorization modules. It then reaches the Admission Controller chain, split into mutating and validating phases. Mutating controllers (e.g., sidecar injectors) modify the request, followed by validating controllers (e.g., OPA Gatekeeper) that enforce policies. If all checks pass, the request is persisted to etcd. External webhooks may be called during either phase to extend functionality.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#091;User\/CI] \n   \u2193\n&#091;API Server]\n   \u2193\n&#091;Mutating Webhook] (e.g., inject sidecar)\n   \u2193\n&#091;Validating Webhook] (e.g., enforce security policies)\n   \u2193\n&#091;etcd \/ Cluster State]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Integration Points with CI\/CD or Cloud Tools<\/h3>\n\n\n\n<p>Admission Controllers integrate with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CI\/CD Pipelines<\/strong>: Tools like Jenkins or GitLab CI\/CD trigger deployments that Admission Controllers validate.<\/li>\n\n\n\n<li><strong>Policy Engines<\/strong>: Open Policy Agent (OPA) or Kyverno for dynamic policy enforcement.<\/li>\n\n\n\n<li><strong>Cloud Providers<\/strong>: AWS, Azure, or GCP Kubernetes services use Admission Controllers for cloud-specific policies.<\/li>\n\n\n\n<li><strong>Observability Tools<\/strong>: Prometheus or Grafana to monitor policy violations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Installation &amp; Getting Started<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Basic Setup or 
Prerequisites<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kubernetes cluster (v1.16+ recommended).<\/li>\n\n\n\n<li>Admin access to the cluster.<\/li>\n\n\n\n<li>Familiarity with YAML and kubectl.<\/li>\n\n\n\n<li>Optional: Policy engine like OPA Gatekeeper or Kyverno.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hands-on: Step-by-Step Beginner-Friendly Setup Guide<\/h3>\n\n\n\n<p>This guide sets up OPA Gatekeeper as an Admission Controller to enforce a policy that restricts container images to a trusted registry.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Install OPA Gatekeeper<\/strong>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>   kubectl apply -f https:\/\/raw.githubusercontent.com\/open-policy-agent\/gatekeeper\/release-3.9\/deploy\/gatekeeper.yaml<\/code><\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Verify Installation<\/strong>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>   kubectl get pods -n gatekeeper-system<\/code><\/pre>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Create a Constraint Template<\/strong>:<br>Save the following as <code>trusted-registry.yaml<\/code>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>   apiVersion: templates.gatekeeper.sh\/v1\n   kind: ConstraintTemplate\n   metadata:\n     name: k8strustedregistry\n   spec:\n     crd:\n       spec:\n         names:\n           kind: K8sTrustedRegistry\n     targets:\n       - target: admission.k8s.gatekeeper.sh\n         rego: |\n           package k8strustedregistry\n           # Flag any container whose image string does not start with docker.io\/\n           violation&#091;{\"msg\": msg}] {\n             container := input.review.object.spec.containers&#091;_]\n             not startswith(container.image, \"docker.io\/\")\n             msg := sprintf(\"Container image %v is not from trusted registry\", &#091;container.image])\n           }<\/code><\/pre>\n\n\n\n<p>Apply it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>   kubectl apply -f 
trusted-registry.yaml<\/code><\/pre>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Create a Constraint<\/strong>:<br>Save the following as <code>constraint.yaml<\/code>:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>   apiVersion: constraints.gatekeeper.sh\/v1beta1\n   kind: K8sTrustedRegistry\n   metadata:\n     name: trusted-registry\n   spec:\n     match:\n       kinds:\n         - apiGroups: &#091;\"\"]\n           kinds: &#091;\"Pod\"]<\/code><\/pre>\n\n\n\n<p>Apply it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>   kubectl apply -f constraint.yaml<\/code><\/pre>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Test the Policy<\/strong>:<br>Try deploying a pod with an untrusted image:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>   kubectl run nginx --image=nginx:latest<\/code><\/pre>\n\n\n\n<p>This should fail with an error indicating the image is not from <code>docker.io<\/code>. The policy compares the image string exactly as written in the pod spec, so the unqualified name <code>nginx:latest<\/code> is rejected because it does not begin with <code>docker.io\/<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Real-World Use Cases<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforcing Trusted Image Registries<\/strong>: A financial institution uses Admission Controllers to ensure all container images come from a private, vetted registry, aligning with PCI-DSS compliance.<\/li>\n\n\n\n<li><strong>Resource Limit Enforcement<\/strong>: A SaaS provider uses a mutating Admission Controller to automatically inject CPU and memory limits into pods, preventing resource abuse.<\/li>\n\n\n\n<li><strong>Namespace-Based Policies<\/strong>: A healthcare organization enforces HIPAA-compliant configurations by restricting sensitive workloads to specific namespaces.<\/li>\n\n\n\n<li><strong>Sidecar Injection<\/strong>: An e-commerce platform uses a mutating Admission Controller to inject logging sidecars into every pod for centralized monitoring.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Benefits &amp; Limitations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Key Advantages<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Automation<\/strong>: Reduces manual security checks.<\/li>\n\n\n\n<li><strong>Scalability<\/strong>: Applies policies cluster-wide.<\/li>\n\n\n\n<li><strong>Flexibility<\/strong>: Supports custom policies via webhooks.<\/li>\n\n\n\n<li><strong>Compliance<\/strong>: Aligns with regulatory standards.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common Challenges or Limitations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Complexity<\/strong>: Writing and testing policies (e.g., Rego for OPA) can be complex.<\/li>\n\n\n\n<li><strong>Performance<\/strong>: Multiple controllers may increase API latency.<\/li>\n\n\n\n<li><strong>Debugging<\/strong>: Policy violations can be hard to troubleshoot without proper logging.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Best Practices &amp; Recommendations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security Tips<\/strong>: Use least privilege for webhook services and encrypt communications.<\/li>\n\n\n\n<li><strong>Performance<\/strong>: Limit the number of active Admission Controllers to reduce latency.<\/li>\n\n\n\n<li><strong>Maintenance<\/strong>: Regularly update policy definitions and test in a staging environment.<\/li>\n\n\n\n<li><strong>Compliance<\/strong>: Align policies with standards like NIST or ISO 27001.<\/li>\n\n\n\n<li><strong>Automation<\/strong>: Integrate with CI\/CD for policy-as-code workflows.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Comparison with Alternatives<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>Admission Controllers<\/th><th>Kyverno<\/th><th>PodSecurityPolicy (Deprecated)<\/th><\/tr><\/thead><tbody><tr><td>Policy Enforcement<\/td><td>Validating &amp; Mutating<\/td><td>Validating &amp; Mutating<\/td><td>Validating Only<\/td><\/tr><tr><td>Ease of Use<\/td><td>Moderate (Webhook setup)<\/td><td>High (YAML-based)<\/td><td>Low (Complex 
config)<\/td><\/tr><tr><td>Extensibility<\/td><td>High (Custom webhooks)<\/td><td>High (Custom policies)<\/td><td>Low (Fixed rules)<\/td><\/tr><tr><td>Maintenance<\/td><td>Moderate<\/td><td>Low<\/td><td>High (Deprecated)<\/td><\/tr><tr><td>When to Choose<\/td><td>Custom policies, webhooks<\/td><td>Simple YAML policies<\/td><td>Legacy clusters<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Use Admission Controllers for flexible, webhook-based policy enforcement. Choose Kyverno for simpler, YAML-based policies, especially in smaller clusters.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Admission Controllers are a cornerstone of DevSecOps in Kubernetes, enabling automated security and compliance at scale. As Kubernetes adoption grows, their role in enforcing policies will expand, with trends like AI-driven policy optimization on the horizon. To get started, explore the official Kubernetes documentation (https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/admission-controllers\/) and join communities like the Kubernetes Slack or CNCF forums.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction &amp; Overview What are Admission Controllers? Admission Controllers are Kubernetes plugins that intercept and process requests to the Kubernetes API server before objects (e.g., pods, deployments) are persisted. They enforce policies, validate configurations, or mutate resources to ensure compliance with organizational standards. 
History or Background Introduced in Kubernetes 1.0 (2015), Admission Controllers have evolved &#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-179","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head_json":{"title":"Admission Controllers in DevSecOps: A Comprehensive Tutorial - DevSecOps School","canonical":"https:\/\/devsecopsschool.com\/blog\/admission-controllers-in-devsecops-a-comprehensive-tutorial\/","og_locale":"en_US","og_type":"article","og_site_name":"DevSecOps School","article_published_time":"2025-05-23T07:04:43+00:00","author":"pritesh k","twitter_misc":{"Written by":"pritesh k","Est. reading time":"6 minutes"}}}