Home Explore Blog CI



kubernetes
1st chunk of `content/en/blog/_posts/2018-01-00-Extensible-Admission-Is-Beta.md`
848161f89c7cf40bf201040e0acdc2c5cbfb4ed8c60c028e0000000100000938
---
title: "Extensible Admission is Beta"
date: 2018-01-11
slug: extensible-admission-is-beta
url: /blog/2018/01/Extensible-Admission-Is-Beta
---
In this post we review a feature, available in the Kubernetes API server, that allows you to implement arbitrary control decisions and which has matured considerably in Kubernetes 1.9.  

The admission stage of API server processing is one of the most powerful tools for securing a Kubernetes cluster by restricting the objects that can be created, but it has always been limited to compiled code. In 1.9, we promoted webhooks for admission to beta, allowing you to leverage admission from outside the API server process.  



## What is Admission?
[Admission](/docs/reference/access-authn-authz/admission-controllers/#what-are-they) is the phase of [handling an API server request](https://blog.openshift.com/kubernetes-deep-dive-api-server-part-1/) that happens before a resource is persisted, but after authorization. Admission gets access to the same information as authorization (user, URL, etc) and the complete body of an API request (for most requests).  

[![](https://2.bp.blogspot.com/-p8WGg2BATsY/WlfywbD_tAI/AAAAAAAAAJw/mDqZV0dB4_Y0gXXQp_1tQ7CtMRSd6lHVwCK4BGAYYCw/s640/Screen%2BShot%2B2018-01-11%2Bat%2B3.22.07%2BPM.png)](https://2.bp.blogspot.com/-p8WGg2BATsY/WlfywbD_tAI/AAAAAAAAAJw/mDqZV0dB4_Y0gXXQp_1tQ7CtMRSd6lHVwCK4BGAYYCw/s1600/Screen%2BShot%2B2018-01-11%2Bat%2B3.22.07%2BPM.png)  

The admission phase is composed of individual plugins, each of which are narrowly focused and have semantic knowledge of what they are inspecting. Examples include: PodNodeSelector (influences scheduling decisions), PodSecurityPolicy (prevents escalating containers), and ResourceQuota (enforces resource allocation per namespace).  

Admission is split into two phases:  

1. Mutation, which allows modification of the body content itself as well as rejection of an API request.
2. Validation, which allows introspection queries and rejection of an API request.
An admission plugin can be in both phases, but all mutation happens before validation.



### Mutation
The mutation phase of admission allows modification of the resource content before it is persisted. Because the same field can be mutated multiple times while in the admission chain, the order of the admission plugins in the mutation matters.
Title: Extensible Admission in Kubernetes 1.9: Now in Beta
Summary
This blog post announces that extensible admission webhooks have reached beta status in Kubernetes 1.9. It explains that admission is a powerful tool for securing a Kubernetes cluster by restricting object creation. The admission phase happens before resource persistence but after authorization, using plugins for tasks like influencing scheduling, preventing container escalation, and enforcing resource allocation. Admission is split into mutation and validation phases, with mutation allowing modification of resource content before persistence.