• Dynamic Admission Control
    • What are admission webhooks?
    • Experimenting with admission webhooks
      • Prerequisites
      • Write an admission webhook server
      • Deploy the admission webhook service
      • Configure admission webhooks on the fly
      • Authenticate apiservers
    • Webhook request and response
      • Request
      • Response
    • Webhook configuration
      • Matching requests: rules
      • Matching requests: objectSelector
      • Matching requests: namespaceSelector
      • Matching requests: matchPolicy
      • Contacting the webhook
        • URL
        • Service reference
      • Side effects
      • Timeouts
      • Reinvocation policy
      • Failure policy
    • Monitoring admission webhooks
      • Mutating webhook auditing annotations
      • Admission webhook metrics
        • API server admission webhook rejection count
    • Best practices and warnings
      • Idempotence
        • Example of idempotent mutating admission webhooks:
        • Example of non-idempotent mutating admission webhooks:
      • Intercepting all versions of an object
      • Availability
      • Guaranteeing the final state of the object is seen
      • Avoiding deadlocks in self-hosted webhooks
      • Side effects
      • Avoiding operating on the kube-system namespace
    • Feedback

    Dynamic Admission Control

    In addition to compiled-in admission plugins,admission plugins can be developed as extensions and run as webhooks configured at runtime.This page describes how to build, configure, use, and monitor admission webhooks.

    What are admission webhooks?

    Admission webhooks are HTTP callbacks that receive admission requests and dosomething with them. You can define two types of admission webhooks,validating admission Webhookandmutating admission webhook.Mutating admission Webhooks are invoked first, and can modify objects sent to the API server to enforce custom defaults.After all object modifications are complete, and after the incoming object is validated by the API server,validating admission webhooks are invoked and can reject requests to enforce custom policies.

    Note: Admission webhooks that need to guarantee they see the final state of the object in order to enforce policyshould use a validating admission webhook, since objects can be modified after being seen by mutating webhooks.

    Experimenting with admission webhooks

    Admission webhooks are essentially part of the cluster control-plane. You shouldwrite and deploy them with great caution. Please read the userguides forinstructions if you intend to write/deploy production-grade admission webhooks.In the following, we describe how to quickly experiment with admission webhooks.

    Prerequisites

    • Ensure that the Kubernetes cluster is at least as new as v1.16 (to use admissionregistration.k8s.io/v1),or v1.9 (to use admissionregistration.k8s.io/v1beta1).

    • Ensure that MutatingAdmissionWebhook and ValidatingAdmissionWebhookadmission controllers are enabled.Hereis a recommended set of admission controllers to enable in general.

    • Ensure that the admissionregistration.k8s.io/v1 or admissionregistration.k8s.io/v1beta1 API is enabled.

    Write an admission webhook server

    Please refer to the implementation of the admission webhookserverthat is validated in a Kubernetes e2e test. The webhook handles theAdmissionReview request sent by the apiservers, and sends back its decisionas an AdmissionReview object in the same version it received.

    See the webhook request section for details on the data sent to webhooks.

    See the webhook response section for the data expected from webhooks.

    The example admission webhook server leaves the ClientAuth fieldempty,which defaults to NoClientCert. This means that the webhook server does notauthenticate the identity of the clients, supposedly apiservers. If you needmutual TLS or other ways to authenticate the clients, seehow to authenticate apiservers.

    Deploy the admission webhook service

    The webhook server in the e2e test is deployed in the Kubernetes cluster, viathe deployment API.The test also creates a serviceas the front-end of the webhook server. Seecode.

    You may also deploy your webhooks outside of the cluster. You will need to updateyour webhook configurations accordingly.

    Configure admission webhooks on the fly

    You can dynamically configure what resources are subject to what admissionwebhooks viaValidatingWebhookConfigurationorMutatingWebhookConfiguration.

    The following is an example ValidatingWebhookConfiguration, a mutating webhook configuration is similar.See the webhook configuration section for details about each config field.

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. metadata:
    4.   name: "pod-policy.example.com"
    5. webhooks:
    6. - name: "pod-policy.example.com"
    7.   rules:
    8.   - apiGroups:   [""]
    9.     apiVersions: ["v1"]
    10.     operations:  ["CREATE"]
    11.     resources:   ["pods"]
    12.     scope:       "Namespaced"
    13.   clientConfig:
    14.     service:
    15.       namespace: "example-namespace"
    16.       name: "example-service"
    17.     caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"
    18.   admissionReviewVersions: ["v1", "v1beta1"]
    19.   sideEffects: None
    20.   timeoutSeconds: 5
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. metadata:
    5.   name: "pod-policy.example.com"
    6. webhooks:
    7. - name: "pod-policy.example.com"
    8.   rules:
    9.   - apiGroups:   [""]
    10.     apiVersions: ["v1"]
    11.     operations:  ["CREATE"]
    12.     resources:   ["pods"]
    13.     scope:       "Namespaced"
    14.   clientConfig:
    15.     service:
    16.       namespace: "example-namespace"
    17.       name: "example-service"
    18.     caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"
    19.   admissionReviewVersions: ["v1beta1"]
    20.   timeoutSeconds: 5

    The scope field specifies if only cluster-scoped resources (“Cluster”) or namespace-scopedresources (“Namespaced”) will match this rule. “*” means that there are no scope restrictions.

    Note: When using clientConfig.service, the server cert must be valid for<svc_name>.<svc_namespace>.svc.
    Note: Default timeout for a webhook call is 10 seconds for webhooks registered created using admissionregistration.k8s.io/v1,and 30 seconds for webhooks created using admissionregistration.k8s.io/v1beta1. Starting in kubernetes 1.14 youcan set the timeout and it is encouraged to use a small timeout for webhooks.If the webhook call times out, the request is handled according to the webhook’sfailure policy.

    When an apiserver receives a request that matches one of the rules, theapiserver sends an admissionReview request to webhook as specified in theclientConfig.

    After you create the webhook configuration, the system will take a few secondsto honor the new configuration.

    Authenticate apiservers

    If your admission webhooks require authentication, you can configure theapiservers to use basic auth, bearer token, or a cert to authenticate itself tothe webhooks. There are three steps to complete the configuration.

    • When starting the apiserver, specify the location of the admission controlconfiguration file via the —admission-control-config-file flag.

    • In the admission control configuration file, specify where theMutatingAdmissionWebhook controller and ValidatingAdmissionWebhook controllershould read the credentials. The credentials are stored in kubeConfig files(yes, the same schema that’s used by kubectl), so the field name iskubeConfigFile. Here is an example admission control configuration file:

    1. apiVersion: apiserver.k8s.io/v1alpha1
    2. kind: AdmissionConfiguration
    3. plugins:
    4. - name: ValidatingAdmissionWebhook
    5.   configuration:
    6.     apiVersion: apiserver.config.k8s.io/v1alpha1
    7.     kind: WebhookAdmission
    8.     kubeConfigFile: "<path-to-kubeconfig-file>"
    9. - name: MutatingAdmissionWebhook
    10.   configuration:
    11.     apiVersion: apiserver.config.k8s.io/v1alpha1
    12.     kind: WebhookAdmission
    13.     kubeConfigFile: "<path-to-kubeconfig-file>"

    The schema of admissionConfiguration is definedhere.See the webhook configuration section for details about each config field.

    • In the kubeConfig file, provide the credentials:
    1. apiVersion: v1
    2. kind: Config
    3. users:
    4. # name should be set to the DNS name of the service or the host (including port) of the URL the webhook is configured to speak to.
    5. # If a non-443 port is used for services, it must be included in the name when configuring 1.16+ API servers.
    6. #
    7. # For a webhook configured to speak to a service on the default port (443), specify the DNS name of the service:
    8. # - name: webhook1.ns1.svc
    9. #   user: ...
    10. #
    11. # For a webhook configured to speak to a service on non-default port (e.g. 8443), specify the DNS name and port of the service in 1.16+:
    12. # - name: webhook1.ns1.svc:8443
    13. #   user: ...
    14. # and optionally create a second stanza using only the DNS name of the service for compatibility with 1.15 API servers:
    15. # - name: webhook1.ns1.svc
    16. #   user: ...
    17. #
    18. # For webhooks configured to speak to a URL, match the host (and port) specified in the webhook's URL. Examples:
    19. # A webhook with `url: https://www.example.com`:
    20. # - name: www.example.com
    21. #   user: ...
    22. #
    23. # A webhook with `url: https://www.example.com:443`:
    24. # - name: www.example.com:443
    25. #   user: ...
    26. #
    27. # A webhook with `url: https://www.example.com:8443`:
    28. # - name: www.example.com:8443
    29. #   user: ...
    30. #
    31. - name: 'webhook1.ns1.svc'
    32.   user:
    33.     client-certificate-data: "<pem encoded certificate>"
    34.     client-key-data: "<pem encoded key>"
    35. # The `name` supports using * to wildcard-match prefixing segments.
    36. - name: '*.webhook-company.org'
    37.   user:
    38.     password: "<password>"
    39.     username: "<name>"
    40. # '*' is the default match.
    41. - name: '*'
    42.   user:
    43.     token: "<token>"

    Of course you need to set up the webhook server to handle these authentications.

    Webhook request and response

    Request

    Webhooks are sent a POST request, with Content-Type: application/json,with an AdmissionReview API object in the admission.k8s.io API groupserialized to JSON as the body.

    Webhooks can specify what versions of AdmissionReview objects they acceptwith the admissionReviewVersions field in their configuration:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   admissionReviewVersions: ["v1", "v1beta1"]
    7.   ...

    admissionReviewVersions is a required field when creatingadmissionregistration.k8s.io/v1 webhook configurations.Webhooks are required to support at least one AdmissionReviewversion understood by the current and previous API server.

    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   admissionReviewVersions: ["v1beta1"]
    8.   ...

    If no admissionReviewVersions are specified, the default when creatingadmissionregistration.k8s.io/v1beta1 webhook configurations is v1beta1.

    API servers send the first AdmissionReview version in the admissionReviewVersions list they support.If none of the versions in the list are supported by the API server, the configuration will not be allowed to be created.If an API server encounters a webhook configuration that was previously created and does not support any of the AdmissionReviewversions the API server knows how to send, attempts to call to the webhook will fail and be subject to the failure policy.

    This example shows the data contained in an AdmissionReview objectfor a request to update the scale subresource of an apps/v1 Deployment:

    • admission.k8s.io/v1
    • admission.k8s.io/v1beta1
    1. {
    2.   "apiVersion": "admission.k8s.io/v1",
    3.   "kind": "AdmissionReview",
    4.   "request": {
    5.     # Random uid uniquely identifying this admission call
    6.     "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
    8.     # Fully-qualified group/version/kind of the incoming object
    9.     "kind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    10.     # Fully-qualified group/version/kind of the resource being modified
    11.     "resource": {"group":"apps","version":"v1","resource":"deployments"},
    12.     # subresource, if the request is to a subresource
    13.     "subResource": "scale",
    15.     # Fully-qualified group/version/kind of the incoming object in the original request to the API server.
    16.     # This only differs from `kind` if the webhook specified `matchPolicy: Equivalent` and the
    17.     # original request to the API server was converted to a version the webhook registered for.
    18.     "requestKind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    19.     # Fully-qualified group/version/kind of the resource being modified in the original request to the API server.
    20.     # This only differs from `resource` if the webhook specified `matchPolicy: Equivalent` and the
    21.     # original request to the API server was converted to a version the webhook registered for.
    22.     "requestResource": {"group":"apps","version":"v1","resource":"deployments"},
    23.     # subresource, if the request is to a subresource
    24.     # This only differs from `subResource` if the webhook specified `matchPolicy: Equivalent` and the
    25.     # original request to the API server was converted to a version the webhook registered for.
    26.     "requestSubResource": "scale",
    28.     # Name of the resource being modified
    29.     "name": "my-deployment",
    30.     # Namespace of the resource being modified, if the resource is namespaced (or is a Namespace object)
    31.     "namespace": "my-namespace",
    33.     # operation can be CREATE, UPDATE, DELETE, or CONNECT
    34.     "operation": "UPDATE",
    36.     "userInfo": {
    37.       # Username of the authenticated user making the request to the API server
    38.       "username": "admin",
    39.       # UID of the authenticated user making the request to the API server
    40.       "uid": "014fbff9a07c",
    41.       # Group memberships of the authenticated user making the request to the API server
    42.       "groups": ["system:authenticated","my-admin-group"],
    43.       # Arbitrary extra info associated with the user making the request to the API server.
    44.       # This is populated by the API server authentication layer and should be included
    45.       # if any SubjectAccessReview checks are performed by the webhook.
    46.       "extra": {
    47.         "some-key":["some-value1", "some-value2"]
    48.       }
    49.     },
    51.     # object is the new object being admitted.
    52.     # It is null for DELETE operations.
    53.     "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    54.     # oldObject is the existing object.
    55.     # It is null for CREATE and CONNECT operations.
    56.     "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    57.     # options contains the options for the operation being admitted, like meta.k8s.io/v1 CreateOptions, UpdateOptions, or DeleteOptions.
    58.     # It is null for CONNECT operations.
    59.     "options": {"apiVersion":"meta.k8s.io/v1","kind":"UpdateOptions",...},
    61.     # dryRun indicates the API request is running in dry run mode and will not be persisted.
    62.     # Webhooks with side effects should avoid actuating those side effects when dryRun is true.
    63.     # See http://k8s.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request for more details.
    64.     "dryRun": false
    65.   }
    66. }
    1. {
    2.   # Deprecated in v1.16 in favor of admission.k8s.io/v1
    3.   "apiVersion": "admission.k8s.io/v1beta1",
    4.   "kind": "AdmissionReview",
    5.   "request": {
    6.     # Random uid uniquely identifying this admission call
    7.     "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
    9.     # Fully-qualified group/version/kind of the incoming object
    10.     "kind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    11.     # Fully-qualified group/version/kind of the resource being modified
    12.     "resource": {"group":"apps","version":"v1","resource":"deployments"},
    13.     # subresource, if the request is to a subresource
    14.     "subResource": "scale",
    16.     # Fully-qualified group/version/kind of the incoming object in the original request to the API server.
    17.     # This only differs from `kind` if the webhook specified `matchPolicy: Equivalent` and the
    18.     # original request to the API server was converted to a version the webhook registered for.
    19.     # Only sent by v1.15+ API servers.
    20.     "requestKind": {"group":"autoscaling","version":"v1","kind":"Scale"},
    21.     # Fully-qualified group/version/kind of the resource being modified in the original request to the API server.
    22.     # This only differs from `resource` if the webhook specified `matchPolicy: Equivalent` and the
    23.     # original request to the API server was converted to a version the webhook registered for.
    24.     # Only sent by v1.15+ API servers.
    25.     "requestResource": {"group":"apps","version":"v1","resource":"deployments"},
    26.     # subresource, if the request is to a subresource
    27.     # This only differs from `subResource` if the webhook specified `matchPolicy: Equivalent` and the
    28.     # original request to the API server was converted to a version the webhook registered for.
    29.     # Only sent by v1.15+ API servers.
    30.     "requestSubResource": "scale",
    32.     # Name of the resource being modified
    33.     "name": "my-deployment",
    34.     # Namespace of the resource being modified, if the resource is namespaced (or is a Namespace object)
    35.     "namespace": "my-namespace",
    37.     # operation can be CREATE, UPDATE, DELETE, or CONNECT
    38.     "operation": "UPDATE",
    40.     "userInfo": {
    41.       # Username of the authenticated user making the request to the API server
    42.       "username": "admin",
    43.       # UID of the authenticated user making the request to the API server
    44.       "uid": "014fbff9a07c",
    45.       # Group memberships of the authenticated user making the request to the API server
    46.       "groups": ["system:authenticated","my-admin-group"],
    47.       # Arbitrary extra info associated with the user making the request to the API server.
    48.       # This is populated by the API server authentication layer and should be included
    49.       # if any SubjectAccessReview checks are performed by the webhook.
    50.       "extra": {
    51.         "some-key":["some-value1", "some-value2"]
    52.       }
    53.     },
    55.     # object is the new object being admitted.
    56.     # It is null for DELETE operations.
    57.     "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    58.     # oldObject is the existing object.
    59.     # It is null for CREATE and CONNECT operations (and for DELETE operations in API servers prior to v1.15.0)
    60.     "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    61.     # options contains the options for the operation being admitted, like meta.k8s.io/v1 CreateOptions, UpdateOptions, or DeleteOptions.
    62.     # It is null for CONNECT operations.
    63.     # Only sent by v1.15+ API servers.
    64.     "options": {"apiVersion":"meta.k8s.io/v1","kind":"UpdateOptions",...},
    66.     # dryRun indicates the API request is running in dry run mode and will not be persisted.
    67.     # Webhooks with side effects should avoid actuating those side effects when dryRun is true.
    68.     # See http://k8s.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request for more details.
    69.     "dryRun": false
    70.   }
    71. }

    Response

    Webhooks respond with a 200 HTTP status code, Content-Type: application/json,and a body containing an AdmissionReview object (in the same version they were sent),with the response stanza populated, serialized to JSON.

    At a minimum, the response stanza must contain the following fields:

    • uid, copied from the request.uid sent to the webhook
    • allowed, either set to true or false

    Example of a minimal response from a webhook to allow a request:

    • admission.k8s.io/v1
    • admission.k8s.io/v1beta1
    1. {
    2.   "apiVersion": "admission.k8s.io/v1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": true
    7.   }
    8. }
    1. {
    2.   "apiVersion": "admission.k8s.io/v1beta1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": true
    7.   }
    8. }

    Example of a minimal response from a webhook to forbid a request:

    • admission.k8s.io/v1
    • admission.k8s.io/v1beta1
    1. {
    2.   "apiVersion": "admission.k8s.io/v1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": false
    7.   }
    8. }
    1. {
    2.   "apiVersion": "admission.k8s.io/v1beta1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": false
    7.   }
    8. }

    When rejecting a request, the webhook can customize the http code and message returned to the user using the status field.The specified status object is returned to the user.See the API documentation for details about the status type.Example of a response to forbid a request, customizing the HTTP status code and message presented to the user:

    • admission.k8s.io/v1
    • admission.k8s.io/v1beta1
    1. {
    2.   "apiVersion": "admission.k8s.io/v1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": false,
    7.     "status": {
    8.       "code": 403,
    9.       "message": "You cannot do this because it is Tuesday and your name starts with A"
    10.     }
    11.   }
    12. }
    1. {
    2.   "apiVersion": "admission.k8s.io/v1beta1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": false,
    7.     "status": {
    8.       "code": 403,
    9.       "message": "You cannot do this because it is Tuesday and your name starts with A"
    10.     }
    11.   }
    12. }

    When allowing a request, a mutating admission webhook may optionally modify the incoming object as well.This is done using the patch and patchType fields in the response.The only currently supported patchType is JSONPatch.See JSON patch documentation for more details.For patchType: JSONPatch, the patch field contains a base64-encoded array of JSON patch operations.

    As an example, a single patch operation that would set spec.replicas would be [{"op": "add", "path": "/spec/replicas", "value": 3}]

    Base64-encoded, this would be W3sib3AiOiAiYWRkIiwgInBhdGgiOiAiL3NwZWMvcmVwbGljYXMiLCAidmFsdWUiOiAzfV0=

    So a webhook response to add that label would be:

    • admission.k8s.io/v1
    • admission.k8s.io/v1beta1
    1. {
    2.   "apiVersion": "admission.k8s.io/v1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": true,
    7.     "patchType": "JSONPatch",
    8.     "patch": "W3sib3AiOiAiYWRkIiwgInBhdGgiOiAiL3NwZWMvcmVwbGljYXMiLCAidmFsdWUiOiAzfV0="
    9.   }
    10. }
    1. {
    2.   "apiVersion": "admission.k8s.io/v1beta1",
    3.   "kind": "AdmissionReview",
    4.   "response": {
    5.     "uid": "<value from request.uid>",
    6.     "allowed": true,
    7.     "patchType": "JSONPatch",
    8.     "patch": "W3sib3AiOiAiYWRkIiwgInBhdGgiOiAiL3NwZWMvcmVwbGljYXMiLCAidmFsdWUiOiAzfV0="
    9.   }
    10. }

    Webhook configuration

    To register admission webhooks, create MutatingWebhookConfiguration or ValidatingWebhookConfiguration API objects.

    Each configuration can contain one or more webhooks.If multiple webhooks are specified in a single configuration, each should be given a unique name.This is required in admissionregistration.k8s.io/v1, but strongly recommended when using admissionregistration.k8s.io/v1beta1,in order to make resulting audit logs and metrics easier to match up to active configurations.

    Each webhook defines the following things.

    Matching requests: rules

    Each webhook must specify a list of rules used to determine if a request to the API server should be sent to the webhook.Each rule specifies one or more operations, apiGroups, apiVersions, and resources, and a resource scope:

    • operations lists one or more operations to match. Can be "CREATE", "UPDATE", "DELETE", "CONNECT", or "*" to match all.
    • apiGroups lists one or more API groups to match. "" is the core API group. "*" matches all API groups.
    • apiVersions lists one or more API versions to match. "*" matches all API versions.
    • resources lists one or more resources to match.
      • "*" matches all resources, but not subresources.
      • "/" matches all resources and subresources.
      • "pods/*" matches all subresources of pods.
      • "*/status" matches all status subresources.
    • scope specifies a scope to match. Valid values are "Cluster", "Namespaced", and "". Subresources match the scope of their parent resource. Supported in v1.14+. Default is "", matching pre-1.14 behavior.
      • "Cluster" means that only cluster-scoped resources will match this rule (Namespace API objects are cluster-scoped).
      • "Namespaced" means that only namespaced resources will match this rule.
      • "*" means that there are no scope restrictions.

    If an incoming request matches one of the specified operations, groups, versions, resources, and scope for any of a webhook’s rules, the request is sent to the webhook.

    Here are other examples of rules that could be used to specify which resources should be intercepted.

    Match CREATE or UPDATE requests to apps/v1 and apps/v1beta1 deployments and replicasets:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   rules:
    7.   - operations: ["CREATE", "UPDATE"]
    8.     apiGroups: ["apps"]
    9.     apiVersions: ["v1", "v1beta1"]
    10.     resources: ["deployments", "replicasets"]
    11.     scope: "Namespaced"
    12.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   rules:
    8.   - operations: ["CREATE", "UPDATE"]
    9.     apiGroups: ["apps"]
    10.     apiVersions: ["v1", "v1beta1"]
    11.     resources: ["deployments", "replicasets"]
    12.     scope: "Namespaced"
    13.   ...

    Match create requests for all resources (but not subresources) in all API groups and versions:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   rules:
    7.   - operations: ["CREATE"]
    8.     apiGroups: ["*"]
    9.     apiVersions: ["*"]
    10.     resources: ["*"]
    11.     scope: "*"
    12.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   rules:
    8.   - operations: ["CREATE"]
    9.     apiGroups: ["*"]
    10.     apiVersions: ["*"]
    11.     resources: ["*"]
    12.     scope: "*"
    13.   ...

    Match update requests for all status subresources in all API groups and versions:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   rules:
    7.   - operations: ["UPDATE"]
    8.     apiGroups: ["*"]
    9.     apiVersions: ["*"]
    10.     resources: ["*/status"]
    11.     scope: "*"
    12.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   rules:
    8.   - operations: ["UPDATE"]
    9.     apiGroups: ["*"]
    10.     apiVersions: ["*"]
    11.     resources: ["*/status"]
    12.     scope: "*"
    13.   ...

    Matching requests: objectSelector

    In v1.15+, webhooks may optionally limit which requests are intercepted based on the labels of theobjects they would be sent, by specifying an objectSelector. If specified, the objectSelectoris evaluated against both the object and oldObject that would be sent to the webhook,and is considered to match if either object matches the selector.

    A null object (oldObject in the case of create, or newObject in the case of delete),or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object)is not considered to match.

    Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels.

    This example shows a mutating webhook that would match a CREATE of any resource with the label foo: bar:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: MutatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   objectSelector:
    7.     matchLabels:
    8.       foo: bar
    9.   rules:
    10.   - operations: ["CREATE"]
    11.     apiGroups: ["*"]
    12.     apiVersions: ["*"]
    13.     resources: ["*"]
    14.     scope: "*"
    15.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: MutatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   objectSelector:
    8.     matchLabels:
    9.       foo: bar
    10.   rules:
    11.   - operations: ["CREATE"]
    12.     apiGroups: ["*"]
    13.     apiVersions: ["*"]
    14.     resources: ["*"]
    15.     scope: "*"
    16.   ...

    See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.

    Matching requests: namespaceSelector

    Webhooks may optionally limit which requests for namespaced resources are intercepted,based on the labels of the containing namespace, by specifying a namespaceSelector.

    The namespaceSelector decides whether to run the webhook on a request for a namespaced resource(or a Namespace object), based on whether the namespace’s labels match the selector.If the object itself is a namespace, the matching is performed on object.metadata.labels.If the object is a cluster scoped resource other than a Namespace, namespaceSelector has no effect.

    This example shows a mutating webhook that matches a CREATE of any namespaced resource inside a namespacethat does not have a “runlevel” label of “0” or “1”:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: MutatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   namespaceSelector:
    7.     matchExpressions:
    8.     - key: runlevel
    9.       operator: NotIn
    10.       values: ["0","1"]
    11.   rules:
    12.   - operations: ["CREATE"]
    13.     apiGroups: ["*"]
    14.     apiVersions: ["*"]
    15.     resources: ["*"]
    16.     scope: "Namespaced"
    17.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: MutatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   namespaceSelector:
    8.     matchExpressions:
    9.     - key: runlevel
    10.       operator: NotIn
    11.       values: ["0","1"]
    12.   rules:
    13.   - operations: ["CREATE"]
    14.     apiGroups: ["*"]
    15.     apiVersions: ["*"]
    16.     resources: ["*"]
    17.     scope: "Namespaced"
    18.   ...

    This example shows a validating webhook that matches a CREATE of any namespaced resource inside a namespacethat is associated with the “environment” of “prod” or “staging”:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   namespaceSelector:
    7.     matchExpressions:
    8.     - key: environment
    9.       operator: In
    10.       values: ["prod","staging"]
    11.   rules:
    12.   - operations: ["CREATE"]
    13.     apiGroups: ["*"]
    14.     apiVersions: ["*"]
    15.     resources: ["*"]
    16.     scope: "Namespaced"
    17.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   namespaceSelector:
    8.     matchExpressions:
    9.     - key: environment
    10.       operator: In
    11.       values: ["prod","staging"]
    12.   rules:
    13.   - operations: ["CREATE"]
    14.     apiGroups: ["*"]
    15.     apiVersions: ["*"]
    16.     resources: ["*"]
    17.     scope: "Namespaced"
    18.   ...

    See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.

    Matching requests: matchPolicy

    API servers can make objects available via multiple API groups or versions.For example, the Kubernetes API server allows creating and modifying Deployment objectsvia extensions/v1beta1, apps/v1beta1, apps/v1beta2, and apps/v1 APIs.

    For example, if a webhook only specified a rule for some API groups/versions (like apiGroups:["apps"], apiVersions:["v1","v1beta1"]),and a request was made to modify the resource via another API group/version (like extensions/v1beta1),the request would not be sent to the webhook.

    In v1.15+, matchPolicy lets a webhook define how its rules are used to match incoming requests.Allowed values are Exact or Equivalent.

    • Exact means a request should be intercepted only if it exactly matches a specified rule.
    • Equivalent means a request should be intercepted if modifies a resource listed in rules, even via another API group or version.

    In the example given above, the webhook that only registered for apps/v1 could use matchPolicy: matchPolicy: Exact would mean the extensions/v1beta1 request would not be sent to the webhook matchPolicy: Equivalent means the extensions/v1beta1 request would be sent to the webhook (with the objects converted to a version the webhook had specified: apps/v1)

    Specifying Equivalent is recommended, and ensures that webhooks continue to intercept theresources they expect when upgrades enable new versions of the resource in the API server.

    When a resource stops being served by the API server, it is no longer considered equivalent to other versions of that resource that are still served.For example, deprecated extensions/v1beta1 deployments are scheduled to stop being served by default in v1.16.Once that occurs, a webhook with a apiGroups:["extensions"], apiVersions:["v1beta1"], resources:["deployments"] rulewould no longer intercept deployments created via apps/v1 APIs. For that reason, webhooks should prefer registeringfor stable versions of resources.

    This example shows a validating webhook that intercepts modifications to deployments (no matter the API group or version),and is always sent an apps/v1 Deployment object:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   matchPolicy: Equivalent
    7.   rules:
    8.   - operations: ["CREATE","UPDATE","DELETE"]
    9.     apiGroups: ["apps"]
    10.     apiVersions: ["v1"]
    11.     resources: ["deployments"]
    12.     scope: "Namespaced"
    13.   ...

    Admission webhooks created using admissionregistration.k8s.io/v1 default to Equivalent.

    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   matchPolicy: Equivalent
    8.   rules:
    9.   - operations: ["CREATE","UPDATE","DELETE"]
    10.     apiGroups: ["apps"]
    11.     apiVersions: ["v1"]
    12.     resources: ["deployments"]
    13.     scope: "Namespaced"
    14.   ...

    Admission webhooks created using admissionregistration.k8s.io/v1beta1 default to Exact.

    Contacting the webhook

    Once the API server has determined a request should be sent to a webhook,it needs to know how to contact the webhook. This is specified in the clientConfigstanza of the webhook configuration.

    Webhooks can either be called via a URL or a service reference,and can optionally include a custom CA bundle to use to verify the TLS connection.

    URL

    url gives the location of the webhook, in standard URL form(scheme://host:port/path).

    The host should not refer to a service running in the cluster; usea service reference by specifying the service field instead.The host might be resolved via external DNS in some apiservers(e.g., kube-apiserver cannot resolve in-cluster DNS as that wouldbe a layering violation). host may also be an IP address.

    Please note that using localhost or 127.0.0.1 as a host isrisky unless you take great care to run this webhook on all hostswhich run an apiserver which might need to make calls to thiswebhook. Such installs are likely to be non-portable, i.e., not easyto turn up in a new cluster.

    The scheme must be “https”; the URL must begin with “https://“.

    Attempting to use a user or basic auth e.g. “user:password@” is not allowed.Fragments (“#…”) and query parameters (“?…”) are also not allowed.

    Here is an example of a mutating webhook configured to call a URL(and expects the TLS certificate to be verified using system trust roots, so does not specify a caBundle):

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: MutatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   clientConfig:
    7.     url: "https://my-webhook.example.com:9443/my-webhook-path"
    8.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: MutatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   clientConfig:
    8.     url: "https://my-webhook.example.com:9443/my-webhook-path"
    9.   ...

    Service reference

    The service stanza inside clientConfig is a reference to the service for this webhook.If the webhook is running within the cluster, then you should use service instead of url.The service namespace and name are required. The port is optional and defaults to 443.The path is optional and defaults to “/”.

    Here is an example of a mutating webhook configured to call a service on port “1234”at the subpath “/my-path”, and to verify the TLS connection against the ServerNamemy-service-name.my-service-namespace.svc using a custom CA bundle:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: MutatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   clientConfig:
    7.     caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"
    8.     service:
    9.       namespace: my-service-namespace
    10.       name: my-service-name
    11.       path: /my-path
    12.       port: 1234
    13.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: MutatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   clientConfig:
    8.     caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle containing the CA that signed the webhook's serving certificate>...tLS0K"
    9.     service:
    10.       namespace: my-service-namespace
    11.       name: my-service-name
    12.       path: /my-path
    13.       port: 1234
    14.   ...

    Side effects

    Webhooks typically operate only on the content of the AdmissionReview sent to them.Some webhooks, however, make out-of-band changes as part of processing admission requests.

    Webhooks that make out-of-band changes (“side effects”) must also have a reconcilation mechanism(like a controller) that periodically determines the actual state of the world, and adjuststhe out-of-band data modified by the admission webhook to reflect reality.This is because a call to an admission webhook does not guarantee the admitted object will be persisted as is, or at all.Later webhooks can modify the content of the object, a conflict could be encountered while writing to storage,or the server could power off before persisting the object.

    Additionally, webhooks with side effects must skip those side-effects when dryRun: true admission requests are handled.A webhook must explicitly indicate that it will not have side-effects when run with dryRun,or the dry-run request will not be sent to the webhook and the API request will fail instead.

    Webhooks indicate whether they have side effects using the sideEffects field in the webhook configuration:

    • Unknown: no information is known about the side effects of calling the webhook.If a request with dryRun: true would trigger a call to this webhook, the request will instead fail, and the webhook will not be called.
    • None: calling the webhook will have no side effects.
    • Some: calling the webhook will possibly have side effects.If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail, and the webhook will not be called.
    • NoneOnDryRun: calling the webhook will possibly have side effects,but if a request with dryRun: true is sent to the webhook, the webhook will suppress the side effects (the webhook is dryRun-aware).

    Allowed values:

    • In admissionregistration.k8s.io/v1beta1, sideEffects may be set to Unknown, None, Some, or NoneOnDryRun, and defaults to Unknown.
    • In admissionregistration.k8s.io/v1, sideEffects must be set to None or NoneOnDryRun.

    Here is an example of a validating webhook indicating it has no side effects on dryRun: true requests:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   sideEffects: NoneOnDryRun
    7.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   sideEffects: NoneOnDryRun
    8.   ...

    Timeouts

    Because webhooks add to API request latency, they should evaluate as quickly as possible.timeoutSeconds allows configuring how long the API server should wait for a webhook to respondbefore treating the call as a failure.

    If the timeout expires before the webhook responds, the webhook call will be ignored orthe API call will be rejected based on the failure policy.

    The timeout value must be between 1 and 30 seconds.

    Here is an example of a validating webhook with a custom timeout of 2 seconds:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: ValidatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   timeoutSeconds: 2
    7.   ...

    Admission webhooks created using admissionregistration.k8s.io/v1 default timeouts to 10 seconds.

    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: ValidatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   timeoutSeconds: 2
    8.   ...

    Admission webhooks created using admissionregistration.k8s.io/v1 default timeouts to 30 seconds.

    Reinvocation policy

    A single ordering of mutating admissions plugins (including webhooks) does not work for all cases(see https://issue.k8s.io/64333 as an example). A mutating webhook can add a new sub-structureto the object (like adding a container to a pod), and other mutating plugins which have alreadyrun may have opinions on those new structures (like setting an imagePullPolicy on all containers).

    In v1.15+, to allow mutating admission plugins to observe changes made by other plugins,built-in mutating admission plugins are re-run if a mutating webhook modifies an object,and mutating webhooks can specify a reinvocationPolicy to control whether they are reinvoked as well.

    reinvocationPolicy may be set to Never or IfNeeded. It defaults to Never.

    • Never: the webhook must not be called more than once in a single admission evaluation
    • IfNeeded: the webhook may be called again as part of the admission evaluation if the objectbeing admitted is modified by other admission plugins after the initial webhook call.

    The important elements to note are:

    • The number of additional invocations is not guaranteed to be exactly one.
    • If additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
    • Webhooks that use this option may be reordered to minimize the number of additional invocations.
    • To validate an object after all mutations are guaranteed complete, use a validating admission webhook instead (recommended for webhooks with side-effects).

    Here is an example of a mutating webhook opting into being re-invoked if later admission plugins modify the object:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: MutatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   reinvocationPolicy: IfNeeded
    7.   ...
    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: MutatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   reinvocationPolicy: IfNeeded
    8.   ...

    Mutating webhooks must be idempotent, able to successfully process an object they have already admittedand potentially modified. This is true for all mutating admission webhooks, since any change they can makein an object could already exist in the user-provided object, but it is essential for webhooks that opt into reinvocation.

    Failure policy

    failurePolicy defines how unrecognized errors and timeout errors from the admission webhookare handled. Allowed values are Ignore or Fail.

    • Ignore means that an error calling the webhook is ignored and the API request is allowed to continue.
    • Fail means that an error calling the webhook causes the admission to fail and the API request to be rejected.

    Here is a mutating webhook configured to reject an API request if errors are encountered calling the admission webhook:

    • admissionregistration.k8s.io/v1
    • admissionregistration.k8s.io/v1beta1
    1. apiVersion: admissionregistration.k8s.io/v1
    2. kind: MutatingWebhookConfiguration
    3. ...
    4. webhooks:
    5. - name: my-webhook.example.com
    6.   failurePolicy: Fail
    7.   ...

    Admission webhooks created using admissionregistration.k8s.io/v1 default failurePolicy to Fail.

    1. # Deprecated in v1.16 in favor of admissionregistration.k8s.io/v1
    2. apiVersion: admissionregistration.k8s.io/v1beta1
    3. kind: MutatingWebhookConfiguration
    4. ...
    5. webhooks:
    6. - name: my-webhook.example.com
    7.   failurePolicy: Fail
    8.   ...

    Admission webhooks created using admissionregistration.k8s.io/v1beta1 default failurePolicy to Ignore.

    Monitoring admission webhooks

    The API server provides ways to monitor admission webhook behaviors. Thesemonitoring mechanisms help cluster admins to answer questions like:

    • Which mutating webhook mutated the object in a API request?

    • What change did the mutating webhook applied to the object?

    • Which webhooks are frequently rejecting API requests? What’s the reason for arejection?

    Mutating webhook auditing annotations

    Sometimes it’s useful to know which mutating webhook mutated the object in a API request, and what change did thewebhook apply.

    In v1.16+, kube-apiserver performs auditing on each mutating webhookinvocation. Each invocation generates an auditing annotationcapturing if a request object is mutated by the invocation, and optionally generates an annotation capturing the appliedpatch from the webhook admission response. The annotations are set in the audit event for given request on given stage ofits execution, which is then pre-processed according to a certain policy and written to a backend.

    The audit level of a event determines which annotations get recorded:

    • At Metadata audit level or higher, an annotation with keymutation.webhook.admission.k8s.io/round{round idx}_index{order idx} gets logged with JSON payload indicatinga webhook gets invoked for given request and whether it mutated the object or not.

    For example, the following annotation gets recorded for a webhook being reinvoked. The webhook is ordered the third in themutating webhook chain, and didn’t mutated the request object during the invocation.

    1. # the audit event recorded
    2. {
    3.     "kind": "Event",
    4.     "apiVersion": "audit.k8s.io/v1",
    5.     "annotations": {
    6.         "mutation.webhook.admission.k8s.io/round_1_index_2": "{\"configuration\":\"my-mutating-webhook-configuration.example.com\",\"webhook\":\"my-webhook.example.com\",\"mutated\": false}"
    7.         # other annotations
    8.         ...
    9.     }
    10.     # other fields
    11.     ...
    12. }
    1. # the annotation value deserialized
    2. {
    3.     "configuration": "my-mutating-webhook-configuration.example.com",
    4.     "webhook": "my-webhook.example.com",
    5.     "mutated": false
    6. }

    The following annotation gets recorded for a webhook being invoked in the first round. The webhook is ordered the first inthe mutating webhook chain, and mutated the request object during the invocation.

    1. # the audit event recorded
    2. {
    3.     "kind": "Event",
    4.     "apiVersion": "audit.k8s.io/v1",
    5.     "annotations": {
    6.         "mutation.webhook.admission.k8s.io/round_0_index_0": "{\"configuration\":\"my-mutating-webhook-configuration.example.com\",\"webhook\":\"my-webhook-always-mutate.example.com\",\"mutated\": true}"
    7.         # other annotations
    8.         ...
    9.     }
    10.     # other fields
    11.     ...
    12. }
    1. # the annotation value deserialized
    2. {
    3.     "configuration": "my-mutating-webhook-configuration.example.com",
    4.     "webhook": "my-webhook-always-mutate.example.com",
    5.     "mutated": true
    6. }
    • At Request audit level or higher, an annotation with keypatch.webhook.admission.k8s.io/round{round idx}_index{order idx} gets logged with JSON payload indicatinga webhook gets invoked for given request and what patch gets applied to the request object.

    For example, the following annotation gets recorded for a webhook being reinvoked. The webhook is ordered the fourth in themutating webhook chain, and responded with a JSON patch which got applied to the request object.

    1. # the audit event recorded
    2. {
    3.     "kind": "Event",
    4.     "apiVersion": "audit.k8s.io/v1",
    5.     "annotations": {
    6.         "patch.webhook.admission.k8s.io/round_1_index_3": "{\"configuration\":\"my-other-mutating-webhook-configuration.example.com\",\"webhook\":\"my-webhook-always-mutate.example.com\",\"patch\":[{\"op\":\"add\",\"path\":\"/data/mutation-stage\",\"value\":\"yes\"}],\"patchType\":\"JSONPatch\"}"
    7.         # other annotations
    8.         ...
    9.     }
    10.     # other fields
    11.     ...
    12. }
    1. # the annotation value deserialized
    2. {
    3.     "configuration": "my-other-mutating-webhook-configuration.example.com",
    4.     "webhook": "my-webhook-always-mutate.example.com",
    5.     "patchType": "JSONPatch",
    6.     "patch": [
    7.         {
    8.             "op": "add",
    9.             "path": "/data/mutation-stage",
    10.             "value": "yes"
    11.         }
    12.     ]
    13. }

    Admission webhook metrics

    Kube-apiserver exposes Prometheus metrics from the /metrics endpoint, which can be used for monitoring anddiagnosing API server status. The following metrics record status related to admission webhooks.

    API server admission webhook rejection count

    Sometimes it’s useful to know which admission webhooks are frequently rejecting API requests, and thereason for a rejection.

    In v1.16+, kube-apiserver exposes a Prometheus counter metric recording admission webhook rejections. Themetrics are labelled to identify the causes of webhook rejection(s):

    • name: the name of the webhook that rejected a request.
    • operation: the operation type of the request, can be one of CREATE,UPDATE, DELETE and CONNECT.
    • type: the admission webhook type, can be one of admit and validating.
    • error_type: identifies if an error occurred during the webhook invocationthat caused the rejection. Its value can be one of:
      • calling_webhook_error: unrecognized errors or timeout errors from the admission webhook happened and thewebhook’s Failure policy is set to Fail.
      • no_error: no error occurred. The webhook rejected the request with allowed: false in the admissionresponse. The metrics label rejection_code records the .status.code set in the admission response.
      • apiserver_internal_error: an API server internal error happened.
    • rejection_code: the HTTP status code set in the admission response when awebhook rejected a request.

    Example of the rejection count metrics:

    1. # HELP apiserver_admission_webhook_rejection_count [ALPHA] Admission webhook rejection count, identified by name and broken out for each admission type (validating or admit) and operation. Additional labels specify an error type (calling_webhook_error or apiserver_internal_error if an error occurred; no_error otherwise) and optionally a non-zero rejection code if the webhook rejects the request with an HTTP status code (honored by the apiserver when the code is greater or equal to 400). Codes greater than 600 are truncated to 600, to keep the metrics cardinality bounded.
    2. # TYPE apiserver_admission_webhook_rejection_count counter
    3. apiserver_admission_webhook_rejection_count{error_type="calling_webhook_error",name="always-timeout-webhook.example.com",operation="CREATE",rejection_code="0",type="validating"} 1
    4. apiserver_admission_webhook_rejection_count{error_type="calling_webhook_error",name="invalid-admission-response-webhook.example.com",operation="CREATE",rejection_code="0",type="validating"} 1
    5. apiserver_admission_webhook_rejection_count{error_type="no_error",name="deny-unwanted-configmap-data.example.com",operation="CREATE",rejection_code="400",type="validating"} 13

    Best practices and warnings

    Idempotence

    An idempotent mutating admission webhook is able to successfully process an object it has already admittedand potentially modified. The admission can be applied multiple times without changing the result beyondthe initial application.

    Example of idempotent mutating admission webhooks:

    • For a CREATE pod request, set the field .spec.securityContext.runAsNonRoot of thepod to true, to enforce security best practices.

    • For a CREATE pod request, if the field .spec.containers[].resources.limitsof a container is not set, set default resource limits.

    • For a CREATE pod request, inject a sidecar container with name foo-sidecar if no container with the name foo-sidecar already exists.

    In the cases above, the webhook can be safely reinvoked, or admit an object that already has the fields set.

    Example of non-idempotent mutating admission webhooks:

    • For a CREATE pod request, inject a sidecar container with name foo-sidecarsuffixed with the current timestamp (e.g. foo-sidecar-19700101-000000).

    • For a CREATE/UPDATE pod request, reject if the pod has label "env" set,otherwise add an "env": "prod" label to the pod.

    • For a CREATE pod request, blindly append a sidecar container namedfoo-sidecar without looking to see if there is already a foo-sidecarcontainer in the pod.

    In the first case above, reinvoking the webhook can result in the same sidecar being injected multiple times to a pod, each timewith a different container name. Similarly the webhook can inject duplicated containers if the sidecar already exists ina user-provided pod.

    In the second case above, reinvoking the webhook will result in the webhook failing on its own output.

    In the third case above, reinvoking the webhook will result in duplicated containers in the pod spec, which makesthe request invalid and rejected by the API server.

    Intercepting all versions of an object

    It is recommended that admission webhooks should always intercept all versions of an object by setting .webhooks[].matchPolicyto Equivalent. It is also recommended that admission webhooks should prefer registering for stable versions of resources.Failure to intercept all versions of an object can result in admission policies not being enforced for requests in certainversions. See Matching requests: matchPolicy for examples.

    Availability

    It is recommended that admission webhooks should evaluate as quickly as possible (typically in milliseconds), since they add to API request latency.It is encouraged to use a small timeout for webhooks. See Timeouts for more detail.

    It is recommended that admission webhooks should leverage some format of load-balancing, to provide high availability andperformance benefits. If a webhook is running within the cluster, you can run multiple webhook backends behind a serviceto leverage the load-balancing that service supports.

    Guaranteeing the final state of the object is seen

    Admission webhooks that need to guarantee they see the final state of the object in order to enforce policyshould use a validating admission webhook, since objects can be modified after being seen by mutating webhooks.

    For example, a mutating admission webhook is configured to inject a sidecar container with name “foo-sidecar” on everyCREATE pod request. If the sidecar must be present, a validating admisson webhook should also be configured to intercept CREATE pod requests, and validatethat a container with name “foo-sidecar” with the expected configuration exists in the to-be-created object.

    Avoiding deadlocks in self-hosted webhooks

    A webhook running inside the cluster might cause deadlocks for its own deployment if it is configuredto intercept resources required to start its own pods.

    For example, a mutating admission webhook is configured to admit CREATE pod requests only if a certain label is set in thepod (e.g. "env": "prod"). The webhook server runs in a deployment which doesn’t set the "env" label.When a node that runs the webhook server podsbecomes unhealthy, the webhook deployment will try to reschedule the pods to another node. However the requests willget rejected by the existing webhook server since the "env" label is unset, and the migration cannot happen.

    It is recommended to exclude the namespace where your webhook is running with a namespaceSelector.

    Side effects

    It is recommended that admission webhooks should avoid side effects if possible, which means the webhooks operate only on thecontent of the AdmissionReview sent to them, and do not make out-of-band changes. The .webhooks[].sideEffects field shouldbe set to None if a webhook doesn’t have any side effect.

    If side effects are required during the admission evaluation, they must be suppressed when processing anAdmissionReview object with dryRun set to true, and the .webhooks[].sideEffects field should beset to NoneOnDryRun. See Side effects for more detail.

    Avoiding operating on the kube-system namespace

    The kube-system namespace contains objects created by the Kubernetes system,e.g. service accounts for the control plane components, pods like kube-dns.Accidentally mutating or rejecting requests in the kube-system namespace maycause the control plane components to stop functioning or introduce unknown behavior.If your admission webhooks don’t intend to modify the behavior of the Kubernetes controlplane, exclude the kube-system namespace from being intercepted using anamespaceSelector.

    Feedback

    Was this page helpful?

    Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it onStack Overflow.Open an issue in the GitHub repo if you want toreport a problemorsuggest an improvement.