DevOps Glossary

Kubernetes ValidatingAdmissionWebhook

Kubernetes ValidatingAdmissionWebhook is an admission webhook that accepts or rejects API requests before storage.

Kubernetes ValidatingAdmissionWebhook is an admission control mechanism that accepts or rejects Kubernetes API requests before the API server stores the object in etcd. It lets platform and security teams enforce cluster rules such as blocking privileged pods, requiring images from approved registries, validating required labels, or preventing unsafe changes in production namespaces. When a user, controller, or CI/CD pipeline sends a create, update, delete, or connect request, the API server sends an AdmissionReview request to the configured webhook service; the webhook returns an allowed or denied response, often with a clear reason. ValidatingAdmissionWebhook is commonly used for policy enforcement, security guardrails, compliance checks, and multi-tenant cluster controls. It differs from a MutatingAdmissionWebhook because it does not change the submitted object; it only validates the request and decides whether it can continue. The main benefit is centralized, automated control over what enters the cluster, but it also adds operational responsibility: a slow, unavailable, or poorly configured webhook can block deployments, so teams usually set sensible timeouts, failure policies, and monitoring.
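The AdmissionReview exchange described above, as an added example that is not part of the original glossary entry: the decision logic of a validating webhook that denies privileged pods and images from outside an approved registry. The registry name, the helper names and the sample requests are constructed assumptions, and the HTTPS server the API server would call is omitted.

```python
import json

# Assumption: this allow-list and the sample objects are constructed for illustration.
APPROVED_REGISTRIES = ("registry.example.internal/",)

def containers(pod_spec):
    """Yield every container kind that can carry an image and securityContext."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from pod_spec.get(key) or []

def violations(pod):
    """Return a list of human-readable policy violations for a Pod object."""
    found = []
    for c in containers(pod.get("spec") or {}):
        name = c.get("name", "<unnamed>")
        if (c.get("securityContext") or {}).get("privileged") is True:
            found.append(f"container {name!r} is privileged")
        if not (c.get("image") or "").startswith(APPROVED_REGISTRIES):
            found.append(f"container {name!r} uses image outside approved registries")
    return found

def review(admission_review):
    """Build the AdmissionReview response for one AdmissionReview request."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}  # uid must echo the request
    # Validate only Pod create/update; DELETE carries no new object to inspect.
    if req["kind"]["kind"] == "Pod" and req["operation"] in ("CREATE", "UPDATE"):
        problems = violations(req.get("object") or {})
        if problems:
            response["allowed"] = False
            response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def sample_request(uid, image, privileged):
    """Constructed AdmissionReview request for a single-container Pod."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"spec": {"containers": [{
                            "name": "app", "image": image,
                            "securityContext": {"privileged": privileged}}]}}}}

if __name__ == "__main__":
    for r in (sample_request("u-1", "registry.example.internal/app:1.0", False),
              sample_request("u-2", "docker.io/library/nginx:latest", True)):
        print(json.dumps(review(r)["response"]))
```

The check walks init and ephemeral containers as well as regular ones, since a policy that inspects only `containers` leaves the other two kinds unvalidated.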