External

• https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
• https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#admission

Internal

• Kubernetes Control Plane and Data Plane Concepts

Overview

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the metadata, but after the request is authenticated and authorized. There is a fixed set of admission controller that include AlwaysPullImages, PodSecurityPolicy, etc. The controllers are compiled into the kube-apiserver binary, and may only be configured by the cluster administrator.

Admission Controller Types

AlwaysPullImages

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages

PodSecurityPolicy

PodSecurityPolicy Admission Controller

DefaultStorageClass

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass

Persistent Volume Claims and Storage Class

Admission Controller Operations

Admission Controller Operations