#Kyverno

1 post

K8s Advanced #3: Admission Controller — OPA Gatekeeper / Kyverno

The K8s API server has a stage that can inspect and mutate manifests right before they are persisted to etcd. This stage, the Admission Controller, is where a cluster's policy engine plugs in. Policies such as "reject containers without resource limits," "require specific labels," or "restrict image registries" are enforced at the manifest level without changing a line of application code. This post walks through where the admission stage sits in the request flow, the built-in admission controllers, ValidatingWebhook and MutatingWebhook, and the policy models of the two main engines, OPA Gatekeeper and Kyverno, in a single pass.