About the Author

Lee Calcote

Lee Calcote is an innovative product and technology leader, passionate about empowering engineers and enabling organizations. As Founder of Layer5, he is at the forefront of the cloud native movement. Open source, advanced and emerging technologies have been a consistent focus through Calcote’s time at SolarWinds, Seagate, Cisco and Schneider Electric. An advisor, author, and speaker, Calcote is active in the community as a Docker Captain, Cloud Native Ambassador and GSoC, GSoD, and LFX Mentor.


Meshery is the world's only collaborative cloud manager.

Kubernetes is an open-source container orchestration system for automating the deployment, scaling, and management of containerized applications. As part of its functionality, Kubernetes offers a feature called "Admission Controllers" that allow administrators to enforce certain policies on resources being created in the cluster.

In this blog post, we will be discussing a new feature in Kubernetes called "Validating Admission Policies" which is currently in alpha stage. This feature allows administrators to define custom validation rules for resources being created in the cluster and enforce those rules using admission controllers.

What are Admission Controllers?

Admission controllers are pluggable components in the Kubernetes API server that intercept requests to create, update, or delete resources in the cluster. They allow administrators to enforce certain policies on these requests before they are persisted in the etcd database and acted upon by the Kubernetes control plane.

There are various types of admission controllers available in Kubernetes, such as:

  • NamespaceLifecycle: This admission controller enforces policies related to namespace creation and deletion.
  • LimitRanger: This admission controller enforces resource limits on pods, such as CPU and memory limits.
  • PodSecurityPolicy: This admission controller enforces security policies on pods, such as privileged mode, host networking, and volumes.

Validating Admission Policies

Validating admission policies allow administrators to define custom validation rules for resources being created in the cluster. These rules can be defined using a custom resource definition (CRD) called "ValidatingWebhookConfiguration" and are enforced by the ValidatingAdmissionWebhook admission controller.

For example, an administrator may want to enforce a policy that requires all pods in the cluster to have a specific label. They can define this rule using a ValidatingWebhookConfiguration CRD and configure the ValidatingAdmissionWebhook admission controller to enforce it. Any request to create a pod that does not have the required label will be rejected by the admission controller.

Validating admission policies also allow administrators to use external webhooks to perform the validation. This can be useful when the validation logic is complex or requires access to external resources.


Validating admission policies is a new feature in Kubernetes that allows administrators to define custom validation rules for resources being created in the cluster. These rules can be enforced using the ValidatingAdmissionWebhook admission controller, and external webhooks can also be used for complex validation logic. This feature can be useful for enforcing policies and ensuring compliance in a Kubernetes cluster.

Related Blogs

Layer5, the cloud native management company

An empowerer of engineers, Layer5 helps you extract more value from your infrastructure. Creator and maintainer of cloud native standards. Maker of Meshery, the cloud native manager.