admission webhook
also: webhook, validating webhook, mutating webhook, dynamic admission control
A Kubernetes mechanism that intercepts and validates or modifies API requests before they are persisted, allowing cluster administrators to enforce custom policies on resource creation and modification.
An admission webhook is an HTTP callback that Kubernetes invokes during the API server's request processing pipeline. When a user or controller submits a resource (like a Pod or Deployment), the API server sends that request to registered webhooks for inspection before the resource is stored in etcd.
Webhooks come in two types: validating webhooks reject requests that violate policies (e.g., blocking containers that don't use approved image registries), and mutating webhooks modify requests before admission (e.g., automatically injecting sidecar containers or adding labels).
Example: A mutating webhook could automatically inject a security sidecar into every Pod, while a validating webhook ensures all images come from your private registry. Because this enforcement happens at the API level, before the resource is created, admission webhooks are a powerful policy tool.
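The validating case above, as an added example (not code from Kubernetes or from this glossary): the function builds the AdmissionReview v1 response a validating webhook sends back, denying Pods whose images fall outside an approved registry. The registry name, the sample request and the function names are assumptions, and the webhook is assumed to be registered for Pod resources only.

```python
"""Validating-webhook decision logic for AdmissionReview v1 (added example)."""

# Assumption: the approved private registry. The trailing slash keeps a
# look-alike host ("registry.internal.example.other.test") from matching.
ALLOWED_PREFIX = "registry.internal.example/"

# Every place a Pod spec can name an image, not only spec.containers.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def disallowed_images(pod, allowed_prefix=ALLOWED_PREFIX):
    """Return every image in the Pod spec that is not under allowed_prefix."""
    spec = pod.get("spec") or {}
    bad = []
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            image = container.get("image", "")
            if not image.startswith(allowed_prefix):
                bad.append(image or "<empty>")
    return bad


def review(admission_review, allowed_prefix=ALLOWED_PREFIX):
    """Build the AdmissionReview response the API server expects back."""
    req = admission_review["request"]
    # "object" is null on DELETE, so fall back to an empty Pod.
    bad = disallowed_images(req.get("object") or {}, allowed_prefix)
    response = {"uid": req["uid"], "allowed": not bad}  # uid must be echoed
    if bad:
        response["status"] = {
            "code": 403,
            "message": "images outside %s: %s" % (allowed_prefix, ", ".join(bad)),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample request, trimmed to the fields used here.
SAMPLE = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "operation": "CREATE",
        "object": {"kind": "Pod", "spec": {
            "containers": [{"name": "app", "image": "registry.internal.example/app:1.4"}],
            "initContainers": [{"name": "init", "image": "docker.io/library/busybox:1.36"}],
        }},
    },
}
```

In a cluster this function would sit behind an HTTPS endpoint referenced from a ValidatingWebhookConfiguration.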