What are Kubernetes admission controllers?

Why Interviewers Ask This

This is a differentiating question used for senior and lead roles. Interviewers want to see if you can explain not just what happens, but why — and what the trade-offs are in different approaches.

Answer

Admission controllers are plugins that intercept requests to the Kubernetes API server after authentication and authorization but before the object is persisted to etcd. They can validate, mutate, or reject requests. Webhook-based admission comes in two types:

(1) Validating Admission Webhooks: validate the request and allow or deny it. They cannot modify the request.
(2) Mutating Admission Webhooks: modify (mutate) the request before validation and persistence. They run before the validating webhooks, so validators see the mutated object.

Common built-in admission controllers: NamespaceLifecycle (prevents operations on terminating namespaces); LimitRanger (applies LimitRange defaults); ResourceQuota (enforces quota); PodSecurity (enforces Pod Security Standards); ServiceAccount (automatically adds the service account); NodeRestriction (limits kubelet permissions).

OPA Gatekeeper: policy-as-code admission controller built on Open Policy Agent (policies written in the Rego language). You define ConstraintTemplates plus Constraints; for example, a Constraint that requires an owner label on every Pod:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: require-owner-label
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
      parameters:
        labels: ["owner"]

Kyverno: policy engine designed for Kubernetes, with Kubernetes-native YAML policies (no Rego). It can validate, mutate, and generate resources; for example, a ClusterPolicy that requires CPU and memory limits on every container:

    apiVersion: kyverno.io/v1
    kind: ClusterPolicy
    metadata:
      name: require-resource-limits
    spec:
      rules:
        - name: check-container-limits
          match:
            resources:
              kinds: [Pod]
          validate:
            message: "Resource limits are required"
            pattern:
              spec:
                containers:
                  - resources:
                      limits:
                        memory: "?*"
                        cpu: "?*"

Certificate injection: cert-manager uses a Mutating Webhook to inject TLS secrets. Istio uses a Mutating Webhook to inject the Envoy sidecar.

Webhook configuration: specify the URL (or service reference) and the CA bundle used to verify the webhook's TLS certificate; failurePolicy: Fail (fail closed: requests are rejected if the webhook is unreachable) vs Ignore (fail open: requests are admitted if the webhook is unreachable); timeoutSeconds; namespaceSelector to exclude system namespaces.
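To make the mechanics concrete, here is an added example (not part of the original answer, and not code from Gatekeeper or Kyverno) of the logic a webhook server runs for both modes. It handles the AdmissionReview v1 document the API server POSTs, enforces the same two rules as the policies above (required "owner" label, CPU and memory limits on every container), and in mutate mode returns a base64-encoded JSON Patch that adds a default label. The request document, label key admission.example.com/checked, and the system-namespace list are constructed for illustration.

```python
"""Admission webhook logic for Pods: validate (required label, resource limits)
and mutate (add a default label via RFC 6902 JSON Patch).  Example code only."""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED_LABELS = ["owner"]            # mirrors the Gatekeeper constraint parameters
# Defence in depth: the webhook's namespaceSelector should already skip these,
# but a server-side skip protects the control plane if that selector is misconfigured.
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def validate_pod(pod):
    """Return a list of violation messages; an empty list means admit."""
    problems = []
    labels = pod.get("metadata", {}).get("labels") or {}
    for key in REQUIRED_LABELS:
        if key not in labels:
            problems.append(f"missing required label '{key}'")
    for c in _containers(pod):
        limits = c.get("resources", {}).get("limits") or {}
        for res in ("cpu", "memory"):
            if not limits.get(res):             # same test as Kyverno's "?*": non-empty
                problems.append(f"container '{c.get('name')}' has no {res} limit")
    return problems


def mutate_pod(pod):
    """Return JSON Patch operations that add a marker label (hypothetical key)."""
    labels = pod.get("metadata", {}).get("labels")
    ops = []
    if labels is None:                          # "add" to a missing map would fail
        ops.append({"op": "add", "path": "/metadata/labels", "value": {}})
        labels = {}
    if "admission.example.com/checked" not in labels:
        # JSON Pointer escapes "/" in a key as "~1"
        ops.append({"op": "add",
                    "path": "/metadata/labels/admission.example.com~1checked",
                    "value": "true"})
    return ops


def review(admission_review, mode):
    """Build the AdmissionReview response for one request. mode: validate|mutate."""
    req = admission_review["request"]
    out = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
           "response": {"uid": req["uid"], "allowed": True}}   # uid must be echoed back
    if req.get("kind", {}).get("kind") != "Pod" or req.get("namespace") in SYSTEM_NAMESPACES:
        return out
    pod = req["object"]
    if mode == "mutate":
        ops = mutate_pod(pod)
        if ops:
            out["response"]["patchType"] = "JSONPatch"
            out["response"]["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
        return out
    problems = validate_pod(pod)
    if problems:
        out["response"]["allowed"] = False
        out["response"]["status"] = {"code": 403, "message": "; ".join(problems)}
    return out


def decode_patch(admission_review):
    """Decode the base64 JSON Patch from a mutate response (for inspection/tests)."""
    return json.loads(base64.b64decode(admission_review["response"]["patch"]))


class Handler(BaseHTTPRequestHandler):
    """/validate and /mutate endpoints, as referenced from a webhook configuration."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        mode = "mutate" if self.path == "/mutate" else "validate"
        out = json.dumps(review(json.loads(body), mode)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


# Constructed sample of what the API server sends: a Pod with no labels and only a memory limit.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "0000-constructed", "operation": "CREATE", "namespace": "default",
                "kind": {"group": "", "version": "v1", "kind": "Pod"},
                "object": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
                           "spec": {"containers": [{"name": "app", "image": "nginx",
                                                    "resources": {"limits": {"memory": "128Mi"}}}]}}}}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW, "validate"), indent=2))
    print(decode_patch(review(SAMPLE_REVIEW, "mutate")))
    # Real deployments wrap the socket in TLS: the API server only calls webhooks over HTTPS,
    # using the caBundle from the webhook configuration to verify the server certificate.
    # HTTPServer(("", 8443), Handler).serve_forever()
```

Running the block denies the sample Pod with the message "missing required label 'owner'; container 'app' has no cpu limit", while the mutate path returns two patch operations (create the labels map, then add the marker label). The same request with namespace kube-system is admitted untouched, which is the behaviour a namespaceSelector exclusion gives you at the configuration level.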

Common Mistake

Rushing to answer is a common mistake. Take two seconds to structure your response: definition → example → trade-off. This structure makes complex Kubernetes (K8s) answers easy to follow.