A hands-on demonstration of a Mutating Admission Webhook that enforces and modifies Pod security settings in real-time.
This webhook:
- π Denies Pods that attempt to run as root without explicit permission.
- 𧩠Defaults to
runAsNonRoot: trueand assignsrunAsUser: 1234if nosecurityContextis defined. - βοΈ Allows explicit root access only if
runAsNonRoot: falseis set.
We begin by creating a Secret that stores the TLS certificate and key for secure communication between the API server and the webhook.
We deploy the Admission Webhook Server as a Pod, referencing the Secret we created.
This webhook automatically injects or validates security context configurations based on defined logic.
Next, we expose the webhook via a Kubernetes Service to allow the API server to communicate securely with it.
We define a MutatingWebhookConfiguration that registers our webhook with the Kubernetes API server.
The webhook will trigger only on Pod creation requests.
We create a Pod without specifying a securityContext.
The webhook automatically adds runAsNonRoot: true and sets runAsUser: 1234.
β It worked! Default values were successfully applied.
We test if the webhook respects explicit root permission (runAsNonRoot: false).
β It works! The webhook allowed explicitly configured root containers.
We attempt to create a Pod with conflicting security settings.
The webhook correctly denies the request.
π§ Magnificent! The webhook enforcement logic works perfectly.
- MutatingAdmissionWebhooks dynamically modify or validate resources before creation.
- Webhooks must use TLS for secure communication with the API server.
- You can use them to enforce custom security policies like disallowing root containers.
- Each webhook is defined via a
MutatingWebhookConfigurationorValidatingWebhookConfiguration.
Admission Webhooks give you dynamic, policy-driven control over every Kubernetes resource β before it even exists.