Governance & Power

Admission Control and the Rite of Judgment

Admission is where governance becomes enforceable. It is also a place where outages are born.

Authored as doctrine; evaluated as operations.

Doctrine

Admission is judgment. It is the institution that decides which objects may enter the archive and which must be denied.

Kubblai doctrine treats admission as sacred precisely because it is dangerous: it sits in the write path for everything.

Operational failure modes

If you run admission webhooks in production, you must assume they will fail. Design accordingly.

  • Webhook timeouts block deploys and autoscaling writes.
  • Network partitions create partial denial of service.
  • Bad policy rollout bricks clusters (especially when failurePolicy=Fail).
  • Mutating webhooks that rewrite intent create hard-to-debug drift.

Latency as a budget

Admission latency is additive. Multiple webhooks, each ‘only a little slow,’ produce a control-plane incident.

Instrument admission time per webhook. Treat p99 as a platform SLO.

Policy rollout discipline

Roll out policy like software: canaries, staged enforcement, and explicit escape hatches. Admission should not be a cliff.

Prefer validation that fails open (failurePolicy=Ignore), so a webhook outage does not take the write path with it; reserve fail-closed (failurePolicy=Fail) for policies where the risk of admitting a bad object outweighs the loss of availability.

Concrete operator commands

When admission is suspected, your first job is to prove it with evidence.

kubectl

```shell
# Which admission configurations exist, and with what failurePolicy and timeouts
kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations
# Recent events across all namespaces: look for "failed calling webhook" and deadline errors
kubectl get events -A --sort-by=.lastTimestamp | tail -n 60
# Are the usual webhook backends healthy? (rg is ripgrep; "|| true" keeps a no-match exit from aborting a script)
kubectl -n kube-system get pods | rg -i 'webhook|gatekeeper|kyverno' || true
```
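To turn the latency-budget and failurePolicy points above into evidence, here is an added Python audit (not from this page or any project it names) that reads the JSON from `kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json` on stdin, flags fail-closed, default-timeout and unscoped webhooks, and computes the worst-case admission latency. It assumes mutating webhooks are invoked serially and validating webhooks in parallel, and falls back to a constructed sample (placeholder names) when run without input.

```python
import json
import sys

# Kubernetes defaults when a webhook omits these fields (admissionregistration.k8s.io/v1).
DEFAULT_TIMEOUT = 10
DEFAULT_FAILURE_POLICY = "Fail"

def audit_webhooks(config_list, budget_seconds=5):
    """Audit a `kubectl get ... -o json` List. Worst-case latency models mutating
    webhooks as serial (sum of timeouts) and validating webhooks as parallel (max)."""
    findings, mutating_sum, validating_max = [], 0, 0
    for cfg in config_list.get("items", []):
        kind = cfg.get("kind", "")            # kubectl stamps kind on each List item
        for hook in cfg.get("webhooks", []):
            timeout = hook.get("timeoutSeconds", DEFAULT_TIMEOUT)
            policy = hook.get("failurePolicy", DEFAULT_FAILURE_POLICY)
            if kind.startswith("Mutating"):
                mutating_sum += timeout
            else:
                validating_max = max(validating_max, timeout)
            risks = []
            if policy == "Fail":
                risks.append("fail-closed: a webhook outage blocks every matching write")
            if timeout >= DEFAULT_TIMEOUT:
                risks.append("timeoutSeconds at or above the 10s default")
            if "namespaceSelector" not in hook:
                risks.append("no namespaceSelector: kube-system is in scope")
            findings.append({"kind": kind, "config": cfg["metadata"]["name"],
                             "webhook": hook["name"], "timeoutSeconds": timeout,
                             "failurePolicy": policy, "risks": risks})
    worst = mutating_sum + validating_max
    return {"findings": findings, "worst_case_seconds": worst,
            "over_budget": worst > budget_seconds}

# Constructed sample standing in for real kubectl output (names are placeholders).
SAMPLE = {"kind": "List", "items": [
    {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "sample-mutator"},
     "webhooks": [{"name": "mutate.example.invalid", "timeoutSeconds": 10,
                   "failurePolicy": "Fail"}]},
    {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "sample-validator"},
     "webhooks": [{"name": "fast.example.invalid", "timeoutSeconds": 3, "failurePolicy": "Ignore",
                   "namespaceSelector": {"matchLabels": {"policy": "enforced"}}},
                  {"name": "defaults.example.invalid"}]}]}  # everything defaulted: 10s, Fail

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit_webhooks(data), indent=2))
```

On a real cluster, pipe the kubectl JSON into it; the summed worst case is the time a single stalled dependency can cost every write in the cluster.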