Kubernetes - Webhook

Last Updated: 2023-01-29

Webhooks may run as containers in k8s; webhooks can be used to extend admission control. e.g. istio / linkerd has registered admission hooks: user submits normal yaml configs, and "Mutating Admission" stage will add the sidecar container to it.

There are 3 kinds of webhooks:

  • admission webhook. 2 types of admission webhook: mutating and validating admission webhook.
  • authorization webhook.
  • CRD conversion webhook.

Webhook vs Binary Plugin

  • Webhook model: Kubernetes makes a network request to a remote service.
  • Binary Plugin model: Kubernetes executes a binary (program). Binary plugins are used by the kubelet and by kubectl.


Gatekeeper deploys one Validating webhook and one Mutating webhook that watches all kinds in all apigroups.

It’s basically one big webhook that checks all constraints created via Gatekeeper yamls.

We cannot use Gatekeeper when the validation logic requires queries to the APIServer. For those more complicated policies, we need to write our own webhook.

How to delete Webhooks

Delete the Webhook Configurations:

$ kubectl delete mutatingwebhookconfigurations --all
$ kubectl delete validatingwebhookconfigurations --all