Dynamic Admission Webhooks Overview

From Kubernetes mutating and validating webhook mechanisms:

Istio uses ValidatingAdmissionWebhooks for validating Istio configuration and MutatingAdmissionWebhooks for automatically injecting the sidecar proxy into user pods.

The webhook setup guides assuming general familiarity with Kubernetes Dynamic Admission Webhooks. Consult the Kubernetes API references for detailed documentation of the Mutating Webhook Configuration and Validating Webhook Configuration.

Verify dynamic admission webhook prerequisites

See the platform setup instructions for Kubernetes provider specific setup instructions. Webhooks will not function properly if the cluster is misconfigured. You can follow these steps once the cluster has been configured and dynamic webhooks and dependent features are not functioning properly.

  1. Verify you’re using a supported version (1.17, 1.18, 1.19, 1.20) of kubectl and of the Kubernetes server:

    $ kubectl version --short
    Client Version: v1.19.0
    Server Version: v1.19.1
    
  2. admissionregistration.k8s.io/v1 should be enabled

    $ kubectl api-versions | grep admissionregistration.k8s.io/v1
    admissionregistration.k8s.io/v1
    admissionregistration.k8s.io/v1beta1
    
  3. Verify MutatingAdmissionWebhook and ValidatingAdmissionWebhook plugins are listed in the kube-apiserver --enable-admission-plugins. Access to this flag is provider specific.

  4. Verify the Kubernetes api-server has network connectivity to the webhook pod. e.g. incorrect http_proxy settings can interfere api-server operation (see related issues here and here for more information).

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!