Creating a Mutating Admission Controller Webhook for Kubernetes

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Admission controllers affect what actions we let occur on our Kubernetes clusters, either by validating and approving or denying them, or by changing the actual API request objects itself. To alter these objects, we leverage a MutatingAdmissionsWebhook, which parses and updates the object before validation and deployment. In this lab, we’ll write one of these webhooks!

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Write Response

Within the webhooks/label-add-webhook/ directory, update the app/server.js file to create a response object.

Create JSON Patch

Generate a file containing the label information in the appropriate format. Encode it and add it to the response object.

Deploy and Test

If using your own image:

  1. Generate certs.
  2. Update label-add-webhook-registration.yaml with the Base64-encoded output of app/ca.crt.
  3. Log in to Docker; tag and push to repo.
  4. Update label-add-webhook-deploy.yaml with your user name instead of linuxacademycontent.
  5. Deploy webhook and test as described in the instructions.

If using the provided test image: Deploy webhook as described in the instructions.

Additional Resources


You are a DevOps engineer growing tired of having to force everyone to tag their images appropriately. To fix this issue in part, you have resolved to create a mutating admission controller to add the label env=dev to all pods deployed on the dev Kubernetes cluster.

Before You Start

Basic code has been provided within the cloud_user's home directory, under webhooks/label-add-webhook. A fully functioning example is provided under webhooks/example.

You have the option to use the code you write to create your own Docker image or use the one provided with the sample code (linuxacademtcontent/k8s-label-add-webhook:1.0).

To deploy the webhook and test when finished writing the response, run:

cat app/ca.crt | base64 -w 0

Copy the output and update label-add-webhook-registration.yaml with the new encoded cert. Continue:

kubectl apply -f label-add-webhook-deploy.yaml
kubectl apply -f label-add-webhook-registration.yaml

Wait for webhook to launch (kubectl get pods).

kubectl apply -f test-pod.yaml

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?