Cybersecurity Kubernetes Subjective
Oct 07, 2025

What are Kubernetes admission controllers and how do you implement custom admission webhooks?

Detailed Explanation
Admission controllers are plugins that intercept requests to the Kubernetes API server before the object is persisted, enabling policy enforcement and resource modification.

Types of Admission Controllers:
• Validating: Validate requests (accept/reject)
• Mutating: Modify requests before validation
• Built-in: ResourceQuota, LimitRanger, PodSecurity
• Custom: Webhooks for organization-specific policies

Admission Webhook Flow:
1. API request received
2. Authentication and authorization
3. Mutating admission webhooks
4. Object schema validation
5. Validating admission webhooks
6. Object persistence to etcd

Example Webhook Configuration:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-policy
webhooks:
- name: validate-pods.example.com   # must be a fully qualified name; example.com is a placeholder
  clientConfig:
    service:
      name: webhook-service
      namespace: default
      path: /validate
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  admissionReviewVersions: ["v1"]   # required in admissionregistration.k8s.io/v1
  sideEffects: None                 # required in admissionregistration.k8s.io/v1

Best Practices:
• Implement proper error handling
• Use timeouts and failure policies
• Validate webhook certificates
• Monitor webhook performance
• Test thoroughly before deployment
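The configuration above only registers the webhook; the service behind /validate still has to answer each AdmissionReview. The following is an added example, not code from the original page: a standard-library Python handler that fails closed on malformed input. The policy (deny privileged containers), port 8443 and the tls.crt/tls.key paths are assumptions.

```python
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample request (not captured from a real cluster).
SAMPLE = json.dumps({"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1", "object": {"spec": {"containers": [
        {"name": "app", "securityContext": {"privileged": True}}]}}}}).encode()

def review(body: bytes) -> dict:
    """Build the AdmissionReview reply for a raw AdmissionReview request body."""
    resp = {"uid": "", "allowed": False}  # fail closed until the Pod passes
    try:
        req = json.loads(body)["request"]
        resp["uid"] = req["uid"]  # the reply must echo the request UID
        spec = req["object"]["spec"]
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        bad = [str(c["name"]) for c in containers
               if (c.get("securityContext") or {}).get("privileged") is True]
    except (ValueError, KeyError, TypeError, AttributeError):
        resp["status"] = {"message": "malformed AdmissionReview"}
    else:
        resp["allowed"] = not bad
        if bad:  # assumed policy: no privileged containers
            resp["status"] = {"message": "privileged containers denied: " + ", ".join(bad)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        # The API server appends a query string (?timeout=...) to the configured path.
        if self.path.split("?")[0] != "/validate":
            return self.send_error(404)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = json.dumps(review(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":
    print(review(SAMPLE)["response"])  # offline check against the constructed sample
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("tls.crt", "tls.key")  # assumed certificate and key paths
    srv = HTTPServer(("", 8443), Handler)  # assumed port
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

The API server only calls webhooks over HTTPS, so the serving certificate must chain to the CA referenced in the webhook's clientConfig.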