Admission webhooks: the polite way to say no

A mutating webhook that silently rewrites container images without announcing itself becomes organizational debt overnight: the next on-call engineer sees a Pod that does not match its manifest and has no idea why. We teach teams to publish policy links next to the webhook configuration so on-call engineers know where to read the rationale. Think of it as putting the recipe on the fridge, not locking it in a chef-only tablet.

Labs start with a validating configuration that only checks for required labels. Once that feels boring, we introduce a mutating patch that injects sidecar metadata but logs every change to an activity log your auditors can sample. Participants compare two approaches: one team centralizes changes in a single cluster-wide webhook, the other federates them per namespace. Both can work if the documentation matches reality.

We also spend time on failure modes: apiserver latency spikes when webhook endpoints cold start, and a webhook that exceeds its timeout is handled according to its failurePolicy, so Fail (the default) blocks the request while Ignore lets it through unchecked. You learn to chart p99 webhook latency beside admission reject counts so product teams see correlation instead of blame. The session closes with a worksheet for deciding when to run a webhook in shadow mode, logging what it would deny without denying it, before enforcing it: no absolutes, just prompts.
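The two handlers the labs build, written out as an added example in Go that is not part of the original notes or of any lab material: a validator that requires labels and a mutator that injects sidecar metadata as annotations through a JSON patch, with every denial and every patch operation written to the log for auditors to sample. Shadow mode is implemented here as an Enforce flag inside the handler, which is an assumption (an audit-only webhook configuration is the other common way to do it). The annotation keys, the DocURL, the label names and samplePod are all invented; the structs are a hand-written subset of the admission.k8s.io/v1 response so the code runs on the standard library alone, and the HTTPS server and AdmissionReview envelope that wrap these handlers in a real deployment are left out.

```go
package main

import (
	"encoding/json"
	"log"
	"strings"
)

// Hand-written subset of the admission.k8s.io/v1 response and the object under review (no k8s.io imports).
type (
	admissionResponse struct {
		UID       string            `json:"uid"`
		Allowed   bool              `json:"allowed"`
		Status    map[string]string `json:"status,omitempty"`
		Patch     []byte            `json:"patch,omitempty"` // base64-encoded on the wire by encoding/json
		PatchType string            `json:"patchType,omitempty"`
	}
	jsonPatchOp struct { // one RFC 6902 operation; a mutating response carries a list of them
		Op    string      `json:"op"`
		Path  string      `json:"path"`
		Value interface{} `json:"value,omitempty"`
	}
	objectMeta struct { // the only part of the admitted object either handler reads
		Metadata struct {
			Name        string            `json:"name"`
			Labels      map[string]string `json:"labels"`
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	}
)

// Policy is what an operator would publish beside the webhook configuration.
type Policy struct {
	RequiredLabels []string
	Enforce        bool   // false = shadow mode: log what would be denied, allow everything
	DocURL         string // rationale link placed in every rejection message (assumed URL)
}

// Hypothetical annotation keys the mutating path injects.
var sidecarAnnotations = [][2]string{{"sidecar.example.com/inject", "true"}, {"sidecar.example.com/policy", "v1"}}

// Validate denies an object lacking a required label; in shadow mode the verdict is only logged.
func (p Policy) Validate(uid string, object []byte) *admissionResponse {
	resp := &admissionResponse{UID: uid, Allowed: true}
	var obj objectMeta
	if err := json.Unmarshal(object, &obj); err != nil { // fail closed on input we cannot parse
		resp.Allowed, resp.Status = false, map[string]string{"message": "malformed object: " + err.Error()}
		return resp
	}
	var missing []string
	for _, l := range p.RequiredLabels {
		if _, ok := obj.Metadata.Labels[l]; !ok {
			missing = append(missing, l)
		}
	}
	if len(missing) > 0 {
		msg := "missing required labels " + strings.Join(missing, ",") + "; rationale: " + p.DocURL
		log.Printf("validate name=%s verdict=deny enforce=%t reason=%q", obj.Metadata.Name, p.Enforce, msg)
		if p.Enforce {
			resp.Allowed, resp.Status = false, map[string]string{"message": msg}
		}
	}
	return resp
}

// Mutate adds absent sidecar annotations, never overwriting a value the author set, and logs each operation.
func (p Policy) Mutate(uid string, object []byte) (*admissionResponse, error) {
	var obj objectMeta
	if err := json.Unmarshal(object, &obj); err != nil {
		return nil, err
	}
	var ops []jsonPatchOp
	if obj.Metadata.Annotations == nil { // "add" under a missing parent fails, so create the map first
		ops = append(ops, jsonPatchOp{Op: "add", Path: "/metadata/annotations", Value: map[string]string{}})
	}
	for _, kv := range sidecarAnnotations {
		if _, set := obj.Metadata.Annotations[kv[0]]; set {
			continue
		}
		// RFC 6901: the "/" in an annotation key is written as "~1" inside the pointer path.
		path := "/metadata/annotations/" + strings.ReplaceAll(kv[0], "/", "~1")
		ops = append(ops, jsonPatchOp{Op: "add", Path: path, Value: kv[1]})
		log.Printf("mutate name=%s op=add path=%s value=%q", obj.Metadata.Name, path, kv[1])
	}
	resp := &admissionResponse{UID: uid, Allowed: true}
	if len(ops) > 0 {
		resp.Patch, _ = json.Marshal(ops) // plain structs and strings; Marshal cannot fail here
		resp.PatchType = "JSONPatch"
	}
	return resp, nil
}

const samplePod = `{"metadata":{"name":"api-0"}}` // constructed input: a Pod with no labels or annotations

func main() {
	p := Policy{RequiredLabels: []string{"team", "cost-center"}, Enforce: true, DocURL: "https://wiki.example.com/platform/admission"}
	v, _ := json.Marshal(p.Validate("7c3e", []byte(samplePod)))
	m, _ := p.Mutate("7c3e", []byte(samplePod)) // well-formed input, so no error
	mj, _ := json.Marshal(m)
	log.Printf("validate: %s\nmutate: %s", v, mj)
}
```

Run it with go run to see both responses for the constructed Pod: the validator denies with the rationale link in the message, and the mutator returns three operations because it has to create the annotations map before it can add keys to it. Two details matter in production: the response must carry the request's uid back, since the apiserver rejects a reply whose uid does not match, and the malformed-input branch stays a denial even in shadow mode, because a parser failure is not a policy decision you want to silently wave through.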

If your organization already runs a service mesh, we map how mesh policies intersect with admission decisions without forcing you to rip anything out. The point is shared vocabulary between platform and application engineers.
