Admission Controller

Admission Controller is a Kubernetes-native component that evaluates resource creation requests after they are authenticated and authorized, but before they are deployed to the cluster. It applies real-time security policies from posture controls to image scanning rules to block non-compliant workloads at deploy time. Admission Controller enables a shift-left approach by preventing risky configurations and vulnerable images from reaching production. This reduces runtime exposure and strengthens security posture across Kubernetes environments.

Prerequisites

To enable Admission Controller in your Secure SaaS account, contact Sysdig Support.

Once enabled, follow the steps on Installation and Configuration.

Features

Installing the Admission Controller enables multiple layers of security checks across runtime security, audit logging, and posture management with the following features:

  • Deploy-Time Image Scanning: Admission Controller integrates with scan policies to evaluate images at deployment time, blocking workloads that use images with CVEs, misconfigurations, or policy violations. Workloads are rejected before scheduling to a node, eliminating unnecessary risk.
  • Kubernetes Audit Logging: This feature enables Audit Detections to record API-level admission decisions, including who attempted deployments, when, and why actions were allowed or blocked. This provides a complete audit trail for security investigations and policy tuning.
  • Kubernetes Posture Enforcement: This feature applies posture policies to define best practices, such as preventing privileged containers, enforcing non-root users, or applying resource limits. The Admission Controller evaluates these policies during admission and blocks non-compliant deployments. You can assign different policies per Zone to account for environment-specific constraints (for example, staging versus production).

Key Capabilities

  • HTTP Webhook Architecture

    • Admission Controller uses HTTP webhooks instead of gRPC, improving integration, compatibility, and maintainability across Kubernetes environments.
  • Flexible Configuration and Helm Chart Enhancements

    • Granular controls to enable or disable enforcement modules based on use case, for example enabling vulnerability validation while disabling posture management.
    • Configurable backend connection timeout settings for better reliability and control.
    • Enhanced defaulting and override options for flexible and resilient deployments.
  • Unified Enforcement Path

    • Admission Controller logic is unified with the Vulnerability Management Admission Validation Engine. This simplifies deployment architecture, reduces operational overhead, and prepares the platform for further innovation.

Benefits

  • Improved Security Posture at Deploy Time
    With Admission Controller, you can prevent insecure or vulnerable workloads from being deployed by enforcing security and compliance policies earlier in the deployment pipeline.

  • Unified Security Foundation
    This release establishes a foundation for expanding and unifying cloud-native security enforcement across Kubernetes and other environments.

How it Works

The Admission Controller uses the standard Kubernetes ValidatingAdmissionWebhook architecture for dynamic admission control.

  • The API server sends an AdmissionReview request to every registered validating webhook whose rules match the object and operation.

  • Webhooks run in parallel and must either allow or reject the resource; a validating webhook cannot modify it.

  • The resources are evaluated against the Sysdig SaaS backend to determine whether they comply with the applied Vulnerability or Posture policies.

  • The API server waits up to the configured timeout (default 10s, maximum 30s). On timeout or error, failure_policy (Fail/Ignore) determines whether the resource is rejected or allowed.
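The exchange above, as an added example that is not Sysdig's code: the decision logic of a validating webhook that takes an AdmissionReview request, checks the Pod against three illustrative posture rules taken from the Features section (no privileged containers, runAsNonRoot enforced, cpu and memory limits present), and builds the AdmissionReview response the API server expects (same uid, allowed flag, status message on rejection, never a patch). The rule names, function names and the sample request are this example's own assumptions; transport (HTTPS serving) and the Sysdig backend call are out of scope.

```python
import json
from typing import List

# Illustrative posture rules (assumed for this example, not Sysdig's policy set).
def posture_violations(pod: dict) -> List[str]:
    """Return human-readable violations for a Pod object; an empty list means compliant."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {c['name']} is privileged")
        # runAsNonRoot may be set at pod or container level; the container setting wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            violations.append(f"container {c['name']} does not enforce runAsNonRoot")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            violations.append(f"container {c['name']} is missing cpu/memory limits")
    return violations

def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response: echo the request uid, set allowed,
    and explain a rejection in status.message. A validating webhook returns no patch."""
    req = admission_review["request"]
    violations = posture_violations(req.get("object", {}))
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

# Constructed sample request: a Pod that is privileged and does not enforce runAsNonRoot.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",  # placeholder uid
        "operation": "CREATE",
        "object": {"kind": "Pod", "spec": {"containers": [{
            "name": "app",
            "image": "registry.example.invalid/app:1.0",  # placeholder image
            "securityContext": {"privileged": True},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }]}},
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

Because the response must carry the request uid, an empty or mismatched response is treated by the API server like an error, which is exactly the case where failure_policy decides the outcome.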

Admission Controller Results

You can view Admission Controller events in two places within the Sysdig Secure Platform:

For examples, see Vulnerability Policies or Posture Policies.