Skip to content

ingress-nginx admission webhooks

ingress-nginx admission webhooks are validation mechanisms automatically deployed during the installation of the ingress-nginx controller. They function as Kubernetes Admission Webhooks to verify the correctness of Ingress resources before they are accepted by the cluster^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md].

Deployment

When the ingress-nginx controller is installed—for example, by applying a standard deployment manifest—Kubernetes automatically creates the resources required for these webhooks^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md].

The specific resources created include: * validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission * service/ingress-nginx-controller-admission * Roles and ClusterRoles (ingress-nginx-admission) * Jobs (ingress-nginx-admission-create, ingress-nginx-admission-patch)

^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md]

Operation

The admission control process is initialized by two distinct jobs that run immediately after the deployment command is issued^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md].

  1. ingress-nginx-admission-create: This job typically generates the necessary secrets or configuration required by the webhook server^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md].
  2. ingress-nginx-admission-patch: This job updates or patches existing configurations to ensure the webhook is correctly integrated into the admission chain^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md].

Once these jobs have completed their tasks, the underlying ingress-nginx-admission pods transition to a Completed status^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md]. The validation service itself runs as a ClusterIP service named ingress-nginx-controller-admission^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md].

Sources

^[400-devops__06-Kubernetes__k8s-learning__06.ingress__README.md]