Validating edit control
If the object is a cluster scoped resource other than a Namespace, See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
API servers can make objects available via multiple API groups or versions. Here is an example of a mutating webhook configured to call a service on port “1234” at the subpath “/my-path”, and to verify the TLS connection against the Server Name sent to them.
After all object modifications are complete, and after the incoming object is validated by the API server, validating admission webhooks are invoked and can reject requests to enforce custom policies.
Each configuration can contain one or more webhooks. Each webhook must specify a list of rules used to determine if a request to the API server should be sent to the webhook.
Each rule specifies one or more operations, apiGroups, apiVersions, and resources, and a resource scope. If an incoming request matches one of the specified operations, groups, versions, resources, and scope for any of a webhook’s rules, the request is sent to the webhook.
Note: Admission webhooks that need to guarantee they see the final state of the object in order to enforce policy should use a validating admission webhook, since objects can be modified after being seen by mutating webhooks.
Admission webhooks are essentially part of the cluster control-plane.
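The rule matching described above can be checked offline before a policy is relied on. The following is an added example, not code from Kubernetes or from this page: a simplified model of literal rule matching, where `Rule`, `Request` and `sent_to_webhook` are hypothetical names, an empty `namespace` is assumed to mean a cluster-scoped object, and matching of equivalent API versions is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    operations: tuple
    api_groups: tuple          # "" is the core group
    api_versions: tuple
    resources: tuple           # "pods", "pods/status", "*/*", ...
    scope: str = "*"           # "Cluster", "Namespaced" or "*"

@dataclass(frozen=True)
class Request:
    operation: str             # CREATE, UPDATE, DELETE or CONNECT
    group: str
    version: str
    resource: str
    subresource: str = ""
    namespace: str = ""        # assumption: empty means cluster-scoped

def _listed(values, item):
    return "*" in values or item in values

def _resource_listed(patterns, resource, subresource):
    # "deployments" names only the resource itself, "deployments/scale"
    # names one subresource, and "*/*" names every resource and subresource.
    for pattern in patterns:
        res, _, sub = pattern.partition("/")
        if res in ("*", resource) and sub in ("*", subresource):
            return True
    return False

def rule_matches(rule, req):
    scope = "Namespaced" if req.namespace else "Cluster"
    return (_listed(rule.operations, req.operation)
            and _listed(rule.api_groups, req.group)
            and _listed(rule.api_versions, req.version)
            and _resource_listed(rule.resources, req.resource, req.subresource)
            and rule.scope in ("*", scope))

def sent_to_webhook(rules, req):
    return any(rule_matches(rule, req) for rule in rules)

RULES = [Rule(("CREATE", "UPDATE"), ("apps",), ("v1",), ("deployments",), "Namespaced")]  # constructed sample rule
if __name__ == "__main__":
    for req in (Request("UPDATE", "apps", "v1", "deployments", namespace="prod"),
                Request("UPDATE", "apps", "v1", "deployments", "scale", "prod"),
                Request("UPDATE", "apps", "v1beta1", "deployments", namespace="prod")):
        print(req, "->", sent_to_webhook(RULES, req))
```

Under this model the sample rule is not matched by a request to the `deployments/scale` subresource or by the same resource under another version, which is the kind of coverage gap worth reviewing when a validating webhook is meant to enforce policy.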
This example shows a validating webhook that intercepts modifications to deployments (no matter the API group or version), and is always sent an is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. This is because a call to an admission webhook does not guarantee the admitted object will be persisted as is, or at all.