A major security feature provided by Kubernetes are plugins are called “admission controllers” that can be enabled for production workloads needing advanced security. Admission controllers are either "validating", "mutating", or both. Mutating controllers may modify the objects they admit; validating controllers may not.
Mutating admission Webhooks are invoked first, and can modify objects sent to the API server to enforce custom defaults. After all object modifications are complete and the incoming object is validated by the API server, validating admission webhooks are invoked that can reject requests to enforce custom policies.
Kubernetes added support for mutating admission webhooks starting version 1.16. DeepFactor currently supports the following versions: