Interview › Security & DevSecOps
What is the difference between a validating and a mutating admission webhook? [Intermediate]
Answer
A validating admission webhook approves or denies an API request and cannot change the object. A mutating admission webhook returns a JSON patch that modifies the object before it is validated and persisted. The API server runs mutating webhooks first, then schema validation, then validating webhooks, so validators always see the object as mutated. Mutating webhooks set defaults or inject config; validating webhooks enforce rules.
Technical explanation
Mutating examples include injecting a sidecar, adding labels, setting default resource requests, or adding securityContext defaults. They are registered through a MutatingWebhookConfiguration.
Validating examples include denying privileged pods, public LoadBalancer Services, objects without required owner labels, or images from untrusted registries. They are registered through a ValidatingWebhookConfiguration.
Mutation should be predictable and idempotent, because the API server can reinvoke a mutating webhook (reinvocationPolicy: IfNeeded) after a later webhook changes the object, and validation should produce clear messages so developers understand how to fix violations. Do not rely on mutation alone for a security invariant: a webhook with failurePolicy: Ignore is skipped when it is unreachable, and a later mutating webhook can undo its change, so the same invariant should also be enforced by a validating webhook, which runs after all mutation is done.
Hands-on example
Example: a mutating webhook adds runAsNonRoot: true and seccompProfile.type: RuntimeDefault to the pod's securityContext when they are missing. A validating webhook, which runs afterwards and sees the patched object, denies the pod if it still sets privileged: true on a container or mounts a hostPath volume in a restricted namespace.
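Both halves of that example as one added Go program; this is illustrative code written for this page, not code from the original page or from Kubernetes. The AdmissionReview/AdmissionRequest/AdmissionResponse structs are a hand-written subset of the admission.k8s.io/v1 API so the program builds without k8s.io modules, the "prod" namespace is assumed to be the restricted one, and the sample AdmissionReview is constructed. A real deployment wraps Mutate and Validate in an HTTPS handler (the API server only calls webhooks over TLS) and registers them through MutatingWebhookConfiguration and ValidatingWebhookConfiguration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written subset of the admission.k8s.io/v1 wire format, assumed here to avoid a k8s.io
// dependency (field names match the real API); the response goes back under "response".
type AdmissionReview struct{ Request *AdmissionRequest `json:"request"` }
type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Namespace string          `json:"namespace"`
	Object    json.RawMessage `json:"object"`
}
type AdmissionResponse struct {
	UID       string         `json:"uid"` // must echo the request uid
	Allowed   bool           `json:"allowed"`
	Status    map[string]any `json:"status,omitempty"`    // code + message shown to the user
	PatchType string         `json:"patchType,omitempty"` // "JSONPatch" whenever Patch is set
	Patch     []byte         `json:"patch,omitempty"`     // base64-encoded by encoding/json, as the API expects
}
// Only the Pod fields the two webhooks inspect.
type Pod struct {
	Spec struct {
		SecurityContext map[string]any `json:"securityContext"`
		Containers      []struct {
			SecurityContext *struct{ Privileged bool `json:"privileged"` } `json:"securityContext"`
		} `json:"containers"`
		Volumes []struct {
			HostPath *struct{ Path string `json:"path"` } `json:"hostPath"`
		} `json:"volumes"`
	} `json:"spec"`
}
// Mutate adds runAsNonRoot and a RuntimeDefault seccomp profile only where they are missing
// or null, so values the developer set explicitly are never overwritten.
func Mutate(rev AdmissionReview) (*AdmissionResponse, error) {
	var pod Pod
	if err := json.Unmarshal(rev.Request.Object, &pod); err != nil {
		return nil, err
	}
	sc, ops := pod.Spec.SecurityContext, []map[string]any{} // ops: RFC 6902 JSON Patch
	if sc == nil { // "add" needs the parent object to exist first
		ops = append(ops, map[string]any{"op": "add", "path": "/spec/securityContext", "value": map[string]any{}})
	}
	if sc["runAsNonRoot"] == nil { // lookups on a nil map are safe in Go
		ops = append(ops, map[string]any{"op": "add", "path": "/spec/securityContext/runAsNonRoot", "value": true})
	}
	if sc["seccompProfile"] == nil {
		ops = append(ops, map[string]any{"op": "add", "path": "/spec/securityContext/seccompProfile", "value": map[string]string{"type": "RuntimeDefault"}})
	}
	resp := &AdmissionResponse{UID: rev.Request.UID, Allowed: true}
	if len(ops) > 0 { // omit the patch entirely when nothing needs changing
		resp.Patch, _ = json.Marshal(ops) // plain maps and literals always marshal
		resp.PatchType = "JSONPatch"
	}
	return resp, nil
}

// Validate denies privileged containers and hostPath volumes in a restricted namespace and lists
// every violation, so the developer can fix all of them in one round trip.
func Validate(rev AdmissionReview) (*AdmissionResponse, error) {
	var pod Pod
	if err := json.Unmarshal(rev.Request.Object, &pod); err != nil {
		return nil, err
	}
	resp := &AdmissionResponse{UID: rev.Request.UID, Allowed: true}
	if rev.Request.Namespace != "prod" { // assumption: only "prod" is restricted
		return resp, nil
	}
	var violations []string
	for i, c := range pod.Spec.Containers {
		if c.SecurityContext != nil && c.SecurityContext.Privileged {
			violations = append(violations, fmt.Sprintf("spec.containers[%d].securityContext.privileged=true", i))
		}
	}
	for i, v := range pod.Spec.Volumes {
		if v.HostPath != nil {
			violations = append(violations, fmt.Sprintf("spec.volumes[%d].hostPath=%q", i, v.HostPath.Path))
		}
	}
	if len(violations) > 0 {
		msg := fmt.Sprintf("namespace %q is restricted: %s; remove these fields or deploy elsewhere", rev.Request.Namespace, strings.Join(violations, "; "))
		resp.Allowed, resp.Status = false, map[string]any{"code": 403, "message": msg}
	}
	return resp, nil
}

// Constructed sample: a pod in "prod" with no securityContext, a privileged container and a hostPath volume.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"7c3a","namespace":"prod",
 "object":{"spec":{"containers":[{"name":"app","securityContext":{"privileged":true}}],"volumes":[{"name":"host","hostPath":{"path":"/"}}]}}}}`
func main() {
	var rev AdmissionReview
	json.Unmarshal([]byte(sampleReview), &rev)
	m, _ := Mutate(rev)
	v, _ := Validate(rev)
	fmt.Printf("patch: %s\nallowed: %v (%v)\n", m.Patch, v.Allowed, v.Status["message"])
}
```

Run against the sample, Mutate emits a three-operation patch (create the empty securityContext, then add runAsNonRoot and seccompProfile under it; the parent must be added first because JSON Patch "add" fails on a missing parent), and Validate still denies the pod because the patch did not touch the privileged flag or the hostPath volume. A pod that already sets both securityContext fields gets no patch at all, and a pod outside "prod" is allowed regardless, which is why the namespace check sits before any inspection.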
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]