Admission control takes place before Kubernetes processes the request and after authentication and authorization is passed. It's enabled when launching an API server by adding the --admission-control parameter. Kubernetes recommends having the following plugins within the cluster if the cluster version is greater than or equal to 1.10.0:

--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota

The following sections introduce these plugins and why we need them. For the latest information about supported admission control plugins, please visit the official documentation: https://kubernetes.io/docs/admin/admission-controllers.