Skip to content
Latchkey

What Is a Validating Webhook?

A validating admission webhook runs after any mutating webhooks and returns only an allow or deny decision for the final object. It cannot change the resource, so its sole job is to enforce constraints such as required fields or forbidden settings. If any validating webhook denies the request, the API server rejects it.

Why it matters

Validation is the last gate before a resource is persisted, making it the right place for hard policy enforcement. Running after mutation ensures the object checked is exactly what will be stored.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →