Kubernetes Role-Based Access Control (RBAC) provides some level of control over the resources hosted by a cluster. However, RBAC can only decide whether top-level resources, like deployments or pods, may be created; it does not look at what those resources contain.
A pod can host almost anything, so it’s often not enough to allow or disallow the deployment of a pod. Instead, teams need to inspect the properties of a given pod before allowing or denying it.
Admission controllers provide the ability to inspect, modify, accept, or reject new resources by passing them to a custom service. This allows a fine-grained level of control over resources created in a cluster and ensures only those resources that meet your particular requirements are deployed.
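To make the "custom service" concrete, here is an added example (not code from the original page) of the decision logic a validating admission webhook could run on the `AdmissionReview` request the API server sends it. The policy itself (one trusted registry, no privileged containers, no `hostNetwork`), the registry name and the sample request are assumptions constructed for illustration; the HTTPS server and webhook registration are left out.

```python
import json

# Assumed policy for illustration: the only registry this cluster trusts.
ALLOWED_REGISTRIES = ("registry.example.internal/",)

def pod_violations(pod):
    """Return the reasons a Pod object breaks the assumed policy."""
    spec = pod.get("spec") or {}
    problems = []
    if spec.get("hostNetwork"):
        problems.append("hostNetwork is not allowed")
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            problems.append(f"{name}: image {image!r} is not from an allowed registry")
        if (c.get("securityContext") or {}).get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
    return problems

def review(admission_review):
    """Build the AdmissionReview response for an AdmissionReview request."""
    request = admission_review["request"]
    problems = []
    if request.get("kind", {}).get("kind") == "Pod":
        problems = pod_violations(request.get("object") or {})
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed sample: the shape of the request the API server POSTs to a webhook.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {"metadata": {"name": "demo"}, "spec": {"containers": [
            {"name": "app", "image": "registry.example.internal/app:1.4"},
            {"name": "debug", "image": "docker.io/library/busybox",
             "securityContext": {"privileged": True}},
        ]}},
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

The response must echo the request's `uid`, and the `status.message` is what the user sees when the API server rejects the pod.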