They're executed in two phases:
They may be either:
- MutatingAdmissionConfigurations, which may modify or reject the request;
- ValidatingAdmissionConfigurations, which may only reject the request; or
- both MutatingAdmissionConfigurations and ValidatingAdmissionConfigurations, meaning that they run twice.
The list of built-in admission plugins can be found with
kube-apiserver --help | grep enable-admission-plugins.
--enable-admission-plugins API Server switch may be used to enable built-in admission control plugins, and
--disable-admission-plugins disabled the specified plugins even if they'd be enabled by default.