The ECR validation webhook is an example of a serverless admission controller for Kubernetes. While dynamic admission controllers such as the mutating and validation webhooks are often run within the cluster, it is not required. The ValidatingWebhookConfiguration spec includes a URL field that allows you to reference an arbitrary URL so long as it begins with "https://". This flexibility allows you to run your webhook as an HTTP API endpoint backed by an AWS Lambda function.
This particular project runs a validation webhook that inspects the images referenced in pods. If the image is being pulled from an ECR registry, the webhook calls the DescribeImageScanFindings API to see whether the referenced images have critical vulnerabilities. When found, the webhook responds with False which tells the API to reject the request. It also returns a message with a list of CVEs related to the vulnerabilities discovered. These appear as events within Kubernetes.