From Fragile to Resilient: ValidatingAdmissionPolicies Strengthen Kubernetes

A presentation at Cloud Native Rejekts EU 2024 in March 2024 in Paris, France by Marcus Noble

Marcus Noble
@averagemarcus

1 / 47

In the world of Kubernetes, dynamic admission controllers have long played a pivotal role in enhancing the robustness and adaptability of clusters. For instance, the ValidatingWebhookConfiguration, which empowers users to implement intricate and finely-tuned access controls beyond the capabilities of RBAC. However, this newfound agility often comes at a price – the ease with which they can be misconfigured, potentially leading to cluster disruption and downtime.

Historically, we’ve accepted this fragility as an inevitable trade-off for greater control over our clusters. But what if we could change that narrative?

Enter ValidatingAdmissionPolicies!

In this talk we’ll take a look at what makes ValidatingAdmissionPolicies a safer choice for your validation logic and what problems they aim to solve.

We will delve into the world of ValidatingAdmissionPolicies, exploring their features and limitations. We will also draw comparisons with ValidatingWebhookConfigurations, shedding light on the problems they solve. Furthermore, I’ll provide a comprehensive walkthrough on how you can begin leveraging ValidatingAdmissionPolicies today.

Resources

The following resources were mentioned during the presentation or are useful additional information.

KEP-3488: CEL for Admission Control

Proposal for CEL based admission control (ValidatingAdmissionPolicy)
[KEP 3488] Promote ValidatingAdmissionPolicy to GA

Issue tracking the promotion of ValidatingAdmissionPolicy to GA, currently targetting v1.30
Validating Admission Policy Documentation

The official documentation for using ValidatingAdmissionPolicy
KEP-3962: Mutating Admission Policies

Proposal introducing the concept of MutatingAdmissionPolicy
MutatingAdmissionPolicy implementation PR

The work in progress PR adding the functionality for MutatingAdmissionPolicy
Webhooks - What’s the worst that could happen?

My talk from Rejekts in Chicago about the dangers of admission controller webhooks
Common Expression Language in Kubernetes

The official Kubernetes documentation on CEL, including the custom functions available.
Kyverno - Using CEL expressions

The documentation for using CEL with Kyverno policies.
Tekton - CEL expressions

The documentation for using CEL in Tekton Triggers.
cel-go library

The CEL Go library
CEL Playground

An online, interactive tool for building and testing CEL expressions.

Buzz and feedback

Here’s what was said about this presentation on social media.

Nice talk by @Marcus_Noble_ about Validating Admissions Policy in #Kubernetes. So TIL a new TLA: VAP. Keeping VAP and VPA separate in my head is going to be a challenge… @rejektsio #REJEKTS2024 pic.twitter.com/SaxcXF5Rhz
— Andy Randall 🇺🇦 (@ahrkrak) March 17, 2024
my one true love ⁦@Marcus_Noble_⁩ from @giantswarm spilling the beans on a better way for webhooks (feat. cel) pic.twitter.com/KkbPsNOS2h
— Joe Salisbury (@salisbury_joe) March 17, 2024
Now my friend @Marcus_Noble_ with "From Fragile to Resilient: ValidatingAdmissionPolicies Strengthen Kubernetes" https://t.co/Qh83dfxFfh pic.twitter.com/kE59oCfw3V
— Engin Diri (@_ediri) March 17, 2024
Look the CEL Playground helping people all over the world!🤘🏼
An amazing talk about Validation admission policies and more by @Marcus_Noble_ at @rejektsio #rejects2024 #Kubernetes @GetupCloud pic.twitter.com/FRHWscIxd1
— João Brito (@juniorjbn) March 17, 2024
Thank you everyone that came to my talk at @rejektsio

You can find my slides and links to all resources I mentioned here: https://t.co/5I5ZbKVf4R #Rejekts #Rejekts2024 #RejektsParis
— Marcus Noble (@Marcus_Noble_) March 17, 2024
I’m speaking later today at @rejektsio at 4:35pm CET

If you’re not here with us in Paris you can watch along on YouTube here: https://t.co/rSE9VLFtKZ #Rejekts2024 #Rejekts #RejektsParis
— Marcus Noble (@Marcus_Noble_) March 17, 2024
@Marcus_Noble_ is sharing all the reasons you should be using ValidatingAdmissionPolicies to harden your K8s pipeline @rejektsio pic.twitter.com/BzlucLrfnS
— Cortney Nickerson (@TechTalkingMom) March 17, 2024
Next up at #rejekts @rejektsio, @Marcus_Noble_ presents ValidatingAdmissionPolicies, a rather new Kubernetes feature becoming GA in #kubernetes 1.30 next month!

Read more about this new kind of webhook on the Kubernetes blog: https://t.co/KoARWyFIjN pic.twitter.com/r2UpdC9KSC
— Daniel Bodky (@d_bodky) March 17, 2024

From Fragile to Resilient: ValidatingAdmissionPolicies Strengthen Kubernetes

Link for this presentation:

HTML code for embedding:

Share on social media:

Resources

KEP-3488: CEL for Admission Control

[KEP 3488] Promote ValidatingAdmissionPolicy to GA

Validating Admission Policy Documentation

KEP-3962: Mutating Admission Policies

MutatingAdmissionPolicy implementation PR

Webhooks - What’s the worst that could happen?

Common Expression Language in Kubernetes

Kyverno - Using CEL expressions

Tekton - CEL expressions

cel-go library

CEL Playground

Buzz and feedback