https://backend-engineering-strategy-tools.github.io/site/tags/admission-control/Recent content in Admission-Control on Backend Engineering Strategy ToolsHugo -- gohugo.ioen-usMon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/Mon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/<p>Kubernetes has three distinct policy enforcement mechanisms. They sit at the same point in the request lifecycle — the admission controller — but differ in language, capability, and operational complexity.</p> <table> <thead> <tr> <th></th> <th>Kyverno</th> <th>Gatekeeper (OPA)</th> <th>ValidatingAdmissionPolicy</th> </tr> </thead> <tbody> <tr> <td>Language</td> <td>YAML/JMESPath</td> <td>Rego</td> <td>CEL</td> </tr> <tr> <td>Native to K8s</td> <td>No (CRD)</td> <td>No (CRD)</td> <td>Yes (built-in)</td> </tr> <tr> <td>Validate</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Mutate</td> <td>Yes</td> <td>Limited</td> <td>Yes (1.32+)</td> </tr> <tr> <td>Generate</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>Image verify</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>GA since</td> <td>—</td> <td>—</td> <td>K8s 1.30</td> </tr> <tr> <td>Good for</td> <td>Full-featured, K8s-native feel</td> <td>Rego-first teams, policy-as-data</td> <td>Simple rules, no extra install</td> </tr> </tbody> </table> <h2 id="validatingadmissionpolicy-vap">ValidatingAdmissionPolicy (VAP) </h2><p>Added in Kubernetes 1.26, <strong>GA in 1.30</strong>. Policies are built into the API server — no admission controller to deploy or maintain. Policy is written in <strong>CEL</strong> (Common Expression Language), a simple expression language also used in Kubernetes&rsquo; <code>x-kubernetes-validations</code> CRD validation.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicy</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">failurePolicy</span>: <span style="color:#ae81ff">Fail</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchConstraints</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">resourceRules</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;apps&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">apiVersions</span>: [<span style="color:#e6db74">&#34;v1&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">operations</span>: [<span style="color:#e6db74">&#34;CREATE&#34;</span>, <span style="color:#e6db74">&#34;UPDATE&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">resources</span>: [<span style="color:#e6db74">&#34;deployments&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">validations</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">expression</span>: &gt;<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> object.spec.template.spec.securityContext.runAsNonRoot == true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">message</span>: <span style="color:#e6db74">&#34;Pods must run as non-root&#34;</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicyBinding</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root-binding&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">policyName</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validationActions</span>: [<span style="color:#ae81ff">Deny]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchResources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespaceSelector</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchLabels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">enforce-policy</span>: <span style="color:#e6db74">&#34;true&#34;</span> </span></span></code></pre></div><p>The <code>ValidatingAdmissionPolicyBinding</code> scopes where a policy applies — cluster-wide, specific namespaces, or by label selector.</p> <h3 id="cel-basics">CEL basics </h3><p>CEL expressions have access to <code>object</code> (the incoming resource), <code>oldObject</code> (for updates), <code>request</code> (metadata, user, etc.), and <code>params</code> (a referenced ConfigMap or CRD for parameterisation).</p> <pre tabindex="0"><code># Simple field check object.spec.replicas &lt;= 10 # Nested optional field (use ?. for optional traversal) object.spec.template.spec.?securityContext.?runAsNonRoot == optional.of(true) # List comprehension — all containers must have limits object.spec.template.spec.containers.all(c, has(c.resources) &amp;&amp; has(c.resources.limits) ) # String operations object.metadata.name.startsWith(&#34;prod-&#34;) </code></pre><h3 id="mutatingadmissionpolicy">MutatingAdmissionPolicy </h3><p>Added in Kubernetes 1.32 (alpha). Brings CEL-based mutation — set defaults, inject labels, patch fields — without Kyverno or a webhook. Still early; not production-ready yet.</p> <h2 id="gatekeeper">Gatekeeper </h2><p>OPA running as a Kubernetes admission controller. Policies are written in Rego and stored as <code>ConstraintTemplate</code> CRDs. The separation between template (the Rego logic) and constraint (the enforcement configuration + parameters) is the key design pattern.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">templates.gatekeeper.sh/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConstraintTemplate</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">k8srequiredlabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">crd</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">names</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validation</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">openAPIV3Schema</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">properties</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">array</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">items</span>: {<span style="color:#f92672">type</span>: <span style="color:#ae81ff">string}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">targets</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">target</span>: <span style="color:#ae81ff">admission.k8s.gatekeeper.sh</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">rego</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> package k8srequiredlabels </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> violation[{&#34;msg&#34;: msg}] { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> provided := {label | input.review.object.metadata.labels[label]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> required := {label | label := input.parameters.labels[_]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> missing := required - provided </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> count(missing) &gt; 0 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> msg := sprintf(&#34;missing required labels: %v&#34;, [missing]) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> }</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">constraints.gatekeeper.sh/v1beta1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">require-team-label</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#e6db74">&#34;Namespace&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">parameters</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: [<span style="color:#e6db74">&#34;team&#34;</span>, <span style="color:#e6db74">&#34;environment&#34;</span>] </span></span></code></pre></div><p>Gatekeeper also supports <strong>audit mode</strong> — it continuously evaluates existing resources against policies and surfaces violations without blocking. Useful for measuring compliance against policies you&rsquo;re not yet ready to enforce.</p> <h3 id="gatekeeper-vs-kyverno">Gatekeeper vs Kyverno </h3><p>Kyverno is better if your team does not know Rego and wants policies that look like Kubernetes manifests. Gatekeeper is better if you are already invested in OPA/Rego and want a single policy language across K8s and non-K8s surfaces (via Conftest).</p> <p>The K8s-native VAP is the right default for simple validation rules on new clusters — no extra install, but it does not cover mutation (until 1.32+), generation, or image verification.</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://open-policy-agent.github.io/gatekeeper/" target="_blank" rel="noopener" >Gatekeeper documentation</a></li> <li><a class="link" href="https://github.com/open-policy-agent/gatekeeper-library" target="_blank" rel="noopener" >Gatekeeper library</a> — ready-made ConstraintTemplates</li> <li><a class="link" href="https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/" target="_blank" rel="noopener" >ValidatingAdmissionPolicy docs</a></li> <li><a class="link" href="https://kubernetes.io/docs/reference/using-api/cel/" target="_blank" rel="noopener" >CEL in Kubernetes</a></li> <li><a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/" >Kyverno</a> — separate note</li> </ul>https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/Mon, 01 Jan 2024 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/<p>Kyverno is a policy engine for Kubernetes. It runs as an admission controller and intercepts every resource creation or update, applying rules that validate, mutate, or generate resources. Policies are written as Kubernetes CRDs in YAML — no Rego, no separate language to learn. If you can write a Kubernetes manifest, you can write a Kyverno policy.</p> <h2 id="three-rule-types">Three rule types </h2><p><strong>Validate</strong> — reject resources that don&rsquo;t meet requirements:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">kyverno.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ClusterPolicy</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">require-labels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">rules</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">check-team-label</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">any</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">resources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#ae81ff">Deployment]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validate</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">message</span>: <span style="color:#e6db74">&#34;Deployments must have a &#39;team&#39; label.&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">pattern</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">team</span>: <span style="color:#e6db74">&#34;?*&#34;</span> </span></span></code></pre></div><p><strong>Mutate</strong> — automatically add or modify fields on admission:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">add-default-resources</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">any</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">resources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#ae81ff">Pod]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">mutate</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">patchStrategicMerge</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">containers</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">(name)</span>: <span style="color:#e6db74">&#34;*&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">resources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">requests</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">+(memory)</span>: <span style="color:#e6db74">&#34;64Mi&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">+(cpu)</span>: <span style="color:#e6db74">&#34;250m&#34;</span> </span></span></code></pre></div><p><strong>Generate</strong> — create related resources automatically. A common use: generate a <code>NetworkPolicy</code> every time a new namespace is created.</p> <h2 id="enforcement-vs-audit">Enforcement vs audit </h2><p>Policies run in <code>enforce</code> mode (block non-compliant resources) or <code>audit</code> mode (allow but report violations). Audit mode is the right starting point — understand your existing state before enforcing.</p> <h2 id="common-policies">Common policies </h2><p>The <a class="link" href="https://kyverno.io/policies/" target="_blank" rel="noopener" >Kyverno policy library</a> has ready-made policies for common requirements: disallow privileged containers, require image tags to not be <code>latest</code>, enforce resource limits, restrict hostPath mounts. Most teams start from the library and customise.</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://kyverno.io/docs/" target="_blank" rel="noopener" >Kyverno documentation</a></li> <li><a class="link" href="https://kyverno.io/policies/" target="_blank" rel="noopener" >Kyverno policy library</a></li> </ul>