This policy is a meta-policy that runs CEL expressions against Kubernetes resources. A meta-policy is a policy that is configured through its settings and does not need to be recompiled to change its behavior; it acts as a DSL.
The settings of the policy follow the ValidatingAdmissionPolicy Kubernetes resource; please refer to writing a policy for more information on which fields are supported. Under the hood, the policy uses CEL and the Kubernetes CEL libraries, so the same CEL syntax and functions that are available in Kubernetes can be used.
Both the validations and the variables fields are supported.
The policy provides the following variables:
- request: the admission request
- object: the Kubernetes resource being validated
- oldObject: the Kubernetes resource before the update, nil if the request is not an update
- namespaceObject: the namespace of the resource being validated
The policy evaluates the request as allowed only if all the CEL validation expressions evaluate to true.
Each validation expression must evaluate to a boolean; otherwise the policy will not pass the settings validation phase.
A message or a messageExpression can be specified to provide a custom message when a validation evaluates to false.
The messageExpression is evaluated as a CEL expression, and its result is used as the message.
The message expression must evaluate to a string; otherwise the policy will not pass the settings validation phase.
For more information about variables and validation expressions, please refer to the ValidatingAdmissionPolicy Kubernetes resource.
Given the following ValidatingAdmissionPolicy:
```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: "demo-policy.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["deployments"]
  variables:
  - name: replicas
    expression: "object.spec.replicas"
  validations:
  - expression: "variables.replicas <= 5"
    message: "The number of replicas must be less than or equal to 5"
```
the Kubewarden CEL policy can be written as follows:
```yaml
apiVersion: policies.kubewarden.io/v1
kind: AdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: Resource validation
    io.kubewarden.policy.severity: low
  name: "demo-policy.example.com"
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  settings:
    variables:
    - name: "replicas"
      expression: "object.spec.replicas"
    validations:
    - expression: "variables.replicas <= 5"
      message: "The number of replicas must be less than or equal to 5"
  rules:
  - apiGroups: ["apps"]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["deployments"]
  mutating: false
  backgroundAudit: false
```
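The mapping above is mechanical: matchConstraints.resourceRules becomes rules, and variables plus validations move under settings. The following script is an added example, not part of the Kubewarden project or this page; it performs that translation for any ValidatingAdmissionPolicy and, before the manifest is applied, checks the shape of the resulting settings (every variable has a name and an expression, every validation has an expression, and every `variables.<name>` reference resolves to a defined variable). The CEL type rules the text describes (validation expressions must be boolean, messageExpression must be a string) are enforced by the policy itself at settings-validation time and are not checked here. The sample ValidatingAdmissionPolicy is the one from the text, embedded as a constructed dict so the script runs offline; the function names are this example's own.

```python
"""Translate a Kubernetes ValidatingAdmissionPolicy into the settings of the
Kubewarden cel-policy and sanity-check the settings' shape before deploying."""
import json
import re
from typing import Any

# Constructed sample: the ValidatingAdmissionPolicy shown in the text above.
SAMPLE_VAP: dict[str, Any] = {
    "apiVersion": "admissionregistration.k8s.io/v1beta1",
    "kind": "ValidatingAdmissionPolicy",
    "metadata": {"name": "demo-policy.example.com"},
    "spec": {
        "failurePolicy": "Fail",
        "matchConstraints": {
            "resourceRules": [
                {"apiGroups": ["apps"], "apiVersions": ["v1"],
                 "operations": ["CREATE", "UPDATE"], "resources": ["deployments"]}
            ]
        },
        "variables": [{"name": "replicas", "expression": "object.spec.replicas"}],
        "validations": [{
            "expression": "variables.replicas <= 5",
            "message": "The number of replicas must be less than or equal to 5",
        }],
    },
}

CEL_POLICY_MODULE = "registry://ghcr.io/kubewarden/policies/cel-policy:latest"
RULE_KEYS = ("apiGroups", "apiVersions", "operations", "resources")
VALIDATION_KEYS = ("expression", "message", "messageExpression")
# Matches `variables.<name>` references inside a CEL expression.
VARIABLE_REF = re.compile(r"\bvariables\.([A-Za-z_][A-Za-z0-9_]*)")


def vap_to_kubewarden(vap: dict[str, Any], namespaced: bool = True) -> dict[str, Any]:
    """Build a Kubewarden (Cluster)AdmissionPolicy that runs the cel-policy
    with the variables and validations of the given ValidatingAdmissionPolicy."""
    spec = vap["spec"]
    rules = [{k: r[k] for k in RULE_KEYS if k in r}
             for r in spec.get("matchConstraints", {}).get("resourceRules", [])]
    settings: dict[str, Any] = {}
    if spec.get("variables"):
        settings["variables"] = [{"name": v["name"], "expression": v["expression"]}
                                 for v in spec["variables"]]
    # Only the fields the text lists as supported are carried over.
    settings["validations"] = [{k: v[k] for k in VALIDATION_KEYS if k in v}
                               for v in spec.get("validations", [])]
    return {
        "apiVersion": "policies.kubewarden.io/v1",
        "kind": "AdmissionPolicy" if namespaced else "ClusterAdmissionPolicy",
        "metadata": {"name": vap["metadata"]["name"]},
        "spec": {
            "module": CEL_POLICY_MODULE,
            "settings": settings,
            "rules": rules,
            "mutating": False,        # the cel-policy only validates
            "backgroundAudit": False,
        },
    }


def check_settings(settings: dict[str, Any]) -> list[str]:
    """Return the structural problems found in cel-policy settings (empty if none).
    CEL type checking is left to the policy's own settings validation."""
    problems: list[str] = []
    defined: set[str] = set()
    for i, var in enumerate(settings.get("variables", [])):
        if not var.get("name") or not var.get("expression"):
            problems.append(f"variables[{i}]: both 'name' and 'expression' are required")
        else:
            defined.add(var["name"])
    validations = settings.get("validations", [])
    if not validations:
        problems.append("at least one validation is required")
    for i, val in enumerate(validations):
        expr = val.get("expression")
        if not expr:
            problems.append(f"validations[{i}]: 'expression' is required")
            continue
        referenced = VARIABLE_REF.findall(expr + " " + val.get("messageExpression", ""))
        for name in referenced:
            if name not in defined:
                problems.append(f"validations[{i}]: references undefined variable '{name}'")
    return problems


if __name__ == "__main__":
    policy = vap_to_kubewarden(SAMPLE_VAP)
    issues = check_settings(policy["spec"]["settings"])
    print(json.dumps(policy, indent=2))
    print("settings problems:", issues or "none")
```

A typical use is to run the conversion, pipe the JSON output through a YAML converter of your choice, and only apply the manifest when check_settings returns no problems; a validation that references an undefined variable would otherwise be rejected by the policy at load time rather than by the manifest author.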
Kubewarden's host capabilities can be accessed through CEL extension libraries available in the policy environment.
The following host capabilities are available:
| Capability | Description | Documentation |
|---|---|---|
| kubernetes | Access to Kubernetes resources in the cluster | Kubernetes |
| sigstore | Sigstore (secure supply chain) support | Sigstore |
| oci | Interact with container registries | OCI |
| crypto | Host-side cryptographic functions | Crypto |
| net | Network operations | Net |
At the moment the policy does not support the following Kubernetes extensions: