Validating Admission Policies in Thalassa Cloud Kubernetes
Validating Admission Policies in Kubernetes provide a way to enforce security, compliance, and governance before workloads are created or modified. These policies are implemented as admission controllers that evaluate incoming API requests against predefined security rules before allowing or rejecting them.
Thalassa Cloud Kubernetes supports Validating Admission Policies to ensure clusters adhere to best practices, security standards, and organizational policies.
Capabilities of Validating Admission Policies
| Capability | Description |
|---|---|
| Security Enforcement | Ensures workloads comply with security policies before deployment. |
| Resource Validation | Prevents misconfigured Kubernetes resources from being created or updated. |
| Compliance Assurance | Enforces regulatory compliance by validating infrastructure configurations. |
| Prevent Unauthorized Actions | Blocks unauthorized modifications to sensitive Kubernetes objects. |
| Custom Policy Definition | Uses CEL (Common Expression Language) for defining flexible validation rules. |
| Failure Policy Handling | Determines whether requests should be rejected or allowed if validation fails. |
What is a Validating Admission Policy?
A Validating Admission Policy defines a set of rules that control what objects can be created, updated, or deleted in the cluster. These rules are enforced at the Kubernetes API level, allowing administrators to prevent misconfigurations and enforce compliance before resources are admitted into the cluster.
Unlike Mutating Admission Policies, which modify requests before they are persisted, Validating Admission Policies only evaluate and reject requests that do not comply with the defined policy.
Key Use Cases
Validating Admission Policies can be used to:
- Enforce security best practices (e.g., block running containers as root).
- Restrict resource quotas (e.g., prevent large CPU/memory requests).
- Control network configurations (e.g., require specific network policies).
- Ensure labeling and annotations for auditing and tracking.
- Validate image sources to restrict workloads to trusted registries.
Common Expression Language (CEL)
Validating Admission Policies in Kubernetes use Common Expression Language (CEL) to define validation rules. CEL is a simple and efficient language that enables policies to evaluate and enforce constraints on Kubernetes resources. It allows defining conditional checks without requiring complex scripting or external webhook services. See also.
Defining a Validating Admission Policy
A ValidatingAdmissionPolicy is defined as a Kubernetes resource. Below is an example policy that prevents workloads from running as root:
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
name: restrict-root-containers
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations: ["CREATE", "UPDATE"]
validations:
- expression: "!has(object.spec.securityContext.runAsUser) || object.spec.securityContext.runAsUser != 0"
message: "Running as root is not allowed. Set a non-root user."Explanation
failurePolicy: Fail→ Rejects the request if the validation cannot be evaluated.matchConstraints→ Defines which Kubernetes objects the policy applies to.validations.expression→ Uses CEL (Common Expression Language) to enforce rules.message→ Returns an error message when a request is denied.
Applying and Testing a Policy
To apply a Validating Admission Policy in your Thalassa Cloud Kubernetes cluster:
kubectl apply -f validating-admission-policy.yamlTesting Policy Enforcement
Try creating a non-compliant pod:
apiVersion: v1
kind: Pod
metadata:
name: insecure-pod
spec:
containers:
- name: test-container
image: busybox
securityContext:
runAsUser: 0 # Running as rootApply the pod and check if it is rejected:
kubectl apply -f pod.yamlExpected output:
Error: Running as root is not allowed. Set a non-root user.Managing and Updating Policies
To update a policy, edit the YAML file and reapply it using:
kubectl apply -f validating-admission-policy.yamlTo remove a policy:
kubectl delete validatingadmissionpolicy restrict-root-containersSummary
Validating Admission Policies in Thalassa Cloud Kubernetes help enforce security and compliance at the API level. They prevent misconfigurations, improve governance, and enhance cluster security by rejecting non-compliant resource definitions before they are created.
By defining policy-based controls, organizations can ensure consistent security enforcement across workloads and infrastructure.