Kubernetes v1.28.0 Validating Admission Policies

Kubernetes recently dubbed “Planternetes” with a large amount of enhancements, notably I’m covering some aspects of new releases in security features and Validating Admission Policies stood out to me. I’ve created a script using bash and kind with proper configuration for you to run this demo.

I’m running on Ubuntu you can use macOS or Windows

Requirements

  • Kubernetes 1.28.0
  • Docker Installed
  • KinD Installed
  • Kubectl Installed
  • API Server with feature gate ValidationAdmissionPolicy set to true (./create-cluster.sh)

Start creation of KinD Cluster with configuration

git clone https://github.com/sn0rlaxlife/k8s-explored.git
chmod +x create-cluster.sh
./create-cluster.sh

After the cluster is spun up we can verify our configuration by running the kubectl dump command

We can see that the configuration following this YAML below

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: "demo-policy.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.replicas <= 5"

We are declaring the Policy then we following with a binding

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "demo-binding-test.example.com"
spec:
  policyName: "demo-policy.example.com"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: test

So we can run a few commands and see if our policy allows

Validate Actions

Validate Actions represents in the ValidatingAdmissionPolicyBinding must specify one or more ValidateActions to specify/point to how the validations of a policy are enforced in the cluster. We are telling what actions would we like to enforce in a few ways that are added are the following Deny (If failure – results deny), Warn(Failure is reported), Audit(Failure is included in Audit Event).

The limitations at the moment appear to be not using Deny and Warn together providing example of using Deny and Audit together in YAML

validateActions: [Deny, Audit]

For instance we can tailor this to use a binding shown below

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "replicalimit-binding-test.example.com"
spec:
  policyName: "replicalimit-policy.example.com" #policy declared prior to binding
  validationActions: [Deny] # the what we want
  paramRef:
    name: "replica-limit-test.example.com"
    namespace: "default"
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: production 

Prior to this I ran a “kubectl create deployment nginx –images=nginx:alpine –replicas=6 –dry-run=client -o yaml” – then edited values to include label that we were searching for

So we can see when we issue the command kubectl scale –replicas=10 rs/nginx<numbers> this won’t scale up as observed.

This should of populated a error message I’ll continue testing this out but this is going to really assist with validation inside our cluster and can also have native approach with great documentation further.

Summary

Policy as code in configuration is growing in the cloud native landscape and its welcomed to assist with the maturity of kubernetes community this is a welcomed addition I had to test immediately on release. This is one of many articles I’m going to expand on writing about the features how they can be leveraged in your day to day operations a good idea that came to mind was having this metric scraped in prometheus in a dashboard similar to Kyverno for visualization of failures on policies and logs aggregated for logs mapped correctly. Test out the new kubernetes with saving on cost by running locally or use killercoda sandbox its free for one hour to test this configuration.