Kubernetes recently dubbed “Planternetes” with a large amount of enhancements, notably I’m covering some aspects of new releases in security features and Validating Admission Policies stood out to me. I’ve created a script using bash and kind with proper configuration for you to run this demo.
I’m running on Ubuntu you can use macOS or Windows
Requirements
- Kubernetes 1.28.0
- Docker Installed
- KinD Installed
- Kubectl Installed
- API Server with feature gate ValidationAdmissionPolicy set to true (./create-cluster.sh)
Start creation of KinD Cluster with configuration
git clone https://github.com/sn0rlaxlife/k8s-explored.git
chmod +x create-cluster.sh
./create-cluster.shAfter the cluster is spun up we can verify our configuration by running the kubectl dump command
We can see that the configuration following this YAML below
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments"]
validations:
- expression: "object.spec.replicas <= 5"We are declaring the Policy then we following with a binding
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "demo-binding-test.example.com"
spec:
policyName: "demo-policy.example.com"
validationActions: [Deny]
matchResources:
namespaceSelector:
matchLabels:
environment: test
So we can run a few commands and see if our policy allows
Validate Actions
Validate Actions represents in the ValidatingAdmissionPolicyBinding must specify one or more ValidateActions to specify/point to how the validations of a policy are enforced in the cluster. We are telling what actions would we like to enforce in a few ways that are added are the following Deny (If failure – results deny), Warn(Failure is reported), Audit(Failure is included in Audit Event).
The limitations at the moment appear to be not using Deny and Warn together providing example of using Deny and Audit together in YAML
validateActions: [Deny, Audit]For instance we can tailor this to use a binding shown below
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "replicalimit-binding-test.example.com"
spec:
policyName: "replicalimit-policy.example.com" #policy declared prior to binding
validationActions: [Deny] # the what we want
paramRef:
name: "replica-limit-test.example.com"
namespace: "default"
matchResources:
namespaceSelector:
matchLabels:
environment: production 
Prior to this I ran a “kubectl create deployment nginx –images=nginx:alpine –replicas=6 –dry-run=client -o yaml” – then edited values to include label that we were searching for
So we can see when we issue the command kubectl scale –replicas=10 rs/nginx<numbers> this won’t scale up as observed.
This should of populated a error message I’ll continue testing this out but this is going to really assist with validation inside our cluster and can also have native approach with great documentation further.
Summary
Policy as code in configuration is growing in the cloud native landscape and its welcomed to assist with the maturity of kubernetes community this is a welcomed addition I had to test immediately on release. This is one of many articles I’m going to expand on writing about the features how they can be leveraged in your day to day operations a good idea that came to mind was having this metric scraped in prometheus in a dashboard similar to Kyverno for visualization of failures on policies and logs aggregated for logs mapped correctly. Test out the new kubernetes with saving on cost by running locally or use killercoda sandbox its free for one hour to test this configuration.