ValidatingAdmissionPolicy is a new Kubernetes admission plugin designed to manage access to Kubernetes resources. It validates which users, groups, or service accounts are allowed to perform specific actions (such as CREATE, DELETE, UPDATE, or CONNECT) on various Kubernetes resources.
It helps reduce malicious activity within the Kubernetes cluster and improves overall security. Acting as a gatekeeper in front of Kubernetes resources, it ensures that only authenticated and authorized requests are allowed to perform actions on the cluster.
Validating admission policies use the Common Expression Language (CEL) to declare the validation rules of a policy.
When a request reaches the API server to create or modify Kubernetes resources, the validating admission stage (webhooks and policies) intercepts it to reject unauthorized or invalid requests before they are persisted. The image below illustrates the detailed flow of the Kubernetes API server.
Let’s see why we might need to use a Validating Admission Policy in our Kubernetes cluster.
Use case: We want only the DevOps group to have permission to create, update, or delete ArgoCD custom resources (argocds), while preventing other groups in the cluster from performing these actions.
One practical way to achieve this is by creating a ValidatingAdmissionPolicy resource and a ValidatingAdmissionPolicyBinding resource. Both are cluster-scoped, so they are not created inside a namespace.
Below is a sample Validating Admission Policy:
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  # cluster-scoped resource: no namespace field
  name: check-argocds-operation
spec:
  matchConstraints:
    resourceRules:
      - apiGroups:
          - "argoproj.io"
        apiVersions:
          - "v1alpha1"
        operations:
          - "CREATE"
          - "UPDATE"
          - "DELETE"
        resources:
          - "argocds"
  failurePolicy: Fail
  variables:
    - name: requestedUsername
      expression: 'request.userInfo.username'
  validations:
    - expression: '("devops-group" in request.userInfo.groups) || (request.userInfo.username == "system:serviceaccount:openshift-gitops-operator:openshift-gitops-operator-controller-manager")'
      # messageExpression must evaluate to a string; it is shown to the requester when the validation fails
      messageExpression: '"user " + variables.requestedUsername + " is not allowed to modify argocds resources"'
```
Explanation of the YAML Sample
Here’s a brief explanation of the YAML manifest I created:
- resourceRules: This is one of the most important parts of the manifest. You must define the apiGroups and apiVersions of your target resource. (For more details about Kubernetes components, refer to the official Kubernetes documentation.)
- operations: Specifies which actions (e.g., CREATE, UPDATE, DELETE) should trigger validation.
- resources: Defines which Kubernetes resources the policy applies to. In this example, the resource is argocds, which we want to validate.
- failurePolicy (optional): Determines what happens when the policy itself cannot be evaluated (for example, a CEL runtime error or a type-check error in an expression). Options include:
  - Fail: Reject the request.
  - Ignore: Allow the request to proceed, skipping the policy's validation.
- variables (optional): You can define variables to use in the messageExpression. This helps display clearer messages for users who don’t have permission to perform certain actions. It’s also useful for debugging the contents of your request object.
- validations: Contains the list of validation expressions. In this example, the policy checks the requester’s username and group. The expression used here was tested on OpenShift.
The messageExpression defined earlier is used to display a clear message to users who lack sufficient permissions to act.
Finally, to apply the policy to the cluster, we need to create a ValidatingAdmissionPolicyBinding object. The YAML example below demonstrates how to use it.
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: argocds-operation-validating-binding
spec:
  policyName: check-argocds-operation
  validationActions:
    - "Deny"   # other options: Warn, Audit
```
validationActions: If a validation expression (defined in the ValidatingAdmissionPolicy) evaluates to false, the user does not have sufficient permissions to apply the specified action. In this example, the Deny action rejects the request, so the user cannot perform the operation on the cluster. Warn admits the request but returns a warning to the client, and Audit admits it and records the failure in the audit log; the three can be combined.
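The following is an added simulation, not Kubernetes code and not part of the original post, of the decision path the policy and binding above take for a request: matchConstraints first decides whether the policy applies, then the validation runs, failurePolicy decides what an evaluation error means, and validationActions decides whether a failed validation denies, warns, or only audits. The CEL expression from the policy is re-implemented by hand in Python, the request shape and the audit annotation key are constructed for the example, and the failurePolicy handling is a simplified model of the real behaviour.

```python
# Added example: Python simulation of a ValidatingAdmissionPolicy + binding decision.
# The policy/binding dictionaries mirror the manifests in the post; the request
# objects below are constructed inputs, not real AdmissionReview payloads.

# The policy from the post, reduced to the fields the simulation needs.
POLICY = {
    "name": "check-argocds-operation",
    "matchConstraints": {
        "resourceRules": [{
            "apiGroups": ["argoproj.io"],
            "apiVersions": ["v1alpha1"],
            "operations": ["CREATE", "UPDATE", "DELETE"],
            "resources": ["argocds"],
        }]
    },
    "failurePolicy": "Fail",   # or "Ignore"
}

# The binding from the post; validationActions may hold Deny, Warn and/or Audit.
BINDING = {"policyName": "check-argocds-operation", "validationActions": ["Deny"]}

OPERATOR_SA = ("system:serviceaccount:openshift-gitops-operator:"
               "openshift-gitops-operator-controller-manager")


def make_request(username, groups, operation, resource,
                 group="argoproj.io", version="v1alpha1"):
    """Build a constructed admission request in the shape the simulation reads."""
    return {
        "operation": operation,
        "resource": {"group": group, "version": version, "resource": resource},
        "userInfo": {"username": username, "groups": list(groups)},
    }


def matches(policy, request):
    """True if any resourceRule of matchConstraints covers the request."""
    res = request["resource"]
    for rule in policy["matchConstraints"]["resourceRules"]:
        if (res["group"] in rule["apiGroups"]
                and res["version"] in rule["apiVersions"]
                and res["resource"] in rule["resources"]
                and request["operation"] in rule["operations"]):
            return True
    return False


def validation(request):
    """Python equivalent of the post's CEL expression. A malformed request
    raises, which stands in for a CEL runtime error in this simulation."""
    user = request["userInfo"]
    return ("devops-group" in user["groups"]) or user["username"] == OPERATOR_SA


def admit(request, policy=POLICY, binding=BINDING):
    """Return (allowed, warnings, audit_annotations) for one request."""
    if not matches(policy, request):
        return True, [], {}          # policy does not apply to this request
    try:
        passed = validation(request)
    except (KeyError, TypeError):
        # Expression error: failurePolicy decides. Ignore admits the request;
        # Fail treats the error as a failed validation (simplified model).
        if policy["failurePolicy"] == "Ignore":
            return True, [], {}
        passed = False
    if passed:
        return True, [], {}
    # Stand-in for messageExpression: the username comes from the request.
    username = request.get("userInfo", {}).get("username", "<unknown>")
    message = f"user {username} is not allowed to {request['operation']} argocds"
    actions = binding["validationActions"]
    allowed = "Deny" not in actions               # Warn/Audit alone still admit
    warnings = [message] if "Warn" in actions else []
    # Constructed annotation key; the real key Kubernetes writes is not modelled here.
    audit = {f"{policy['name']}/validation_failure": message} if "Audit" in actions else {}
    return allowed, warnings, audit


if __name__ == "__main__":
    print(admit(make_request("alice", ["devops-group"], "CREATE", "argocds")))
    print(admit(make_request("bob", ["dev-team"], "DELETE", "argocds")))
    print(admit(make_request("bob", ["dev-team"], "DELETE", "argocds"),
                binding={"policyName": "check-argocds-operation",
                         "validationActions": ["Warn", "Audit"]}))
```

The same cases can be exercised against a real cluster, without creating anything, by combining kubectl impersonation (`--as` and `--as-group`) with `--dry-run=server`, since validating admission runs during a server-side dry run; a request from a non-DevOps user should then come back with the policy's message.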
Summary
ValidatingAdmissionPolicies in Kubernetes control access to cluster resources by determining which users, groups, or service accounts can perform actions. They act as a gatekeeper, reducing malicious activity and ensuring that only authenticated and authorized requests are allowed. We discussed the ValidatingAdmissionPolicy plugin and explored an example demonstrating its usage in a Kubernetes cluster. To enforce the policy across the cluster, it is necessary to create a ValidatingAdmissionPolicyBinding resource.