Kubernetes VAP

Documentation Index

Fetch the complete documentation index at: https://docs.zenable.io/llms.txt

Use this file to discover all available pages before exploring further.

​

Overview

​

Capabilities

• Native K8s admission control (no external controllers needed)
• CEL expressions for policy logic
• Parameter resources for reusable, configurable policies
• Audit and enforce modes

​

Limitations

• Requires Kubernetes 1.30+ for stable/GA support (alpha in 1.26, beta in 1.28)
• Only applicable to Kubernetes workloads — check out Semgrep or CodeQL for application source code, or Checkov for IaC static analysis
• CEL is less expressive than Rego for complex logic — check out OPA Gatekeeper if you need full Rego expressiveness

​

Generated Format

• Language: YAML (with CEL expressions)
• Structure: ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources
• Execution: Applied to a K8s cluster via kubectl apply

​

Example Guardrail

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-non-root
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    - expression: "object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == true)"
      message: "All containers must set securityContext.runAsNonRoot to true"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-non-root-binding
spec:
  policyName: require-non-root
  validationActions:
    - Deny