Overview

Kubernetes ValidatingAdmissionPolicies (VAP) provide native admission control using CEL (Common Expression Language) expressions. Alpha in Kubernetes 1.26, beta in 1.28, and GA since 1.30, they validate resources without external webhook dependencies.

Capabilities

  • Native K8s admission control (no external controllers needed)
  • CEL expressions for policy logic
  • Parameter resources for reusable, configurable policies
  • Audit and enforce modes

Limitations

  • Requires Kubernetes 1.30+ for stable/GA support (alpha in 1.26, beta in 1.28)
  • Only applicable to Kubernetes workloads — check out Semgrep or CodeQL for application source code, or Checkov for IaC static analysis
  • CEL is less expressive than Rego for complex logic — check out OPA Gatekeeper if you need full Rego expressiveness

Generated Format

  • Language: YAML (with CEL expressions)
  • Structure: ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources
  • Execution: Applied to a K8s cluster via kubectl apply

Example Guardrail

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-non-root
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    - expression: "object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == true)"
      message: "All containers must set securityContext.runAsNonRoot to true"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-non-root-binding
spec:
  policyName: require-non-root
  validationActions:
    - Deny
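The capabilities list above mentions parameter resources and an audit mode, and the example checks only `spec.containers`. The following added example (not from this page or from Kubernetes documentation) extends that policy to initContainers and the pod-level `securityContext` fallback, reads an exempt image prefix from a ConfigMap parameter, and binds it in Audit/Warn mode; the ConfigMap name `non-root-params`, its namespace `policy` and its key `exemptImagePrefix` are assumptions.

```yaml
# Added example: parameterized, audited variant of the require-non-root policy.
# Assumes ConfigMap policy/non-root-params carries key "exemptImagePrefix".
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-non-root-audited
spec:
  failurePolicy: Fail
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Pod-level runAsNonRoot applies to every container that does not override it.
    - name: podNonRoot
      expression: >-
        has(object.spec.securityContext) &&
        has(object.spec.securityContext.runAsNonRoot) &&
        object.spec.securityContext.runAsNonRoot
    # initContainers run in the pod too; the page's example does not check them.
    - name: allContainers
      expression: >-
        object.spec.containers +
        (has(object.spec.initContainers) ? object.spec.initContainers : [])
  validations:
    - expression: >-
        variables.allContainers.all(c,
          c.image.startsWith(params.data.exemptImagePrefix) ||
          ((has(c.securityContext) && has(c.securityContext.runAsNonRoot))
            ? c.securityContext.runAsNonRoot : variables.podNonRoot))
      message: "All containers (including initContainers) must run as non-root"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-non-root-audited-binding
spec:
  policyName: require-non-root-audited
  paramRef:
    name: non-root-params
    namespace: policy
    parameterNotFoundAction: Deny
  # Audit records the failure in the API server audit log; Warn returns it to the client.
  validationActions: [Audit, Warn]
```

With these actions a violating pod is still admitted, so the policy can be trialled against live traffic before the binding is switched to Deny.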

Learn more at Kubernetes ValidatingAdmissionPolicy documentation and CEL language spec.