
# Kubernetes VAP

> Native Kubernetes ValidatingAdmissionPolicies with CEL

## Overview

Kubernetes ValidatingAdmissionPolicies (VAP) provide native admission control using CEL (Common Expression Language) expressions. Alpha in Kubernetes 1.26, beta in 1.28, and GA since 1.30, they are evaluated in-process by the API server, so resources are validated without an external webhook or controller in the request path.

## Capabilities

* Native K8s admission control (no external controllers needed)
* CEL expressions for policy logic
* Parameter resources for reusable, configurable policies
* Audit and enforce modes

## Limitations

* Requires Kubernetes 1.30+ for stable/GA support (alpha in 1.26, beta in 1.28)
* Only applicable to Kubernetes workloads -- check out [Semgrep](/integrations/guardrails/semgrep) or [CodeQL](/integrations/guardrails/codeql) for application source code, or [Checkov](/integrations/guardrails/checkov) for IaC static analysis
* CEL is less expressive than Rego for complex logic -- check out [OPA Gatekeeper](/integrations/guardrails/gatekeeper) if you need full Rego expressiveness

## Generated Format

* **Language:** YAML (with CEL expressions)
* **Structure:** `ValidatingAdmissionPolicy` and `ValidatingAdmissionPolicyBinding` resources
* **Execution:** Applied to a K8s cluster via `kubectl apply`

## Example Guardrail

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-non-root
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    - expression: "object.spec.containers.all(c, has(c.securityContext) && has(c.securityContext.runAsNonRoot) && c.securityContext.runAsNonRoot == true)"
      message: "All containers must set securityContext.runAsNonRoot to true"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-non-root-binding
spec:
  policyName: require-non-root
  validationActions:
    - Deny
```
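
The guardrail above checks only `spec.containers` at the container level: a pod that sets `spec.securityContext.runAsNonRoot: true` and leaves the containers unset is rejected, and init containers are never inspected. The following added example (not part of the original page or of Zenable's generated output) shows the remaining capabilities listed earlier, a parameter resource and audit mode, while closing those gaps. It uses `variables` to compute the effective non-root setting for every container (container-level value if present, otherwise the pod-level one), reads an exemption list from a `ConfigMap` via `paramKind`/`paramRef`, and binds the policy in `Audit` plus `Warn` mode so failures are recorded and surfaced before enforcement is switched to `Deny`. The policy name, ConfigMap name, the `policy-system` namespace, and the `exemptNamespaces` key are all constructed for this example.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-non-root-params   # constructed name, not a page default
spec:
  failurePolicy: Fail
  # A ConfigMap supplies per-binding settings (see the binding's paramRef).
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Every container the pod will run: app containers plus init containers.
    - name: allContainers
      expression: >-
        object.spec.containers
        + (has(object.spec.initContainers) ? object.spec.initContainers : [])
    # Pod-level default that applies when a container does not override it.
    - name: podNonRoot
      expression: >-
        has(object.spec.securityContext)
        && has(object.spec.securityContext.runAsNonRoot)
        && object.spec.securityContext.runAsNonRoot == true
    # Comma-separated namespace allow-list from the ConfigMap's data map
    # (key name is an assumption of this example).
    - name: exemptNamespaces
      expression: >-
        has(params.data) && 'exemptNamespaces' in params.data
        ? params.data['exemptNamespaces'].split(',') : []
    # Containers whose effective runAsNonRoot is not true.
    - name: offenders
      expression: >-
        variables.allContainers.filter(c,
          !((has(c.securityContext) && has(c.securityContext.runAsNonRoot))
            ? c.securityContext.runAsNonRoot == true
            : variables.podNonRoot))
  validations:
    - expression: >-
        request.namespace in variables.exemptNamespaces
        || variables.offenders.size() == 0
      messageExpression: >-
        'containers must run as non-root (pod-level or container-level runAsNonRoot); offending: '
        + variables.offenders.map(c, c.name).join(', ')
      reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-non-root-params-audit
spec:
  policyName: require-non-root-params
  paramRef:
    name: non-root-policy-params      # constructed ConfigMap name
    namespace: policy-system          # constructed namespace
    parameterNotFoundAction: Deny     # fail closed if the ConfigMap is missing
  # Audit records the failure in the API server audit log and Warn returns it
  # to the client; replace both with Deny to enforce.
  validationActions:
    - Audit
    - Warn
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: non-root-policy-params
  namespace: policy-system
data:
  exemptNamespaces: "kube-system,monitoring"   # constructed allow-list
```

Apply all three resources with `kubectl apply -f`, then create a test pod in a non-exempt namespace without any `runAsNonRoot` setting: the request is admitted, the client receives the warning from `messageExpression`, and the audit event carries a `validation.policy.admission.k8s.io/validation_failure` annotation. Once the audit log shows no unexpected failures, change `validationActions` to `Deny` to start rejecting the request. Because `parameterNotFoundAction` is `Deny`, deleting the ConfigMap causes the policy to reject matched pods rather than silently skipping the exemption check.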

Learn more at [Kubernetes ValidatingAdmissionPolicy documentation](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) and [CEL language spec](https://github.com/google/cel-spec).
