Kubernetes 1.26: Revolutionary Validation Policies for Admissions
ayedo editorial team, 2 minute read


Discover the new Validating Admission Policies in Kubernetes 1.26 and streamline your development processes.
Tags: kubernetes, kubernetes-news

In Kubernetes 1.26, the first alpha version of Validating Admission Policies is available! These new policies use the Common Expression Language (CEL) and offer a declarative, in-process alternative to the existing validating admission webhooks.

CEL was originally introduced in Kubernetes for validation rules in CustomResourceDefinitions. This extension significantly broadens the use of CEL and supports a much wider range of admission use cases.

What specifically changes for developers/DevOps teams?

Admission webhooks can pose a significant challenge for developers and DevOps teams: they not only have to implement and maintain the webhook binary but also keep it available at all times. If a webhook times out or is unreachable, the Kubernetes control plane can fail. With the new Validating Admission Policies, this process is greatly simplified: the CEL expressions are embedded directly in Kubernetes resources and evaluated by the kube-apiserver itself, so there is no extra service to run and keep reachable.

Practical examples or use cases

A simple example to restrict the number of replicas in a deployment could look like this:

apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: "demo-policy.example.com"
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.replicas <= 5"

Here, the expression field holds the CEL expression that is evaluated against each matching admission request; matchConstraints specifies which kinds of requests this ValidatingAdmissionPolicy can validate.

To bind the policy to the appropriate resources, we use:

apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "demo-binding-test.example.com"
spec:
  policyName: "demo-policy.example.com"
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: environment
        operator: In
        values:
        - test

This ValidatingAdmissionPolicyBinding resource binds the policy above only to namespaces where the label environment is set to test. Once this binding is created, the kube-apiserver starts enforcing the admission policy.

Another advantage of these new policies is their configurability: policy authors can define parameters and adjust the scope of a policy as needed. For example, the admission policy above can be modified as follows:

apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: "demo-policy.example.com"
spec:
  paramKind:
    apiVersion: rules.example.com/v1 # You also need a CustomResourceDefinition for this API
    kind: ReplicaLimit
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.replicas <= params.maxReplicas"

Here, paramKind names the resource kind that carries the policy's configuration, and the expression reads that parameter object through the params variable.
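Before the kube-apiserver can enforce the parameterized policy above, three more pieces are needed: the CustomResourceDefinition that the comment on paramKind refers to, a parameter object of that kind, and a binding that points at it through paramRef (the field the 1.26 v1alpha1 binding uses for this). The manifests below are an added example and are not part of the original article; the CRD schema, the parameter name demo-params-test.example.com, the demo-test namespace and the sample Deployment are constructed here, while the policy and binding names are the ones used in the article. In 1.26 the alpha API is disabled by default, so the kube-apiserver must be started with --feature-gates=ValidatingAdmissionPolicy=true and --runtime-config=admissionregistration.k8s.io/v1alpha1=true before any of these objects are accepted.

```yaml
# Added example (not from the article): the objects the parameterized
# policy above still needs before kube-apiserver can enforce it.
# The CRD schema, demo-params-test.example.com, the demo-test namespace
# and the Deployment are constructed; policy/binding names match the article.
---
# 1. The CustomResourceDefinition that paramKind (rules.example.com/v1,
#    ReplicaLimit) refers to. Cluster-scoped, so the binding can
#    reference a parameter object by name alone.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: replicalimits.rules.example.com
spec:
  group: rules.example.com
  scope: Cluster
  names:
    plural: replicalimits
    singular: replicalimit
    kind: ReplicaLimit
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        required: ["maxReplicas"]
        properties:
          maxReplicas:
            type: integer
            minimum: 1
---
# 2. A parameter object. The policy's CEL expression reads this value
#    as params.maxReplicas.
apiVersion: rules.example.com/v1
kind: ReplicaLimit
metadata:
  name: demo-params-test.example.com
maxReplicas: 3
---
# 3. The binding from the article, extended with paramRef so the policy
#    knows which ReplicaLimit object to evaluate against.
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: demo-binding-test.example.com
spec:
  policyName: demo-policy.example.com
  paramRef:
    name: demo-params-test.example.com
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: environment
        operator: In
        values:
        - test
---
# 4. A namespace the binding selects (label environment=test).
apiVersion: v1
kind: Namespace
metadata:
  name: demo-test
  labels:
    environment: test
---
# 5. A Deployment that violates the limit: 6 replicas > maxReplicas 3.
#    kube-apiserver denies CREATE and UPDATE of this object in demo-test.
#    The same manifest in a namespace without environment=test is not
#    checked at all, because no binding selects that namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: too-many-replicas
  namespace: demo-test
spec:
  replicas: 6
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
      - name: web
        image: registry.example.invalid/demo:1.0 # placeholder image
```

Apply the documents in order: the CRD has to be established before the ReplicaLimit object is accepted, and the policy from the article must exist before the binding is useful. To check the policy without changing the cluster, submit the Deployment with kubectl apply --dry-run=server -f; the request is denied and the error names the policy and the failed expression. Lowering replicas to 3 or raising maxReplicas in the ReplicaLimit object makes the same request pass, which shows that the limit is now changed by editing a parameter object rather than the policy itself.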

With this new functionality, managing admission policies in Kubernetes becomes not only easier but also more flexible, which is particularly beneficial for cluster administrators. ayedo is proud to be a Kubernetes partner and to help you make the most of these new features.


Source: Kubernetes Blog
