Mutating Admission Policies — CEL-Based Policies, Webhook Alternatives

Tại Sao CEL Policies Quan Trọng

Webhooks provide flexibility nhưng come with overhead (network latency, complexity, reliability). CEL-based admission policies provide alternative: lightweight, local evaluation.

What is CEL?

Common Expression Language - simplistic expression syntax:

cel: 'object.spec.replicas < 100'
cel: 'has(object.metadata.labels.app)'
cel: 'object.metadata.name.startsWith("prod-")'

Mutating Admission Policies

Differences from Webhooks

Aspect	Webhook	CEL Policy
Execution	Remote HTTP call	Local, in-process
Latency	~10-100ms	~1-5ms
Language	Any (Go, Python, etc)	CEL only
Capability	Full code power	Limited to CEL syntax
Mutation	Full object modification	Structured patches
Debugging	Server logs	Policy details visible

Basic Example

yaml

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: pod-label-injector
spec:
  paramRef:
    name: pod-label-config
  matchConstraints:
    resourceRules:
    - resources: ["pods"]
      operations: ["CREATE"]
  mutations:
  - patchTemplate: |
      spec:
        labels:
          injected-timestamp: '{{ now }}'
  failurePolicy: ignore

CEL Expressions for Validation & Mutation

Validation Expression

yaml

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: pod-security
spec:
  validations:
  - expression: '!object.spec.securityContext.privileged || object.metadata.namespace == "system"'
    message: "Privileged pods only allowed in system namespace"
  
  - expression: 'object.spec.containers.all(c, c.image != null)'
    message: "All containers must specify image"
  
  - expression: 'object.metadata.labels.get("team", "") != ""'
    message: "Pods must have team label"

Mutation Expression

yaml

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: pod-defaults
spec:
  mutations:
  - patchTemplate: |
      metadata:
        labels:
          # Add default labels if missing
          app: {{ object.metadata.labels.get("app", "unknown") }}
          env: {{ object.metadata.labels.get("env", "dev") }}

Production Patterns

Pattern: Combining with Webhooks

yaml

# Use webhooks untuk complex logic
# Use CEL policies untuk simple rules

# CEL: Fast, lightweight validation
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: basic-checks
spec:
  validations:
  - expression: 'object.spec.replicas > 0'

# Webhook: Complex business logic
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
- name: complex-validation.example.com
  timeoutSeconds: 5

Reference Documentation

Kubernetes Admission Control Policies

Summary

CEL policies: Local, fast alternative tới webhooks
Tradeoff: Simpler syntax vs full programming language
Use case: Validation rules, simple mutations
Webhooks still needed: Complex transformations, external system calls

Mutating Admission Policies — CEL-Based Policies, Webhook Alternatives ​

Tại Sao CEL Policies Quan Trọng ​

What is CEL? ​

Mutating Admission Policies ​

Differences from Webhooks ​

Basic Example ​

CEL Expressions for Validation & Mutation ​

Validation Expression ​

Mutation Expression ​

Production Patterns ​

Pattern: Combining with Webhooks ​

Reference Documentation ​

Summary ​

Mutating Admission Policies — CEL-Based Policies, Webhook Alternatives

Tại Sao CEL Policies Quan Trọng

What is CEL?

Mutating Admission Policies

Differences from Webhooks

Basic Example

CEL Expressions for Validation & Mutation

Validation Expression

Mutation Expression

Production Patterns

Pattern: Combining with Webhooks

Reference Documentation

Summary