This is unreleased documentation for Admission Controller 1.30-next.
ValidatingAdmissionPolicy migration
Starting with Kubernetes v1.26, ValidatingAdmissionPolicy (VAP) provides a way to write custom admission policies directly in Kubernetes. Policies are written in the Common Expression Language (CEL) with Kubernetes-specific extensions. ValidatingAdmissionPolicy reached stability (GA) in Kubernetes v1.30.
SUSE Security Admission Controller provides a CEL policy that can run Kubernetes VAP policies without modification. You can read more about the CEL policy in this section of Admission Controller's documentation; that section also explains the benefits of running VAP policies through Admission Controller.
This guide explains how to use the kwctl tool to migrate a VAP policy, together with its binding, to Admission Controller.
Migration steps
You must use
Given a file containing this YAML definition of a ValidatingAdmissionPolicy:
ValidatingAdmissionPolicy definition (vap.yml)

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "force-liveness-probe"
spec:
  failurePolicy: Fail
  variables:
    - name: containers_without_liveness_probe
      expression: |
        object.spec.template.spec.containers.filter(c, !has(c.livenessProbe)).map(c, c.name)
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    - expression: |
        size(variables.containers_without_liveness_probe) == 0
      messageExpression: |
        'These containers are missing a liveness probe: ' + variables.containers_without_liveness_probe.join(' ')
      reason: Invalid
```
And a file containing the ValidatingAdmissionPolicyBinding resource:
ValidatingAdmissionPolicyBinding definition (vap-binding.yml)

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "kw-scaffold-demo"
spec:
  policyName: "force-liveness-probe"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        docs.kubewarden.io/vap-migration: enabled
```
You can migrate the policy to Admission Controller by following these steps:
kwctl command for policy migration

```shell
$ kwctl scaffold vap \
    -p vap.yml \
    -b vap-binding.yml
```
The command produces output similar to this:
Output from the migration

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: kw-scaffold-demo
spec:
  module: ghcr.io/kubewarden/policies/cel-policy:latest
  settings:
    failurePolicy: Fail
    variables:
      - expression: |
          object.spec.template.spec.containers.filter(c, !has(c.livenessProbe)).map(c, c.name)
        name: containers_without_liveness_probe
    validations:
      - expression: |
          size(variables.containers_without_liveness_probe) == 0
        messageExpression: |
          'These containers are missing a liveness probe: ' + variables.containers_without_liveness_probe.join(' ')
        reason: Invalid
  rules:
    - apiGroups:
        - apps
      apiVersions:
        - v1
      resources:
        - deployments
      operations:
        - CREATE
        - UPDATE
  mutating: false
  namespaceSelector:
    matchLabels:
      docs.kubewarden.io/vap-migration: enabled
```
The command warns the user about the usage of the `latest` tag for the policy module.
It's recommended to use a specific version to avoid breaking changes: `latest` is a mutable tag, so the policy code that actually runs in the cluster can change without any change to the ClusterAdmissionPolicy manifest. Pinning to a specific tag, or to an image digest, keeps the deployed policy reproducible. You can do this using the
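As an added example (it is not part of kwctl or of this page's original content), the following Python script reproduces the field mapping visible in the output above on the same two manifests, embedded as constructed Python dicts, so the correspondence between a VAP plus its binding and a ClusterAdmissionPolicy can be inspected offline. It also flags an unpinned module reference, mirroring the warning kwctl prints. The function names, the pinning heuristic, and the list of inputs it refuses (parameterised policies, bindings with actions other than `[Deny]`) are this example's own, not kwctl behaviour.

```python
"""Added example (not kwctl's own code): reproduce the field mapping that
kwctl scaffold vap performs on the manifests above, so the correspondence
between a ValidatingAdmissionPolicy plus binding and a ClusterAdmissionPolicy
can be inspected offline. Only the fields used on this page are handled."""

try:
    import yaml  # PyYAML; optional, only used to print the result
except ImportError:
    yaml = None

# Constructed input: the VAP and binding from this page, as Python dicts.
LIVENESS_EXPR = ("object.spec.template.spec.containers"
                 ".filter(c, !has(c.livenessProbe)).map(c, c.name)")
VAP = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingAdmissionPolicy",
    "metadata": {"name": "force-liveness-probe"},
    "spec": {
        "failurePolicy": "Fail",
        "variables": [{"name": "containers_without_liveness_probe",
                       "expression": LIVENESS_EXPR}],
        "matchConstraints": {"resourceRules": [{
            "apiGroups": ["apps"], "apiVersions": ["v1"],
            "operations": ["CREATE", "UPDATE"], "resources": ["deployments"]}]},
        "validations": [{
            "expression": "size(variables.containers_without_liveness_probe) == 0",
            "messageExpression": ("'These containers are missing a liveness probe: ' "
                                  "+ variables.containers_without_liveness_probe.join(' ')"),
            "reason": "Invalid"}],
    },
}
BINDING = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingAdmissionPolicyBinding",
    "metadata": {"name": "kw-scaffold-demo"},
    "spec": {
        "policyName": "force-liveness-probe",
        "validationActions": ["Deny"],
        "matchResources": {"namespaceSelector": {
            "matchLabels": {"docs.kubewarden.io/vap-migration": "enabled"}}},
    },
}


def module_pinning_warnings(module):
    """Flag a module reference that is not pinned (heuristic of this example):
    a mutable tag such as 'latest' lets the policy code running in the cluster
    change without any change to the manifest. A digest (@sha256:...) or a
    specific tag is accepted."""
    if "@sha256:" in module:
        return []
    last = module.rsplit("/", 1)[-1]
    if ":" not in last or last.endswith(":latest"):
        return [f"module {module!r} is not pinned; use a specific tag or a digest"]
    return []


def vap_to_cluster_admission_policy(vap, binding, module):
    """Return (ClusterAdmissionPolicy dict, warnings). Refuses inputs that this
    small converter does not model: parameterised policies, bindings with
    actions other than [Deny], or a binding that names a different policy."""
    if vap.get("kind") != "ValidatingAdmissionPolicy":
        raise ValueError("first document must be a ValidatingAdmissionPolicy")
    if binding.get("kind") != "ValidatingAdmissionPolicyBinding":
        raise ValueError("second document must be a ValidatingAdmissionPolicyBinding")
    spec, bspec = vap["spec"], binding["spec"]
    if bspec.get("policyName") != vap["metadata"]["name"]:
        raise ValueError("binding.spec.policyName does not match the policy name")
    if bspec.get("validationActions") != ["Deny"]:
        raise ValueError("only validationActions: [Deny] is handled here")
    if "paramKind" in spec or "paramRef" in bspec:
        raise ValueError("parameterised policies are not handled here")

    # VAP resourceRules and Kubewarden rules use the same field names.
    rules = [{"apiGroups": r["apiGroups"], "apiVersions": r["apiVersions"],
              "resources": r["resources"], "operations": r["operations"]}
             for r in spec["matchConstraints"]["resourceRules"]]
    # CEL content moves verbatim into the cel-policy settings.
    settings = {
        "failurePolicy": spec.get("failurePolicy", "Fail"),
        "variables": [{"expression": v["expression"], "name": v["name"]}
                      for v in spec.get("variables", [])],
        "validations": [dict(v) for v in spec["validations"]],
    }
    policy = {
        "apiVersion": "policies.kubewarden.io/v1",
        "kind": "ClusterAdmissionPolicy",
        "metadata": {"name": binding["metadata"]["name"]},
        "spec": {"module": module, "settings": settings,
                 "rules": rules, "mutating": False},
    }
    selector = bspec.get("matchResources", {}).get("namespaceSelector")
    if selector:
        policy["spec"]["namespaceSelector"] = selector
    return policy, module_pinning_warnings(module)


if __name__ == "__main__":
    policy, warnings = vap_to_cluster_admission_policy(
        VAP, BINDING, "ghcr.io/kubewarden/policies/cel-policy:latest")
    for w in warnings:
        print("warning:", w)
    print(yaml.safe_dump(policy, sort_keys=False) if yaml else policy)
```

Running the script with the `latest` reference prints the warning and then the same ClusterAdmissionPolicy shown above; passing a digest-pinned module reference produces no warning. The refusals are deliberate: a binding whose validationActions is `Warn` or `Audit` cannot be expressed as a simple denying policy, and silently mapping it to one would change enforcement semantics during the migration.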