SUSE Security Admission Controller and OPA Gatekeeper are both CNCF-hosted policy engines for Kubernetes, but they differ in how policies are written, packaged and run. Admission Controller policies are WebAssembly modules that can be written in several languages and are distributed as OCI artifacts from container registries; Gatekeeper policies are written in Rego and embedded in ConstraintTemplate and Constraint custom resources. Admission Controller can run several PolicyServers and scope a policy to a single namespace or to the whole cluster, which gives finer control over which resources a policy sees and where it runs, whereas Gatekeeper evaluates all policies in a single server against cluster-wide CRDs.
SUSE Security Admission Controller
SUSE's Cloud Native product family adds value through stronger security assurances, extended lifecycles, access to focused reference architectures and Kubernetes advisories. It will also offer options for production support of innovative Cloud Native projects. With SUSE Cloud Native, installation assets are hosted on a trusted registry owned and managed by SUSE.
SUSE Security Admission Controller is a Kubernetes policy engine that aims to be a universal policy engine for Kubernetes. It can reuse policies written for other policy engines without rewriting them, and you can write your own policies in any programming language that compiles to WebAssembly, keeping your existing language tooling and libraries. Because policies are self-contained Wasm modules, they can also be evaluated outside the cluster, for example in CI/CD pipelines. SUSE Security Admission Controller also ships an audit scanner that actively and continuously checks that deployed policies are still being enforced over time.
The Admission Controller audit scanner continuously checks existing cluster resources for compliance with the deployed policies, so administrators can find workloads that were admitted before a policy was introduced or that violate current security or configuration rules. It works by replaying existing resources through the policies as simulated admission requests and records the results as policy reports; for that it needs RBAC permissions to read the resources it audits and to create the report resources.
Admission Controller policies are distributed as annotated WebAssembly binaries that can be stored in any OCI-compliant registry, so clusters can pull them the same way they pull container images. The guide explains how to embed metadata (the resources and operations the policy applies to, whether it mutates, and descriptive annotations) into a policy with kwctl annotate, and how to publish the annotated module with kwctl push so that the policy server can fetch, reference and execute it correctly.
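The following metadata file is an added illustration of what kwctl annotate embeds into a policy module; it is not taken from the page or from the project's own documentation. The policy name, registry path, author and URLs are placeholders, and the commands in the comments assume a local `policy.wasm` built from your own source.

```yaml
# metadata.yml: constructed example metadata for a validating policy.
# Embed it into the module with:
#   kwctl annotate -m metadata.yml -o annotated-policy.wasm policy.wasm
# then publish the annotated module to an OCI registry with:
#   kwctl push annotated-policy.wasm registry://registry.example.com/policies/example-policy:v0.1.0

# Which admission requests the policy server forwards to this policy.
# Keep the scope narrow: only the kinds and verbs the policy actually inspects.
rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
    operations: ["CREATE", "UPDATE"]

# A validating policy must declare mutating: false; a policy that returns a
# mutated object must declare mutating: true so it is registered as a
# mutating webhook.
mutating: false

# Other cluster resources the policy is allowed to read at evaluation time.
# Leave empty unless the policy genuinely needs them (least privilege).
contextAwareResources: []

# Host protocol used by the module (the waPC-based mode).
executionMode: kubewarden-wapc

# Descriptive annotations shown by kwctl and policy catalogs.
annotations:
  io.kubewarden.policy.title: example-policy
  io.kubewarden.policy.description: Rejects pods that request a privileged security context
  io.kubewarden.policy.author: Example Security Team
  io.kubewarden.policy.url: https://example.com/policies/example-policy
  io.kubewarden.policy.source: https://example.com/policies/example-policy
  io.kubewarden.policy.license: Apache-2.0
  io.kubewarden.policy.usage: |
    Deploy with mutating: false and a rule matching pods on CREATE and UPDATE.
    The policy takes no settings.
```

Treat the `rules` and `mutating` values as security-relevant: they decide which requests the policy server sends to the module and what the module is allowed to do with them, so review them in the same way as the policy source.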
Mutating policies in Admission Controller can modify incoming Kubernetes objects before they are admitted. They must be reviewed carefully, both because a mutation can silently weaken an object's security settings and because mutations from several controllers can interact and, in the worst case, loop. Mutating admission runs before validating admission, so a mutated object still has to pass every validating policy. The guide gives examples of how to configure and test mutating policies, including setting the policy's mutating field correctly: only a policy declared mutating is registered through a mutating webhook and allowed to return a changed object.
Admission Controller integrates with Kubernetes through a controller, CRDs and admission webhooks. The controller reconciles policy resources, registers webhooks with the API server, and runs one or more PolicyServers, each a separate Deployment that loads the policies bound to it as WebAssembly modules fetched as OCI artifacts. Running several PolicyServers lets you isolate policies by tenant, trust level or resource budget, so a misbehaving or expensive policy cannot take down admission for the whole cluster.
The common tasks guide covers how to find, test, and enforce Admission Controller policies using Artifact Hub and the kwctl CLI tool, including evaluating a policy locally against a saved admission request before deploying it to a cluster. It also shows how to generate and apply ClusterAdmissionPolicy resources, and points to further documentation for writing and distributing policies.
The quick start describes how to install and configure the Admission Controller stack in Kubernetes using Helm charts, and introduces its main components for managing cluster-wide and namespace-scoped policies. It walks through enforcing a policy that rejects privileged containers and explains how to uninstall the stack.
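The manifest below is an added example for the mutating-policy, architecture, common-tasks and quick-start summaries above; it is not the page's or the project's own code. It assumes the CRDs keep the `policies.kubewarden.io/v1` API group, that a service account named `policy-server` exists, and that the image tag and the pod-privileged module tag are replaced with the versions published for your installation. The `default-labels` module is hypothetical and stands in for any mutating policy.

```yaml
# Constructed example: a dedicated PolicyServer plus two policies bound to it.
# Apply with: kubectl apply -f admission-policies.yaml
apiVersion: policies.kubewarden.io/v1
kind: PolicyServer
metadata:
  name: tenant-a
spec:
  image: ghcr.io/kubewarden/policy-server:v1.0.0   # placeholder tag
  replicas: 2
  serviceAccountName: policy-server                # assumed to exist
---
# Validating policy: rejects privileged containers (the quick-start scenario).
# Start in monitor mode so violations are only logged; switch to protect once
# the logged evaluations show no unexpected rejections.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: privileged-pods
spec:
  policyServer: tenant-a
  module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.2.5   # placeholder tag
  mode: monitor
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  mutating: false
---
# Mutating policy: a hypothetical module that adds labels to pod specs.
# It must be declared mutating: true; otherwise it is registered as a
# validating webhook and the mutated object it returns cannot be applied.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: default-labels
spec:
  policyServer: tenant-a
  module: registry://registry.example.com/policies/default-labels:v0.1.0   # hypothetical module
  mode: protect
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE"]
  mutating: true
  settings:          # policy-specific settings, passed to the module as-is
    labels:
      team: platform
```

Before applying a policy to a cluster, evaluate the module locally with `kwctl run --request-path request.json <module URI>` against a saved admission request so that its accept, reject or mutate behaviour is known in advance; a mutating policy should additionally be checked against the validating policies on the same PolicyServer, since its output is what those policies will see.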
SUSE Security Admission Controller is a Kubernetes policy engine that enforces policies packaged as portable WebAssembly modules. Administrators can write policies in any language that compiles to Wasm, distribute them through container registries with signatures, and enforce security, compliance and resource controls at admission time.
Testing Admission Controller policies.
How Admission Controller uses signed provenance, SBOMs and signed artifacts to secure its own supply chain. There are step-by-step instructions for verifying container images, Helm charts, binaries and policies with Sigstore's cosign. Verification should pin the expected signer (a public key or, for keyless signatures, the certificate issuer and signing identity) rather than accept any valid signature, so that a substituted artifact signed by another party is still rejected.
Admission Controller policies are WebAssembly plug-ins that validate, mutate or reject Kubernetes admission requests. The policy server loads each module and invokes it over the waPC protocol for every matching request; the module returns a response that accepts or rejects the request and, for mutating policies, may carry the modified object. You can write policies in any language with WebAssembly and waPC support.