Speaker

Felipe Alves

Senior Staff Software Engineer at ServiceNow

Athlone, Ireland

Originally from Brazil and a Radio Engineer, I made my way into Software Engineering once it began swallowing Mobile Networks.
Most of my time has been spent provisioning, maintaining and supporting Kubernetes Platforms, especially in the area of Fleet Management.

Area of Expertise

  • Information & Communications Technology
  • Region & Country

Topics

  • Kubernetes Operators
  • Platform Engineering
  • Kubernetes
  • Kubernetes Security

Extending Kubernetes Admission Control: Dynamic Cross-Resource Policy Validation

Kubernetes’ ValidatingAdmissionPolicy API enables powerful declarative policy enforcement, but managing ValidatingAdmissionPolicyBindings at scale is challenging. At ServiceNow, we found that we would need to deploy and constantly maintain hundreds of bindings per policy in each of our clusters.

To solve this, we built an operator that integrates with the ValidatingAdmissionPolicy API by modifying the resource referenced in a ValidatingAdmissionPolicyBinding's paramRef, enabling dynamic cross-resource validation. The operator transfers data from source-of-truth resources into the paramRef resource of the ValidatingAdmissionPolicyBindings, keeping policies consistent and replacing the need for hundreds of bindings to distinct resources.

We’ll dive deep into the solution and demo how the operator provides a manageable way to implement sophisticated validation scenarios, such as implementing policy exemption mechanisms or tying the policy management configuration to your fleet-management system.

Maximum-Security Clusters: Solving the ValidatingAdmissionPolicy Fail-Closed Dilemma

ValidatingAdmissionPolicy (VAP) gives us a declarative way to enforce security in Kubernetes. But when we tried to run the policies in fail-closed mode we ran into a problem we didn’t expect.

VAP lets you reference external parameter objects in its policies, which is exactly what individual governance teams need. Exemption lists, approved registries, namespace allow-lists all change frequently and shouldn’t require updating the policy definition itself.

Implementing this separation of concerns introduces a difficult choice about what happens if the referenced resource is not present.
The options are:
- Deny: block every workload, or
- Allow: skip policy validation.

Neither option is acceptable. Deny risks cluster-wide outages. Allow silently weakens security.

To safely run in fail-closed mode, we had to guarantee that none of the referenced parameter objects are ever absent. The real challenge wasn’t writing the policy — it was solving the lifecycle and distribution problem behind those references. Without that, fail-closed enforcement simply isn’t safe.

In this talk, I’ll share how we approached this challenge in a global enterprise Kubernetes platform. We'll dive deep into the operator we built to continuously reconcile governance-owned parameter objects into each cluster, enabling fail-closed enforcement without risking widespread disruption.

More importantly, I’ll focus on the patterns behind the solution:

- Designing VAP policies with clean separation of concerns
- Managing parameter object lifecycle safely at scale
- Preventing outages caused by missing cross-resource references
- Extending VAP with templating and multi-object targeting

If you’re trying to move from “best-effort” policy enforcement to a reliable fail-closed security implementation with a distributed governance model, this session will give you practical patterns you can apply in any environment.
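As an added illustration of the paramRef dilemma described in this abstract (example configuration written for this page, not the talk's or ServiceNow's operator code; the ConfigMap name, namespace, data key and registry values are constructed):

```yaml
# Added example: a VAP that reads its allow-list from a ConfigMap, plus the
# binding whose paramRef decides what happens when that ConfigMap is absent.
# ConfigMap name/namespace, the "registries" key and its values are constructed.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: allowed-registries
spec:
  failurePolicy: Fail          # fail-closed: evaluation errors reject the request
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    - expression: >-
        object.spec.containers.all(c,
          params.data['registries'].split(',').exists(r, c.image.startsWith(r)))
      message: "container image must come from an allowed registry"
---
# The data the policy depends on lives outside the policy, so it can change without touching the CEL.
apiVersion: v1
kind: ConfigMap
metadata:
  name: allowed-registries
  namespace: governance
data:
  registries: "registry.example.internal/,quay.example.internal/"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: allowed-registries
spec:
  policyName: allowed-registries
  validationActions: ["Deny"]
  paramRef:
    name: allowed-registries
    namespace: governance
    # The dilemma: if the ConfigMap above is missing,
    #   Deny  -> every matching Pod admission is rejected (outage risk)
    #   Allow -> the policy is skipped for the request (silent security gap)
    # Deny is only safe once something guarantees the ConfigMap always exists.
    parameterNotFoundAction: Deny
```

Deleting the `governance/allowed-registries` ConfigMap and then creating any Pod shows the fail-closed behaviour directly: with `Deny` the Pod is rejected with a parameter-not-found error, with `Allow` it is admitted unchecked.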

First public delivery: This talk has not been presented at any previous conference or event.

Session format: 30-minute session presentation with two speakers (both from ServiceNow, platform engineering team). We will split the talk between the problem space (VAP's paramRef fail-closed dilemma) and the solution (operator architecture and live demo).

Target audience: Intermediate to advanced Kubernetes practitioners — platform engineers, security engineers, and cluster operators who are evaluating or already implementing ValidatingAdmissionPolicy for policy enforcement. Familiarity with Kubernetes admission control concepts is assumed.

Production context: The patterns presented are running in production across 50+ clusters spanning multiple regions in a global enterprise Kubernetes platform. This is a real-world case study, not a proof of concept.

Live demo included: We will include a live demonstration showing the operator reconciling parameter objects and the fail-closed enforcement behavior when references are present vs. absent.

Open source: The operator discussed in this talk is being open-sourced ahead of the event. Regardless of that, the talk focuses on reusable patterns that are universally applicable.

Suggested tracks: Security or Platform Engineering.

ValidatingAdmissionPolicies at Scale: Enterprise-Grade K8s Policy Framework in Three Steps

Many organizations struggle to implement effective policy enforcement at scale due to the challenges of managing ValidatingAdmissionPolicies in complex enterprise environments.

Are you struggling to implement effective policy enforcement at scale? So were we! Learn how we leveraged ValidatingAdmissionPolicies to create an enterprise-grade policy framework that scales. We'll cover the three-component architecture developed to address the complexities of developing, deploying and maintaining ValidatingAdmissionPolicies:

1. Policy Generation and Testing: How we use CUE and declarative code to create and maintain policies with comprehensive test coverage, enabling security teams to focus on business logic rather than CEL syntax

2. Enterprise-Integrated Exemption Management: Our approach to policy exceptions that integrates directly with Fleet Management systems, providing a unified interface for both application configuration and security requirements

3. Pre-Deployment Compliance Validation: How we validate existing Kubernetes resources prior to deploying the policies, enabling their safe deployment in brownfield environments

Our framework addresses enterprise realities: brownfield deployments, legacy applications, urgent business needs, and the balance between security and developer velocity.

Join us to see how our comprehensive policy framework creates the foundation necessary for effective Kubernetes policy implementation in enterprise environments. Learn how our three-tiered approach to policy generation, exemption management and policy auditing transforms ValidatingAdmissionPolicies from isolated security controls into an integrated, business-aligned policy enforcement system that delivers measurable security benefits while respecting operational realities.
