In the world of Kubernetes, dynamic admission controllers have long played a pivotal role in enhancing the robustness and adaptability of clusters. For instance, ValidatingWebhookConfiguration empowers users to implement intricate and finely-tuned access controls beyond the capabilities of RBAC and MutatingWebhookConfiguration provides advanced defaulting logic for all resource types. However, this capability often comes at a price – the ease with which they can be misconfigured, potentially leading to cluster disruption and downtime.

Historically, we’ve accepted this fragility as an inevitable trade-off for greater control over our clusters. But what if we could change that narrative?

Enter CEL-based Admission Policies!

In this talk we’ll take a look at what makes ValidatingAdmissionPolicies and MutatingAdmissionPolicies a safer choice for your admission logic and what problems they aim to solve.

We will dive into the features and limitations and will also draw comparisons with their webhook-based alternatives, highlighting the problems they solve. Finally, we’ll walkthrough how you can begin leveraging them today and take a look at what might be coming in the future.