Dynamic admission controllers have long played a pivotal role in enhancing the robustness and adaptability of clusters. For instance, ValidatingWebhookConfiguration empowers users to implement finely-tuned access controls beyond the capabilities of RBAC and MutatingWebhookConfiguration provides advanced defaulting logic for all resource. However, this often comes at a price – the ease with which they can be misconfigured, potentially leading to cluster disruption and downtime.

Historically, we’ve accepted this fragility as an inevitable trade-off for greater control over our clusters. But that ends now!

Enter CEL-based, in-process Admission Policies!

In this talk we’ll look at what makes ValidatingAdmissionPolicies and MutatingAdmissionPolicies a safer choice, we will dive into the features & limitations and draw comparisons with their webhook-based alternatives, highlighting problems they solve. Finally, we’ll walkthrough how you can leveraging them today and look at the future.