Skip to content

Week 20 - Admission Control: Webhooks, OPA Gatekeeper, Kyverno

20.1 Conceptual Core

  • Admission control is the apiserver's last gate: every create/update is run through configured admission webhooks before persistence.
  • Two policy-engine choices in the modern ecosystem:
  • OPA Gatekeeper-Rego-language policies; the standard for "policy as code."
  • Kyverno-YAML-native policies; lower learning curve, strong template/mutation/generate support.
  • Pod Security Admission (replacement for the deprecated PodSecurityPolicy)-built into the apiserver. Three profiles: privileged, baseline, restricted. Apply per-namespace.

20.2 Mechanical Detail

  • Validating webhooks: receive AdmissionReview, return Allowed=true/false with reasons. Cannot mutate.
  • Mutating webhooks: also return JSON Patch / strategic merge for changes. Applied before validating.
  • Failure policy (Fail vs Ignore): if the webhook is unreachable, fail closed (safer) or open (operationally simpler). Trade off carefully.
  • Gatekeeper's ConstraintTemplate (Rego) + Constraint (instance) model. Audit mode reports without enforcing-start there in any new policy rollout.
  • Kyverno's ClusterPolicy / Policy CRDs cover validate, mutate, generate, verifyImages.

20.3 Lab-"Three Policy Layers"

  1. Apply Pod Security Admission per-namespace: restricted everywhere except a priv namespace.
  2. Author 5 Gatekeeper Constraints: require resource limits, forbid latest tags, enforce non-root, label-required, namespace-must-have-team-label.
  3. Author equivalents in Kyverno. Compare expressiveness.
  4. Run in audit-mode for a week against a pre-existing cluster; triage findings before enforcing.

20.4 Hardening Drill

  • Mandate signed images via Kyverno's verifyImages with cosign keys. Combined with Sigstore policy from the Container curriculum, this closes the supply-chain gate at the cluster.

20.5 Operations Slice

  • Track admission-webhook latency. Slow webhooks slow every apply. Pod-creation latency p99 is your warning signal.

Month 5 Capstone Deliverable

A platform-and-day2/ workspace: 1. gitops-stack/ (week 17)-ArgoCD + ApplicationSet + multi-env overlays. 2. crossplane-platform/ (week 18)-XDatabase composition + claim demo. 3. hpa-custom-metrics/ (week 19)-Prom-adapter + HPA + KEDA scale-to-zero demo. 4. policy-suite/ (week 20)-Gatekeeper + Kyverno + PSA examples.

Comments