CEL for Admission Control

[jpbetz]

Enhancement Description

• One-line enhancement description (can be used as a release note): CEL for Admission Control

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3488-cel-admission-control

• Discussion Link: https://groups.google.com/g/kubernetes-sig-api-machinery/c/WBVf_oWm4kU

• Primary contact (assignee): cici37

• Responsible SIGs: sig-apimachinery

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.26
  • Beta release target (x.y): 1.28
  • Stable release target (x.y): 1.30

• [x] Alpha

  • [x] KEP (k/enhancements) update PR(s):
    • https://github.com/kubernetes/enhancements/pull/3492
    • PRR: https://github.com/kubernetes/enhancements/pull/3554
  • [x] Code (k/k) update PR(s):
    • https://github.com/kubernetes/kubernetes/pull/113314
    • https://github.com/kubernetes/kubernetes/pull/113349
    • https://github.com/kubernetes/kubernetes/pull/112994
    • https://github.com/kubernetes/kubernetes/pull/112792
    • https://github.com/kubernetes/kubernetes/pull/112926
    • https://github.com/kubernetes/kubernetes/pull/112858
  • [x] Docs (k/website) update PR(s):
    • https://github.com/kubernetes/website/pull/37770
    • https://github.com/kubernetes/website/pull/37683

• [x] Alpha2(in 1.27)

  • [x] KEP (k/enhancements) update PR(s):
    • https://github.com/kubernetes/enhancements/pull/3732
    • https://github.com/kubernetes/enhancements/pull/3669
    • https://github.com/kubernetes/enhancements/pull/3697
    • https://github.com/kubernetes/enhancements/pull/3812
    • https://github.com/kubernetes/enhancements/pull/3736
  • [x] Code (k/k) update PR(s):
    • https://github.com/kubernetes/kubernetes/pull/113312
    • https://github.com/kubernetes/kubernetes/pull/115816
    • https://github.com/kubernetes/kubernetes/pull/116054
    • https://github.com/kubernetes/kubernetes/pull/115747
    • https://github.com/kubernetes/kubernetes/pull/115973
    • https://github.com/kubernetes/kubernetes/pull/116103
    • https://github.com/kubernetes/kubernetes/pull/116397
    • https://github.com/kubernetes/kubernetes/pull/115668
    • https://github.com/kubernetes/kubernetes/pull/116350
  • [x] Docs (k/website) update(s):
    • https://github.com/kubernetes/website/pull/40054
    • https://github.com/kubernetes/website/pull/40200
    • https://github.com/kubernetes/website/pull/40019
    • https://github.com/kubernetes/website/pull/40058
    • https://github.com/kubernetes/website/pull/40098

• [x] Beta

  • [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/3949
  • [x] Code (k/k) update PR(s):
    • https://github.com/kubernetes/kubernetes/pull/116779
    • https://github.com/kubernetes/kubernetes/pull/118339
    • https://github.com/kubernetes/kubernetes/pull/118540
    • https://github.com/kubernetes/kubernetes/pull/119209
    • https://github.com/kubernetes/kubernetes/pull/116443
    • https://github.com/kubernetes/kubernetes/pull/117377
    • https://github.com/kubernetes/kubernetes/pull/118642
    • https://github.com/kubernetes/kubernetes/pull/118803
    • https://github.com/kubernetes/kubernetes/pull/118267
    • https://github.com/kubernetes/kubernetes/pull/118804
    • https://github.com/kubernetes/kubernetes/pull/119215
    • https://github.com/kubernetes/kubernetes/pull/118644
  • [x] Docs (k/website) update(s): https://github.com/kubernetes/website/pull/42042

• [x] Stable

  • [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/4225
  • [x] Code (k/k) update PR(s):
    • https://github.com/kubernetes/kubernetes/pull/123543
    • https://github.com/kubernetes/kubernetes/pull/123405
  • [x] Docs (k/website) update(s): https://github.com/kubernetes/website/pull/45249

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[jpbetz]

/sig api-machinery

[kikisdeliveryservice]

@jpbetz please provide a Discussion Link. It is required that you "link to SIG mailing list thread, meeting, or recording where the Enhancement was discussed before KEP creation" :)

[logicalhan]

/lead-opted-in

[logicalhan]

/milestone v1.26

[logicalhan]

/lead-opted-in

[logicalhan]

/sig api-machinery

[rhockenbury]

/label tracked/yes

[parul5sahoo]

Hello @jpbetz 👋, 1.26 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT on Thursday 6th October 2022.

This enhancement is targeting for stage alpha for 1.26 (correct me, if otherwise)

Here's where this enhancement currently stands:

• [x] KEP readme using the latest template has been merged into the k/enhancements repo.
• [ ] KEP status is marked as implementable for latest-milestone: 1.26
• [ ] KEP readme has a updated detailed test plan section filled out
• [ ] KEP readme has up to date graduation criteria
• [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following before enhancements freeze which is approaching soon:

• update the status of the KEP in the kep.yaml to implemetable.
• check the agreement in the test plan section and add graduation criteria for alpha phase(if need being).
• Complete and merge the PRR for the kep

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[jpbetz]

https://github.com/kubernetes/enhancements/pull/3554 contains PRR, test, graduation and implementable, we are aiming to merge it today

[cici37]

@parul5sahoo Thanks for reaching out! We have everything merged. The KEP can be tracked now. Please let us know of anything is missing :)

[parul5sahoo]

Hello @cici37 , although I see that the release sign off checklist and the test agreement have been included but they are all unchecked. so could you please check the items that meet the criteria in the release check list and also the check the test agreement. And since these are minor details I am marking the KEP as tracked.

[cici37]

Hello @cici37 , although I see that the release sign off checklist and the test agreement have been included but they are all unchecked. so could you please check the items that meet the criteria in the release check list and also the check the test agreement. And since these are minor details I am marking the KEP as tracked.

https://github.com/kubernetes/enhancements/pull/3592 to address this. Thanks for marking this tracked!

[cici37]

/assign

[katmutua]

Hello @jpbetz ! 👋🏾,

@katmutua 1.26 Release Docs shadow here. This enhancement is marked as ‘Needs Docs’ for 1.26 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.26 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by November 9.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release. As a reminder, please link all of your docs PR to this issue so we can easily track it.

[ruheenaansari34]

Hi @jpbetz 👋,

Checking in once more as we approach the 1.26 code freeze at 17:00 PDT on Tuesday 8th November 2022.

Please ensure the following items are completed:

• [x] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• [x] All PRs are fully merged by the code freeze deadline.

For this enhancement, it looks like the following PRs are open and need to be merged before the code freeze. If you do have any other k/k PRs open, please link them to this issue :

• https://github.com/kubernetes/kubernetes/pull/113314
• https://github.com/kubernetes/kubernetes/pull/112883

As always, we are here to help should questions come up. Thanks!

[jpbetz]

All PRs are now linked and we are working on code review and approvals. We will open a docs PR shortly.

[cici37]

I have opened the doc place holder PR. Thanks

[jpbetz]

All alpha feature code has merged.

[marosset]

/remove-label lead-opted-in /remove-label tracked/yes /label tracked/no /milestone clear

[sftim]

I had an idea: also provide a mechanism to accept a proposed change at admission time, but warn about a breach.

[sftim]

Something like:

---
apiVersion: admissionregistration.k8s.io/v1foo42
kind: ValidatingAdmissionPolicy
metadata:
  name: demo
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  warnUnless:
    - expression: |-
        object.spec.replicas < 5
      message: >-
        You can only have five replicas maximum
  failUnless:
    - expression: |-
        object.spec.replicas <= 5

[jpbetz]

I had an idea: also provide a mechanism to accept a proposed change at admission time, but warn about a breach.

I think we need this. The idea is partially captured in the not-yet-implemented "Enforcement Actions" proposal in the KEP.

How are you imagining warnings to work @sftim? Existing admission webhooks support warnings in the form of additional information sent back to the client for all requests that go through admission (accepted or denied). Would that be sufficient or were you imaging something else?

[sftim]

A client should see a warning that looks identical to the the admission webhook approach outlined in https://kubernetes.io/blog/2020/09/03/warnings/ (except maybe lower response latency). That is exactly what I had in mind.

Not sure what the audit logging option would look like; someone else might be able to devise that.

[sftim]

:thought_balloon: If anyone had the cycles we could even implement ValidatingAdmissionPolicy as an out-of-tree validating admission webhook. I don't think it's worth it, but it'd be possible.

[tallclair]

This has planned changes for v1.27, but it's remaining in alpha. Should it be tracked for the v1.27 milestone?

[logicalhan]

Is there a beta version of this KEP I can review for PRR?

[jpbetz]

Is there a beta version of this KEP I can review for PRR?

We don't have a ETA for beta yet. 1.27 will contain additional alpha level capabilities.

[fsmunoz]

Hello @jpbetz 👋, v1.27 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.27 (please correct me, if otherwise)

Here's where this enhancement currently stands:

• [X] KEP readme using the latest template has been merged into the k/enhancements repo.
• [ ] KEP status is marked as implementable for latest-milestone: 1.27
• [X] KEP readme has a updated detailed test plan section filled out
• [X] KEP readme has up to date graduation criteria
• [X] KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following:

• Please update the latest-milestone and alpha target in the kep.yaml

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[jpbetz]

Opened https://github.com/kubernetes/enhancements/pull/3833 to update latest-milestone.

[fsmunoz]

Hello @jpbetz , that should do it when merged!

One note: the latest KEP template has an additional section in the PRR section "Scalability"

Can enabling / using this feature result in resource exhaustion of some node resources (PIDs, sockets, inodes, etc.)?

That section in encouraged (not mandatory) for alpha, so I wasn't strict about it in mt review. That said, you might want to take a look.