Marcus is a platform engineer at Monzo, a UK bank dedicated to making money work for everyone, a Civo Ambassador and a CNCF Ambassador. His main area of focus in recent years has been around Go, Kubernetes, containers and DevOps but originally started out as a web developer and JavaScript enthusiast. A self-described “tinkerer”, when not building Kubernetes solutions, Marcus likes to dabble with 3D printing and experimenting with smart home tech.
Dynamic admission controllers have long played a pivotal role in enhancing the robustness and adaptability of clusters. For instance, ValidatingWebhookConfiguration empowers users to implement intricate and finely-tuned access controls beyond the capabilities of RBAC and MutatingWebhookConfiguration provides advanced defaulting logic for all resource types. However, this capability often comes at a price – the ease with which they can be misconfigured, potentially leading to cluster disruption and downtime.
Historically, we’ve accepted this fragility as an inevitable trade-off for greater control over our clusters. But that stops now!
Enter CEL-based, in-process Admission Policies!
In this talk we’ll take a look at what makes ValidatingAdmissionPolicies and MutatingAdmissionPolicies a safer choice for your admission logic, we will dive into the features and limitations and will also draw comparisons with their webhook-based alternatives, highlighting the problems they solve. Finally, we’ll walkthrough how you can begin leveraging them today and take a look at what might be coming in the future.
