CEL for Admission Control

[jpbetz]

Enhancement Description

• One-line enhancement description (can be used as a release note): CEL for Admission Control

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3488-cel-admission-control

• Discussion Link: https://groups.google.com/g/kubernetes-sig-api-machinery/c/WBVf_oWm4kU

• Primary contact (assignee): jpbetz

• Responsible SIGs: sig-apimachinery

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.26
  • Beta release target (x.y): 1.28
  • Stable release target (x.y):

• Alpha

  • KEP (k/enhancements) update PR(s):
    • KEP-3488: CEL Admission Control #3492
    • PRR: KEP-3488: Add PRR and test section for Cel admission control #3554
  • Code (k/k) update PR(s):
    • Implement CEL for Admission Control kubernetes#113314
    • Refactor matcher interface kubernetes#113349
    • Add metrics for CEL for admission control KEP kubernetes#112994
    • Add feature gate CelValidatingAdmission kubernetes#112792
    • split and move CEL package kubernetes#112926
    • CEL Admission Plugin kubernetes#112858
  • Docs (k/website) update PR(s):
    • Documentation for CEL in Admission Control website#37770
    • [WIP]Feature blog place holder PR for CEL in Admission Control website#37683

• Alpha2(in 1.27)

  • KEP (k/enhancements) update PR(s):
    • KEP-3488: CEL admission: Add graceful rollout, warning and audit support #3732
    • KEP-3488: Add information on expression composition #3669
    • KEP-3488: add spec for supporting custom match criteria #3697
    • KEP-3488: Add proposed design for secondary authz via CEL validation policies. #3812
    • KEP-3488: Adjust for inclusion of string.format in CEL #3736
  • Code (k/k) update PR(s):
    • OpenAPI-based CEL type library kubernetes#113312
    • refactor validatingadmissionpolicy cel validator and compiler to be reusable kubernetes#115816
    • KEP-3488: Implement secondary authz for ValidatingAdmissionPolicy kubernetes#116054
    • Apply cost constraints to ValidatingAdmissionPolicy kubernetes#115747
    • KEP-3488: Implement Enforcement Actions and Audit Annotations kubernetes#115973
    • Apply context cancellation to ValidatingAdmissionPolicy kubernetes#116103
    • MessageExpression for ValidatingAdmissionPolicy kubernetes#116397
    • Type System for ValidatingAdmissionPolicy kubernetes#115668
    • Custom match criteria kubernetes#116350
  • Docs (k/website) update(s):
    • KEP-3488 ValidatingAdmissionPolicy post-1.27 update website#40054
    • KEP-3488 ValidatingAdmissionPolicy: MatchConditions website#40200
    • Documentation for messageExpression update to KEP-2876 website#40019
    • AdmissionWebhookMatchConditions feature documentation website#40058
    • KEP-3488 ValidatingAdmissionPolicy: Enforcement actions, audit annotations, and secondary authz website#40098

• Beta

  • KEP (k/enhancements) update PR(s): KEP-3488: promote validatingadmissionpolicy to beta #3949
  • Code (k/k) update PR(s):
    • Controlled rollout of CEL libraries and language feautres kubernetes#116779
    • Bump cel go to latest version kubernetes#118339
    • add support for authorizer to type checking. kubernetes#118540
    • ValidatingAdmissionPolicy: expended type checking to messageExpression kubernetes#119209
    • Cache authz decisions within the scope of validating policy admission. kubernetes#116443
    • ValidatingAdmissionPolicy controller for Type Checking kubernetes#117377
    • ValidatingAdmissionPolicy: Variable Composition kubernetes#118642
    • Add quantity library to CEL kubernetes#118803
    • ValidatingAdmissionPolicy: support namespace access kubernetes#118267
    • CEL lib: Expose errors on authz decisions instead of raising them from check() kubernetes#118804
    • KEP-3488: Per namespace policy params kubernetes#119215
    • KEP-3488: Promote ValidatingAdmissionPolicy to Beta kubernetes#118644
  • Docs (k/website) update(s): [WIP] Update docs around CEL for Admission Control website#42042

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[jpbetz]

/sig api-machinery

[kikisdeliveryservice]

@jpbetz please provide a Discussion Link. It is required that you "link to SIG mailing list thread, meeting, or recording where the Enhancement was discussed before KEP creation" :)

[logicalhan]

/lead-opted-in

[logicalhan]

/milestone v1.26

[logicalhan]

/lead-opted-in

[logicalhan]

/sig api-machinery

[rhockenbury]

/label tracked/yes

[parul5sahoo]

Hello @jpbetz 👋, 1.26 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT on Thursday 6th October 2022.

This enhancement is targeting for stage alpha for 1.26 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.26
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following before enhancements freeze which is approaching soon:

• update the status of the KEP in the kep.yaml to implemetable.
• check the agreement in the test plan section and add graduation criteria for alpha phase(if need being).
• Complete and merge the PRR for the kep

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[jpbetz]

#3554 contains PRR, test, graduation and implementable, we are aiming to merge it today

[cici37]

@parul5sahoo Thanks for reaching out! We have everything merged. The KEP can be tracked now. Please let us know of anything is missing :)

[parul5sahoo]

Hello @cici37 , although I see that the release sign off checklist and the test agreement have been included but they are all unchecked. so could you please check the items that meet the criteria in the release check list and also the check the test agreement. And since these are minor details I am marking the KEP as tracked.

[cici37]

Hello @cici37 , although I see that the release sign off checklist and the test agreement have been included but they are all unchecked. so could you please check the items that meet the criteria in the release check list and also the check the test agreement. And since these are minor details I am marking the KEP as tracked.

#3592 to address this. Thanks for marking this tracked!

[cici37]

/assign

[cici37]

Hello @jpbetz 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on Thursday, 8th June 2023.

Looks like this enhancement is targeting for stage beta for v1.28

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone:v1.28
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would simply need to update the following:

• Get approval from the PRR authors.
• Get the KEP PR merged before enhancements freeze.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you :)

@Atharva-Shinde Thanks for the updates! I am working on merging the KEP updates and get PRR review before the deadline!

[cici37]

Hi @Atharva-Shinde , the KEP update for this one has been merged and we should be on track now. Thank you!

[Atharva-Shinde]

Hey @cici37
With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as tracked. Please keep the issue description up-to-date with appropriate stages as well. Thank you :)

[Rishit-dagli]

Hello @jpbetz @cici37 👋, 1.28 Docs Lead here.

Does this enhancement work planned for 1.28 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against dev-1.28 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 20th July 2023.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[Rishit-dagli]

Hey @jpbetz , could you please create a docs PR even if it is a draft PR with no content yet against dev-1.28 branch in the k/website repo. The deadline to create this draft PR is Thursday 20th July 2023.

[Atharva-Shinde]

Hey again @cici37 @jpbetz 👋

Just checking in as we approach Code freeze at 01:00 UTC Friday, 19th July 2023 .

I don't see any code (k/k) update PR(s) in the issue description so if there are any k/k related PR(s) that we should be tracking for this KEP please link them in the issue description above.

As always, we are here to help if any questions come up. Thanks!

[cici37]

Hi @Atharva-Shinde here is the placeholder doc PR: kubernetes/website#42042 Thank you!

[Atharva-Shinde]

Hey @cici37 does this enhancement have any code related pull requests open in kubernetes/kubernetes repository?

[cici37]

Hey @cici37 does this enhancement have any code related pull requests open in kubernetes/kubernetes repository?

I have updated in issue description. Thank you!

[Atharva-Shinde]

Hello @cici37 @jpbetz 👋, 1.28 Enhancements Lead here.

Unfortunately, the implementation (code related) PRs associated with this enhancement is not in the merge-ready state by code-freeze and hence this enhancement is now removed from the v1.28 milestone.
kubernetes/kubernetes#119215
kubernetes/kubernetes#119109
kubernetes/kubernetes#118819
kubernetes/kubernetes#118644

If you still wish to progress this enhancement in v1.28, please file an exception request. Thanks!

/milestone clear

[Atharva-Shinde]

Thanks for filling an exception request! I'll reapply the v1.28 milestone if the exception request is approved.

[Rishit-dagli]

Hello @cici37 @jpbetz 👋 please take a look at Documenting for a release - PR Ready for Review to get your docs PR ready for review before Tuesday 25th July 2023. Thank you!

Ref: kubernetes/website#42042

[Rishit-dagli]

@Atharva-Shinde was this exception request approved?

[cici37]

@Rishit-dagli Yes, this exception has been approved and we are on track for 1.28.

[cici37]

Update: All code was merged before the 1.28 exception deadline. Thank you so much for the support! cc @Atharva-Shinde @Rishit-dagli

[Atharva-Shinde]

Hey again @cici37 👋
As all the code related PRs of this KEP were merged by the additional time approved in the exception request, I am adding this KEP back to v1.28 milestone and changing the status of this enhancement to Tracked :)

/milestone v1.28

[npolshakova]

/remove-label lead-opted-in