CEL for Admission Control

[jpbetz]

Enhancement Description

• One-line enhancement description (can be used as a release note): CEL for Admission Control

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/3488-cel-admission-control

• Discussion Link: https://groups.google.com/g/kubernetes-sig-api-machinery/c/WBVf_oWm4kU

• Primary contact (assignee): cici37

• Responsible SIGs: sig-apimachinery

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.26
  • Beta release target (x.y): 1.28
  • Stable release target (x.y): 1.30

• Alpha

  • KEP (k/enhancements) update PR(s):
    • KEP-3488: CEL Admission Control #3492
    • PRR: KEP-3488: Add PRR and test section for Cel admission control #3554
  • Code (k/k) update PR(s):
    • [KEP-3488]Implement CEL for Admission Control kubernetes#113314
    • Refactor matcher interface kubernetes#113349
    • Add metrics for CEL for admission control KEP kubernetes#112994
    • Add feature gate CelValidatingAdmission kubernetes#112792
    • split and move CEL package kubernetes#112926
    • CEL Admission Plugin kubernetes#112858
  • Docs (k/website) update PR(s):
    • Documentation for CEL in Admission Control website#37770
    • [WIP]Feature blog place holder PR for CEL in Admission Control website#37683

• Alpha2(in 1.27)

  • KEP (k/enhancements) update PR(s):
    • KEP-3488: CEL admission: Add graceful rollout, warning and audit support #3732
    • KEP-3488: Add information on expression composition #3669
    • KEP-3488: add spec for supporting custom match criteria #3697
    • KEP-3488: Add proposed design for secondary authz via CEL validation policies. #3812
    • KEP-3488: Adjust for inclusion of string.format in CEL #3736
  • Code (k/k) update PR(s):
    • OpenAPI-based CEL type library kubernetes#113312
    • refactor validatingadmissionpolicy cel validator and compiler to be reusable kubernetes#115816
    • KEP-3488: Implement secondary authz for ValidatingAdmissionPolicy kubernetes#116054
    • Apply cost constraints to ValidatingAdmissionPolicy kubernetes#115747
    • KEP-3488: Implement Enforcement Actions and Audit Annotations kubernetes#115973
    • Apply context cancellation to ValidatingAdmissionPolicy kubernetes#116103
    • MessageExpression for ValidatingAdmissionPolicy kubernetes#116397
    • Type System for ValidatingAdmissionPolicy kubernetes#115668
    • Custom match criteria kubernetes#116350
  • Docs (k/website) update(s):
    • KEP-3488 ValidatingAdmissionPolicy post-1.27 update website#40054
    • KEP-3488 ValidatingAdmissionPolicy: MatchConditions website#40200
    • Documentation for messageExpression update to KEP-2876 website#40019
    • AdmissionWebhookMatchConditions feature documentation website#40058
    • KEP-3488 ValidatingAdmissionPolicy: Enforcement actions, audit annotations, and secondary authz website#40098

• Beta

  • KEP (k/enhancements) update PR(s): KEP-3488: promote validatingadmissionpolicy to beta #3949
  • Code (k/k) update PR(s):
    • Controlled rollout of CEL libraries and language feautres kubernetes#116779
    • Bump cel go to latest version kubernetes#118339
    • add support for authorizer to type checking. kubernetes#118540
    • ValidatingAdmissionPolicy: expended type checking to messageExpression kubernetes#119209
    • Cache authz decisions within the scope of validating policy admission. kubernetes#116443
    • ValidatingAdmissionPolicy controller for Type Checking kubernetes#117377
    • ValidatingAdmissionPolicy: Variable Composition kubernetes#118642
    • Add quantity library to CEL kubernetes#118803
    • ValidatingAdmissionPolicy: support namespace access kubernetes#118267
    • CEL lib: Expose errors on authz decisions instead of raising them from check() kubernetes#118804
    • KEP-3488: Per namespace policy params kubernetes#119215
    • KEP-3488: Promote ValidatingAdmissionPolicy to Beta kubernetes#118644
  • Docs (k/website) update(s): [WIP] Update docs around CEL for Admission Control website#42042

• Stable

  • KEP (k/enhancements) update PR(s): [KEP-3488]Promote ValidatingAdmissionPolicy to GA #4225
  • Code (k/k) update PR(s):
    • ValidatingAdmissionPolicy: exclude brink-able resources. kubernetes#123543
    • [KEP-3488]Promote ValidatingAdmissionPolicy to GA kubernetes#123405
  • Docs (k/website) update(s): [KEP-3488]Promoting ValidatingAdmissionPolicy to GA website#45249

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[jpbetz]

/sig api-machinery

[kikisdeliveryservice]

@jpbetz please provide a Discussion Link. It is required that you "link to SIG mailing list thread, meeting, or recording where the Enhancement was discussed before KEP creation" :)

[logicalhan]

/lead-opted-in

[logicalhan]

/milestone v1.26

[logicalhan]

/lead-opted-in

[logicalhan]

/sig api-machinery