Add blog about CEL admission control library

[craigbox]

This blog post introduces a library of Validating Admission Policies built by converting Kubescape controls from Rego to CEL.

[craigbox]

/assign sftim

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	934feaa
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/64238584ee9c1400084822a4
😎 Deploy Preview	https://deploy-preview-40174--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[craigbox]

/unassign sftim

[sftim]

Hi @craigbox

I'm short on capacity to help with optional work - this article included. If you can pick a new future date and find a SIG API Machinery tech reviewer, we / I should be able to do the actual approve.

We'd like the publication date to be in the future at the date we merge. Try the 5th of April?

[jpbetz]

/lgtm
For technical content. Thanks for the feature feedback and blog post @craigbox!

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 883ec0ef1bf4e52e76357a0cdd2855f36e8373d7

[craigbox]

@sftim / @nate-double-u / @onlydole - when you're ready, please lmk if we can bring the publication date forward, I took a week in the future as suggestion

[sftim]

Thanks!

Enough nits here that I'd welcome a follow-up PR, that we merge in before the publication date.
We can publish this as is; it's nice to leave a more maintainable article in the repo if we can.

/approve
/lgtm

[sftim]

Suggested change

[Kubescape](https://github.com/kubescape/kubescape) is a CNCF project which has become one of the most popular ways for users to improve the security posture of a Kubernetes cluster and validate its compliance. [Its controls](https://github.com/kubescape/regolibrary) — groups of tests against API objects — are built in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the policy language of Open Policy Agent.

[Kubescape](https://github.com/kubescape/kubescape) is a CNCF project which has become one of the most popular ways for users to improve the security posture of a Kubernetes cluster and validate its compliance. Its [controls](https://github.com/kubescape/regolibrary) — groups of tests against API objects — are built in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the policy language of Open Policy Agent.

[sftim]

nit: better to link to a commit and not master (more link a permalink)

[sftim]

Suggested change

	It did not take us long to convert many of our controls and build [a library of validating admission policies.](https://github.com/kubescape/cel-admission-library) Let’s look at one as an example.
	It did not take us long to convert many of our controls and build a [library of validating admission policies](https://github.com/kubescape/cel-admission-library). Let’s look at one as an example.

[sftim]

Suggested change

[Kubescape’s control C-0017](https://hub.armosec.io/docs/c-0017) covers the requirement for containers to have an immutable (read-only) root filesystem. This is a best practice according to the [NSA Kubernetes hardening guidelines](https://kubernetes.io/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#immutable-container-filesystems), but is not currently required as a part of any of the [pod security standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/).

Kubescape’s [control C-0017](https://hub.armosec.io/docs/c-0017) covers the requirement for containers to have an immutable (read-only) root filesystem. This is a best practice according to the [NSA Kubernetes hardening guidelines](/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#immutable-container-filesystems), but is not currently required as a part of any of the [pod security standards](/docs/concepts/security/pod-security-standards/).

[sftim]

nit: can we use a stable link that will work even after these are updated to work with v1.27?

[craigbox]

I don't expect them to change, but I'm happy to update the blog post in future if needed to fix.

[sftim]

We're planning a release next month, that won't work with those manifests.

[craigbox]

I knew there were some changes in this API in 1.27, but I didn't see that any were breaking?
Do you know why these manifests won't work with 1.27?

[sftim]

New API version, IIRC (v1alpha2).

[slashben]

I will update the repository to support v1alpha2. What is the ETA of this blog?

[jiahuif]

The only version remained v1alpha1 in 1.27 because there was no breaking change. See https://github.com/kubernetes/api/blob/v0.27.0-rc.0/admissionregistration/v1alpha1/types.go

[sftim]

Sorry, got my KEPs mixed up.

[sftim]

Please wrap lines at around 100 characters. That wrapping helps localization teams.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/blog/OWNERS [sftim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment