Kubernetes v1.36: Admission Policies That Can't Be Deleted
Kubernetes' manifest-based admission control, introduced in v1.36, addresses security policy enforcement gaps during cluster bootstrap. Existing API-based admission control has vulnerabilities: policies are API objects and can be removed, creating a security window. This new feature allows defining admission webhooks and CEL-based policies as files loaded by the API server at startup. This ensures policies are active before any requests are served, protecting against unauthorized modifications. It uses a staticManifestsDir field in the AdmissionConfiguration file to specify a directory containing policy YAML files. These files must have names ending in .static.k8s.io to distinguish them from API-based configurations. The feature can protect the admission configurations themselves from deletion or modification. Changes to the manifest files are automatically updated at runtime. The API server enforces strict validation during startup and handles runtime updates atomically. To implement it, you'll need to enable the ManifestBasedAdmissionControlConfig feature gate.
staticManifestsDirfield in the AdmissionConfiguration file to specify a directory containing policy YAML files. These files must have names ending in.static.k8s.ioto distinguish them from API-based configurations. The feature can protect the admission configurations themselves from deletion or modification. Changes to the manifest files are automatically updated at runtime. The API server enforces strict validation during startup and handles runtime updates atomically. To implement it, you'll need to enable the ManifestBasedAdmissionControlConfig feature gate.