ValidatingAdmissionPolicy migration
Starting from Kubernetes v1.26, the ValidatingAdmissionPolicy provides a way to write custom admission policies in Kubernetes. The policies are written with the Common Expression Language (CEL), extended with some Kubernetes-specific extensions. ValidatingAdmissionPolicy reached stability in Kubernetes v1.30.
Kubewarden provides a CEL policy that is capable of running Kubernetes VAP policies without any modifications. You can read more about the CEL policy in this section of Kubewarden's documentation. This paragraph explains the benefits of running VAP policies using Kubewarden.
This howto explains how the kwctl
tool can be used to migrate a VAP policy to Kubewarden.
Migration steps​
You must use kwctl
version 1.14.0 or later to follow this guide.
Given a file containing this YAML definition of a ValidatingAdmissionPolicy
:
ValidatingAdmissionPolicy
definition
And a file containing the ValidatingAdmissionPolicyBinding
resource:
ValidatingAdmissionPolicyBinding
definition
You can migrate the policy to Kubewarden by following these steps:
kwctl
command for policy migration
The command produces output similar to this: