Pattern: Policy-as-Code Admission Control

Status: seed
Readiness target: RL3 production
Primary owners: Railiance platform, NetKingdom Genesis
Family: Kubernetes and platform

Problem

Unsafe Kubernetes manifests can reach runtime when deployment safety depends only on convention or manual review.

Context

Use this pattern for CI checks, GitOps flows, admission webhooks, namespace guardrails, image trust, pod security, and exception handling.

Forces

  • Product teams need self-service deployment.
  • Platform teams need enforceable guardrails.
  • Policies must be versioned, reviewable, and tested.
  • Emergency exceptions need expiry and audit.

Solution

Encode deployment rules as policy packages evaluated before workloads run. Reject or quarantine manifests that violate baseline controls.
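The following is an added example, not code from the pattern catalogue or from the owning platform teams. It shows the solution above in the smallest working form: a policy package (four baseline checks) evaluated over parsed Kubernetes manifests, with the same function usable from a CI step and from an admission webhook, and emergency exceptions that are only honoured while they carry an owner, reason, risk and an unexpired date, as the Forces section requires. Manifests are embedded as already-parsed dicts so it runs offline; the registry prefix, namespaces, names and dates are constructed values.

```python
"""Added example: a minimal policy-as-code evaluator for Kubernetes manifests."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Any

# Constructed value: the only registry this cluster is allowed to pull from.
TRUSTED_REGISTRIES = ("registry.internal.example/",)


@dataclass(frozen=True)
class Violation:
    policy: str
    message: str


@dataclass(frozen=True)
class PolicyException:
    """Emergency exception: every field is mandatory and it expires on a date."""
    policy: str
    namespace: str
    owner: str
    reason: str
    risk: str
    expires: date

    def is_valid(self, today: date) -> bool:
        return all([self.owner, self.reason, self.risk]) and today <= self.expires


def _pod_spec(manifest: dict[str, Any]) -> dict[str, Any]:
    # A Pod carries the pod spec directly; Deployments and Jobs wrap it in a template.
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def _containers(manifest: dict[str, Any]) -> list[dict[str, Any]]:
    spec = _pod_spec(manifest)
    return spec.get("containers", []) + spec.get("initContainers", [])


def no_privileged(manifest: dict[str, Any]) -> list[Violation]:
    return [Violation("no-privileged", f"container {c['name']} is privileged")
            for c in _containers(manifest)
            if c.get("securityContext", {}).get("privileged") is True]


def run_as_non_root(manifest: dict[str, Any]) -> list[Violation]:
    pod_ctx = _pod_spec(manifest).get("securityContext", {})
    out = []
    for c in _containers(manifest):
        # A container-level setting overrides the pod-level one, as in Kubernetes itself.
        value = c.get("securityContext", {}).get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        if value is not True:
            out.append(Violation("run-as-non-root", f"container {c['name']} does not set runAsNonRoot: true"))
    return out


def trusted_registry(manifest: dict[str, Any]) -> list[Violation]:
    return [Violation("trusted-registry", f"image {c.get('image', '')!r} is not from a trusted registry")
            for c in _containers(manifest)
            if not c.get("image", "").startswith(TRUSTED_REGISTRIES)]


def resource_limits(manifest: dict[str, Any]) -> list[Violation]:
    out = []
    for c in _containers(manifest):
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            out.append(Violation("resource-limits", f"container {c['name']} lacks cpu/memory limits"))
    return out


# The policy package: versioned and reviewed like any other code.
POLICY_PACKAGE = (no_privileged, run_as_non_root, trusted_registry, resource_limits)


def evaluate(manifest: dict[str, Any], exceptions: list[PolicyException], today: date) -> dict[str, Any]:
    """Evaluate one manifest and return an auditable decision record (same call for CI and admission)."""
    meta = manifest.get("metadata", {})
    ns = meta.get("namespace", "default")
    violations = [v for policy in POLICY_PACKAGE for v in policy(manifest)]
    # Only unexpired, fully documented exceptions scoped to this namespace waive a policy.
    active = {e.policy for e in exceptions if e.namespace == ns and e.is_valid(today)}
    blocking = [v for v in violations if v.policy not in active]
    waived = [v for v in violations if v.policy in active]
    return {
        "allowed": not blocking,
        "namespace": ns,
        "name": meta.get("name"),
        "violations": [f"{v.policy}: {v.message}" for v in blocking],
        "waived": [f"{v.policy}: {v.message}" for v in waived],
    }


# Constructed sample manifests, already parsed from YAML into dicts.
GOOD = {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
        "spec": {"template": {"spec": {
            "securityContext": {"runAsNonRoot": True},
            "containers": [{"name": "api", "image": "registry.internal.example/shop/api:1.4.2",
                            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
BAD = {"kind": "Pod", "metadata": {"name": "debug", "namespace": "batch"},
       "spec": {"containers": [{"name": "shell", "image": "docker.io/library/busybox:latest",
                                "securityContext": {"privileged": True}}]}}
LIMITLESS = {"kind": "Job", "metadata": {"name": "nightly", "namespace": "batch"},
             "spec": {"template": {"spec": {
                 "securityContext": {"runAsNonRoot": True},
                 "containers": [{"name": "job", "image": "registry.internal.example/batch/nightly:7"}]}}}}
# Constructed exception: waives only resource limits, only in "batch", only until the expiry date.
LIMITS_WAIVER = PolicyException("resource-limits", "batch", owner="team-batch", reason="INC-0000 placeholder",
                                risk="medium", expires=date(2025, 6, 30))

if __name__ == "__main__":
    for m in (GOOD, BAD, LIMITLESS):
        print(evaluate(m, [LIMITS_WAIVER], date(2025, 6, 1)))  # the decision record is what gets logged
```

The decision record is the audit artefact: log it as-is from the webhook and from the CI step so the two enforcement points can be compared. Because an exception is keyed on policy and namespace and checked against today's date on every evaluation, a waiver stops working the day it expires without anyone having to remove it.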

Verification

  • Unsafe manifests fail in CI and at admission.
  • Policy packages have tests and review history.
  • Exceptions carry owner, reason, risk, and expiry.
  • Admission decisions are logged.

Related patterns

  • Policy-as-Code Admission
  • Secure Cluster Baseline
  • Pod Security Baseline/Restricted
  • Signed Image Admission