Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-policy-as-code-admission-control.md

43 lines
1.1 KiB
Markdown

# Pattern: Policy-as-Code Admission Control
Status: seed
Readiness target: RL3 production
Primary owners: Railiance platform, NetKingdom
Genesis family: Kubernetes and platform
## Problem
Unsafe Kubernetes manifests can reach runtime when deployment safety
depends only on convention or manual review.
## Context
Use this pattern for CI checks, GitOps flows, admission webhooks,
namespace guardrails, image trust, pod security, and exception handling.
## Forces
- Product teams need self-service deployment.
- Platform teams need enforceable guardrails.
- Policies must be versioned, reviewable, and tested.
- Emergency exceptions need expiry and audit.
## Solution
Encode deployment rules as policy packages evaluated before workloads
run. Reject or quarantine manifests that violate baseline controls.
## Verification
- Unsafe manifests fail in CI and at admission.
- Policy packages have tests and review history.
- Exceptions carry owner, reason, risk, and expiry.
- Admission decisions are logged.
## Related Patterns
- Policy-as-Code Admission.
- Secure Cluster Baseline.
- Pod Security Baseline/Restricted.
- Signed Image Admission.