generated from coulomb/repo-seed
43 lines
1.1 KiB
Markdown
43 lines
1.1 KiB
Markdown
# Pattern: Policy-as-Code Admission Control
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: Railiance platform, NetKingdom
|
|
Genesis family: Kubernetes and platform
|
|
|
|
## Problem
|
|
|
|
Unsafe Kubernetes manifests can reach runtime when deployment safety
|
|
depends only on convention or manual review.
|
|
|
|
## Context
|
|
|
|
Use this pattern for CI checks, GitOps flows, admission webhooks,
|
|
namespace guardrails, image trust, pod security, and exception handling.
|
|
|
|
## Forces
|
|
|
|
- Product teams need self-service deployment.
|
|
- Platform teams need enforceable guardrails.
|
|
- Policies must be versioned, reviewable, and tested.
|
|
- Emergency exceptions need expiry and audit.
|
|
|
|
## Solution
|
|
|
|
Encode deployment rules as policy packages evaluated before workloads
|
|
run. Reject or quarantine manifests that violate baseline controls.
|
|
|
|
## Verification
|
|
|
|
- Unsafe manifests fail in CI and at admission.
|
|
- Policy packages have tests and review history.
|
|
- Exceptions carry owner, reason, risk, and expiry.
|
|
- Admission decisions are logged.
|
|
|
|
## Related Patterns
|
|
|
|
- Policy-as-Code Admission.
|
|
- Secure Cluster Baseline.
|
|
- Pod Security Baseline/Restricted.
|
|
- Signed Image Admission.
|