I've been reading about ValidatingAdmissionPolicy (VAP), which has recently become stable in version 1.30. I really like how it eliminates the need to deploy a controller or webhook and to manage certificates and images like we do with Kyverno or other solutions. With VAP, I can just create a policy and have it function with the Kubernetes control plane handling everything without needing any in-cluster resources. However, I'm curious about any potential drawbacks to using VAP since I noticed it's limited to CEL rules, which means it can't perform computations or verify signed images, for instance, or access third-party services for validation. What's the general opinion out there? Has anyone implemented these policies, and can they still handle things like image signing if needed later on? It seems like VAP's simplicity is a main benefit.
2 Answers
Honestly, I see VAPs as the way to go for basic validations due to their performance. They integrate directly with the kube-apiserver and are pretty reliable, whereas webhooks can sometimes fail during upgrades. I’d suggest using VAPs for most of your needs and then just implementing Kyverno for specific cases, like image signing, if those needs come up later.
I think you're on the right track with your concerns about VAP; it really shines in its simplicity. The main challenge is learning CEL for validations, but beyond that, VAPs don’t support complex validations like Kyverno does. So if you’re looking to do more than just YAML validation later on, you might run into some limits with VAP.
Thanks for the recommendation! Are there any specific scenarios where you found VAPs to really outperform Kyverno?