Version: 8.0.0 (latest)

Validating Admission Policy

Kasten introduces support for Kubernetes ValidatingAdmissionPolicies (VAP) to deliver more robust user permission controls and secure data operations across clusters. This new feature helps minimize administrative overhead, empowers namespace and application owners, and maintains strict compliance with organizational standards. The result is a more secure, flexible, and efficient workflow that aligns with modern Kubernetes best practices. For more details, visit the Kubernetes VAP documentation.

By implementing VAP, Kasten enables namespace owners and application-scoped users to securely manage critical workflows such as disaster recovery (DR), development/testing, and general data migrations. VAPs are configurable using the Helm values under the vap section of the Kasten Helm Chart.

Validating admission policies use Common Expression Language (CEL) to declare the validation rules of a policy.

Common Expression Language (CEL)

Each spec.validations[i].expression in a VAP is a CEL expression that the API server evaluates against the incoming admission request (the object being created or updated, and the identity of the user making the request). If any expression evaluates to false, the request is rejected. For more details on CEL syntax, refer to the Kubernetes documentation on Validation Expressions.

Prerequisites and Restrictions

Kubernetes 1.31: full GA support for VAP without additional configuration.

Kasten VAPs

Warning: It is not recommended to modify the existing CEL rules in the VAPs installed by Kasten. Modifying the rules changes the security posture of Kasten.

Kasten Policy Permissions VAP

The kasten.policy.permissions VAP evaluates the permissions of a non-admin user when that user creates a Kasten policy. A policy can reference resources (location profiles, blueprints, transform sets) and can restore data into namespaces, so without this check a user could use a policy to reach data or resources they are not authorized to access directly. The VAP closes that gap and maintains a consistent level of security compliance across all Kasten-driven data operations.

The kasten.policy.permissions.binding VAP binding narrows the scope of the VAP to policies created by non-admin users in namespaces other than kasten-io.

To enable installation of the VAP and VAP binding, set the vap.kastenPolicyPermissions.enabled value in the Kasten Helm chart to true.

The VAP ensures that the following requirements are met for any policy created by such a user:

  1. The user has access to every Kasten resource (blueprints, location profiles, transform sets, and so on) referenced in the policy.
  2. The policy has no in-line transforms.
  3. An Import and Restore policy restores only into the application namespace in which the policy itself is created.
  4. An Import and Restore policy does not set the flag to restore cluster-scoped resources.
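The following is an added, illustrative VAP and binding that models the four requirements above and the scoping described for the binding. It is not the kasten.policy.permissions policy that the Kasten Helm chart installs (use the kubectl describe commands on this page to see that one). The Kasten Policy field names it inspects (spec.actions[].action, restoreParameters.transforms, restoreParameters.targetNamespace, restoreParameters.restoreClusterResources, restoreParameters.transformSetRefs) and the transformsets resource name are assumptions made for the example; the VAP mechanics (matchConstraints, matchConditions, variables, the authorizer variable, and the binding's namespaceSelector) are standard Kubernetes features.

```yaml
# Added example: an illustrative VAP, not the policy shipped by Kasten.
# Field names under spec.actions[] are ASSUMED for this example.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: example.policy.permissions
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["config.kio.kasten.io"]
        apiVersions: ["v1alpha1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["policies"]
  # Only evaluate for non-admin users; members of system:masters are exempt.
  matchConditions:
    - name: exclude-cluster-admins
      expression: '!("system:masters" in request.userInfo.groups)'
  variables:
    # Reusable list of the restore actions in the policy being admitted.
    - name: restoreActions
      expression: 'object.spec.actions.filter(a, a.action == "restore")'
  validations:
    # Requirement 2: no in-line transforms.
    - expression: >-
        variables.restoreActions.all(a,
          !has(a.restoreParameters) ||
          !has(a.restoreParameters.transforms) ||
          size(a.restoreParameters.transforms) == 0)
      message: "in-line transforms are not permitted; reference a TransformSet instead"
    # Requirement 3: restore only into the namespace the policy lives in.
    - expression: >-
        variables.restoreActions.all(a,
          !has(a.restoreParameters) ||
          !has(a.restoreParameters.targetNamespace) ||
          a.restoreParameters.targetNamespace == object.metadata.namespace)
      message: "restores must target the policy's own namespace"
    # Requirement 4: never restore cluster-scoped resources.
    - expression: >-
        variables.restoreActions.all(a,
          !has(a.restoreParameters) ||
          !has(a.restoreParameters.restoreClusterResources) ||
          a.restoreParameters.restoreClusterResources == false)
      message: "restoreClusterResources must not be set"
    # Requirement 1, shown for one referenced resource kind: the requesting
    # user must be able to read every TransformSet the policy references.
    # The authorizer variable runs the RBAC check as the requesting user,
    # so a user cannot reference a resource they could not read directly.
    - expression: >-
        variables.restoreActions.all(a,
          !has(a.restoreParameters) ||
          !has(a.restoreParameters.transformSetRefs) ||
          a.restoreParameters.transformSetRefs.all(r,
            authorizer.group("config.kio.kasten.io")
                      .resource("transformsets")
                      .namespace(r.namespace)
                      .name(r.name)
                      .check("get").allowed()))
      message: "the requesting user cannot read a TransformSet referenced by this policy"
---
# The binding turns the policy on and narrows it to policies created
# outside the kasten-io namespace, mirroring the scoping described above.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: example.policy.permissions.binding
spec:
  policyName: example.policy.permissions
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kasten-io"]
```

Two design points worth noting. The user-identity check belongs in matchConditions rather than in a validation, so admin requests are skipped entirely instead of being evaluated and then allowed. The referenced-resource check uses the authorizer variable rather than a hard-coded allow list, which means it follows RBAC automatically: granting or revoking a user's read access to a TransformSet immediately changes what policies that user can create, with no change to the VAP itself.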

For more information on Import and Restore application-scoped policies created by non-admin users, refer to the Imports section under Application-Scoped Policies.

To view the complete set of CEL expressions in the VAP and the referenced resources that they protect, admin users can run the following command:

kubectl describe validatingadmissionpolicy kasten.policy.permissions

Similarly, to view the logic for the VAP binding, run the following command:

kubectl describe validatingadmissionpolicybinding kasten.policy.permissions.binding