
The Path to Self Contained CRDs

2023-04-20

Authors: Cici Huang


Summary

The presentation discusses the use of Common Expression Language (CEL) in Kubernetes to simplify validation and policy enforcement for Custom Resource Definitions (CRDs) and other use cases.
  • CRDs and other use cases need validation and policy enforcement beyond what structural schemas and OpenAPI v3 validation can express
  • Admission webhooks have been the only option for these cases, but they are hard to configure and operate, and a failing webhook can cause control plane outages because the API server cannot admit the requests the webhook intercepts
  • Common Expression Language (CEL) is a simpler alternative that has been integrated with the Kubernetes type system for both CRDs and native types
  • CEL ships with a standard library and a Kubernetes extension library, and it is easy to extend and embed
  • CEL can be used for validation, policy enforcement, and authorization checks
  • The presentation gives examples of CEL rules and use cases, and mentions future plans for mutating admission policy and client-side validation
The presenter notes that using webhooks for validation and policy enforcement has caused a lot of pain and control plane outages, and that CEL offers a simpler and more efficient solution. The presenter also mentions that CEL has been adopted by other policy engines and has received positive feedback from maintainers and users.
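The following manifests are an added illustration of the two CEL features the summary describes, written for this page and not taken from the talk or from Kubernetes itself. The first is a self-contained CRD whose schema carries its own validation rules via x-kubernetes-validations (the feature that reached beta in 1.25). The second is a ValidatingAdmissionPolicy that uses the CEL authorizer variable to gate a field on an RBAC permission. The Widget type, the example.com group, the field names, and the 'paid' virtual subresource permission are all assumptions made up for the example; the admissionregistration.k8s.io/v1 API version for ValidatingAdmissionPolicy is the GA version, which landed after the date of this talk.

```yaml
# Added example, not from the original page. Names and fields are hypothetical.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: widgets.example.com
spec:
  group: example.com
  scope: Namespaced
  names:
    kind: Widget
    plural: widgets
    singular: widget
  versions:
  - name: v1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required: [tier, minReplicas, maxReplicas]
            properties:
              tier:
                type: string
                enum: [free, paid]
              minReplicas:
                type: integer
                minimum: 0
              maxReplicas:
                type: integer
                minimum: 0
              externalEndpoint:
                type: string
                # Bounding the string keeps the CEL cost estimate small.
                maxLength: 253
            x-kubernetes-validations:
            # Cross-field check that OpenAPI alone cannot express.
            - rule: "self.minReplicas <= self.maxReplicas"
              message: "minReplicas must not exceed maxReplicas"
            # Transition rule: referencing oldSelf makes the rule run only
            # on UPDATE, which is how a field is made immutable without a webhook.
            - rule: "self.tier == oldSelf.tier"
              message: "spec.tier is immutable"
            # Optional field: guard with has() before dereferencing it.
            - rule: "!has(self.externalEndpoint) || self.externalEndpoint.startsWith('https://')"
              message: "externalEndpoint must use https"
---
# Cluster-wide policy using the CEL authorizer: only callers allowed to
# 'create' the hypothetical widgets/paid subresource may choose tier=paid.
# That permission is granted purely through RBAC; no such subresource exists.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: widget-paid-tier
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["example.com"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["widgets"]
  validations:
  - expression: >-
      object.spec.tier != 'paid' ||
      authorizer.group('example.com').resource('widgets').subresource('paid')
        .namespace(object.metadata.namespace).check('create').allowed()
    message: "tier=paid requires permission to create widgets/paid in this namespace"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: widget-paid-tier
spec:
  policyName: widget-paid-tier
  validationActions: [Deny]
```

Two practitioner caveats: the API server estimates the cost of every x-kubernetes-validations rule at CRD creation and rejects rules whose worst-case cost exceeds its budget, so fields that rules iterate over or inspect should carry maxItems or maxLength bounds; and because the CEL rules live inside the CRD and policy objects rather than in a webhook binary, a failure mode like a crashed webhook cannot take the admission path down, but the same RBAC that governs who can write CRDs and ValidatingAdmissionPolicy objects now governs who can change the rules themselves.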

Abstract

CRDs are great! Until they're not. Need an advanced validation rule? You're going to need an admission webhook for that. Oh, and if you want to do multi-version CRDs, good luck, there's another special type of webhook just for that! Once you start using webhooks, your CRD must be bundled with a binary containing all the webhooks plus webhook configuration resources to activate the webhooks. Things get complicated fast. What if we could make all that go away? Imagine if somehow this could all be done declaratively in a single, self-contained CRD? Using the CEL expression language in Kubernetes, we added advanced CRD validation rules (Beta in Kubernetes 1.25) and have plans for additional enhancements. Learn about the future of CRDs from a SIG API Machinery contributor who helped introduce CEL to Kubernetes. Can CRDs really be made entirely self-contained? What does this mean for extension authors or cluster administrators? Is CEL sufficiently powerful to eliminate the need for webhooks? What features are available now and when are the rest planned?

Materials: