From 334ea620bdc9c35acec4ecde34326b742b429885 Mon Sep 17 00:00:00 2001 From: Brad McCoy Date: Mon, 7 Aug 2023 12:19:36 +1000 Subject: [PATCH] Update content/en/blog/_posts/2023-08-04-kubernetes-1.28-blog.md Co-authored-by: Tim Bannister --- content/en/blog/_posts/2023-08-04-kubernetes-1.28-blog.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/content/en/blog/_posts/2023-08-04-kubernetes-1.28-blog.md b/content/en/blog/_posts/2023-08-04-kubernetes-1.28-blog.md index 015518be82..dd9440ddbf 100644 --- a/content/en/blog/_posts/2023-08-04-kubernetes-1.28-blog.md +++ b/content/en/blog/_posts/2023-08-04-kubernetes-1.28-blog.md @@ -45,9 +45,12 @@ This will lower the infrastructure barrier to enforcing customizable policies as ## Match conditions for admission webhooks -Introduce CEL expression filters to webhooks, to allow webhooks to be scoped more narrowly. +Kubernetes v1.27 lets you specify _match conditions_ for admission webhooks, +which lets you narrow the scope of when Kubernetes makes a remote HTTP call at admission time. +The `matchCondition` field for ValidatingWebhookConfiguration and MutatingWebhookConfiguration +is a CEL expression that must evaluate to true for the admission request to be sent to the webhook. -This adds "match conditions" to admission webhooks, as an extension to the existing rules to define the scope of a webhook. A matchCondition is a CEL expression that must evaluate to true for the admission request to be sent to the webhook. If a matchCondition evaluates to false, the webhook is skipped for that request (implicitly allowed). +In Kubernetes v1.28, that field moved to beta, and it's enabled by default. ValidatingAdmissionPolicy is an exciting new feature that we hope will greatly reduce the need for admission webhooks, but it is intentionally not attempting to cover every possible use case. This proposal aims to improve the situation for those webhooks that cannot be migrated.
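Review bot: The rewritten paragraph under "Match conditions for admission webhooks" drops the removed sentence saying that a webhook is skipped, and the request implicitly allowed, when a matchCondition evaluates to false. That is the behaviour a reader most needs when narrowing the scope of a policy-enforcing webhook, so please keep a sentence such as "If a match condition evaluates to false, the webhook is skipped for that request (implicitly allowed)." In the same added lines the field is written as `matchCondition`, but the API field on each webhook entry is `matchConditions`, a list of named CEL expressions, so "is a CEL expression that must evaluate to true" should become "is a list of CEL expressions that must all evaluate to true". Smaller wording points: the first added sentence repeats "lets you ... which lets you", and "that field moved to beta" would read better as the feature moving to beta.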