Making our APIs more user friendly - Using OPA as a general webhook for CRDs
2020-03-28, 14:45–15:15, Room 1

Custom Resource Definitions (CRDs) are the future of the Kubernetes API. Not only do external so-called “operators” use CRDs; going forward, more and more “native” functionality is being built with CRDs and custom controllers, making Kubernetes more modular.

As the CRD concept matures, SIG API Machinery is adding useful features such as validation, defaulting and structural schemas. However, in more complex extensions with multiple CRDs and multiple controllers, for example the Cluster API, we run into validation and defaulting use cases that currently can only be modeled with validating and mutating webhooks.

This talk will discuss advanced use cases for CRD validation and defaulting. The speaker will make the case for using Open Policy Agent for these use cases and show how this reasoning plays out in a demo.


This talk is the continuation of my lightning talk from KubeCon San Diego, with further-developed use cases and actual working code in a demo.

As more and more people use CRDs and custom controllers, and the systems we build with them become more complex, we need more sophisticated validation and defaulting.

From an API machinery standpoint, it does not make sense to build much custom functionality into the main code. However, we can extend the functionality using webhooks. For now, the projects that run into such use cases build their own validating and defaulting admission controllers.

Open Policy Agent (OPA), in comparison, lets projects write less code and rely on a common agent. By writing Rego and packaging it together with the CRD(s) and controller(s), we get fully reusable extension packages that can run in any Kubernetes cluster. Now that OPA is set to replace PodSecurityPolicy (PSP) for security, making it a quasi-default add-on, reusing that central component makes even more sense.
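As an added illustration (not the talk's or Giant Swarm's code), this is a validating admission policy in the plain OPA (kube-mgmt style) `kubernetes.admission` package for a hypothetical CRD; the group `example.io`, the kind `Cluster` and the fields `spec.release`, `spec.availabilityZones` and `spec.controlPlane.availabilityZones` are constructed placeholders. The third rule is the kind of cross-field check that an OpenAPI schema on the CRD cannot express and that otherwise needs a hand-written webhook.

```rego
# Constructed example policy; group, kind and field names are placeholders.
package kubernetes.admission

import rego.v1

# The AdmissionReview sent by the API server is available as `input`.
obj := input.request.object

# Only evaluate create/update of the CRD we care about; everything else is allowed.
is_target if {
	input.request.kind.group == "example.io"
	input.request.kind.kind == "Cluster"
	input.request.operation in {"CREATE", "UPDATE"}
}

# Rule 1: a required field must be present.
deny contains msg if {
	is_target
	not obj.spec.release
	msg := "spec.release is required"
}

# Rule 2: when present, the field must have the expected format (semver here).
deny contains msg if {
	is_target
	release := obj.spec.release
	not regex.match(`^\d+\.\d+\.\d+$`, release)
	msg := sprintf("spec.release %q is not a semantic version", [release])
}

# Rule 3: cross-field constraint: every control-plane AZ must also be listed
# in spec.availabilityZones (also fires when that list is missing entirely).
deny contains msg if {
	is_target
	some az in obj.spec.controlPlane.availabilityZones
	not az in obj.spec.availabilityZones
	msg := sprintf("control plane AZ %q is not in spec.availabilityZones", [az])
}
```

With kube-mgmt's main policy, a non-empty `deny` set becomes an AdmissionReview response with `allowed: false` and the messages joined into the status; under Gatekeeper the same logic would live in a ConstraintTemplate's `violation` rule instead.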

The examples shown in this talk come from real use cases at Giant Swarm, where we run Kubernetes-based multi-cluster control planes with 20+ CRDs and 8+ operators that work together as a complex distributed system.

The talk aims to show attendees how easy it is to use OPA/Gatekeeper for this, to motivate developers to adopt this pattern, and to encourage them to share their own use cases and experiences around validation and defaulting of CRDs.