Kubernetes v1.36: 7 Essential Insights Into Manifest-Based Admission Control

1. The Admission Policy Bootstrap Dilemma

Rolling out security policies across multiple Kubernetes clusters often hits a frustrating snag. Admission policies, being API objects, only exist after creation—leaving a gap during cluster bootstrap. Before the first policy is applied, workloads can sneak in without validation. Worse, anyone with sufficient permissions can delete these policies post-creation, leaving clusters unprotected. This classic chicken-and-egg problem has long plagued cluster operators.

2. Why Bootstrap Windows Are Risky

When a cluster starts, the API server begins serving requests immediately, but admission policies aren't active until someone creates them. This vulnerability window is especially dangerous during disaster recovery from an etcd failure or when restoring from backup. Policies that block insecure container images, enforce network restrictions, or require encrypted volumes are simply absent. Even temporary exposure can allow malicious workloads to deploy before guardrails are reestablished.

3. The Self-Protection Blind Spot

Admission webhooks and validation policies cannot intercept operations on their own configuration resources. Kubernetes deliberately skips invoking webhooks on types like ValidatingWebhookConfiguration to avoid circular dependencies. This design means a privileged user can delete critical admission policies without triggering any admission checks. There's no built-in way to lock them down—until now.

4. Manifest-Based Admission Control: The Game Changer

Kubernetes v1.36 introduces an alpha feature that sidesteps these limitations: manifest-based admission control. Instead of relying solely on API-created objects, you can define webhooks and CEL-based policies as YAML files stored on disk. The API server loads these static manifests at startup, before serving any requests. This ensures policies are active from the first moment the cluster becomes operational, and they cannot be deleted via the API.

5. How to Configure Static Policies

Setting up static admission manifests requires only a few steps. Add a staticManifestsDir field to the AdmissionConfiguration file—the same one you pass to the API server via --admission-control-config-file. Point this field to a directory containing your policy YAMLs. A simple configuration looks like:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionPolicy
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: ValidatingAdmissionPolicyConfiguration
    staticManifestsDir: "/etc/kubernetes/admission/validating-policies/"

The API server automatically loads all valid policy YAMLs from that directory before accepting any user requests.

6. The Reserved Naming Suffix: .static.k8s.io

To prevent collisions with API-created policies and ensure clear identification, all static manifest objects must have names ending in .static.k8s.io. This reserved suffix makes it trivial to trace admission decisions back to their source in audit logs and metrics. It also eliminates confusion when both static and dynamic policies exist.

7. A Practical Example: Denying Privileged Pods Outside kube-system

Consider a policy that denies privileged pods in namespaces other than kube-system. The static manifest YAML for this looks like:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "deny-privileged.static.k8s.io"
  annotations:
    kubernetes.io/description: "Deny launching privileged pods, anywhere this policy is applied"

This policy, once placed in the configured directory, becomes immutable from the API. No one—not even cluster admins—can delete it through kubectl or the dashboard. It remains active as long as the API server runs, closing both the bootstrap and self-protection gaps.

In summary, manifest-based admission control in Kubernetes v1.36 finally gives operators a reliable way to enforce critical policies that cannot be circumvented. By loading policies from disk at startup, the feature eliminates the bootstrap vulnerability and prevents privileged users from deleting essential guardrails. As this alpha feature matures, it promises to become the standard for securing production clusters.