
Policy-driven Kubernetes admission control

Use Cerbos policies to govern what gets deployed to your Kubernetes clusters — validating and mutating admission requests with the same policy engine that secures your application.

Native Kubernetes support

Cerbos speaks Kubernetes's native protocol, no custom glue code required

Unified policies

The same CEL-based policies that govern your application layer extend to your infrastructure

Defense in depth

Authorization at every layer of your stack, managed from a single control plane

How Cerbos works with Kubernetes Admission Control

Kubernetes Admission Control provides a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.

Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to Kubernetes Admission Control, enforced consistently everywhere.

A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.

Unified policy enforcement for your Kubernetes clusters

Kubernetes admission controllers are the gatekeepers of your cluster: every resource creation, modification, and deletion passes through them. Using Cerbos as your admission controller means the same policy engine that governs application-level authorization also governs what runs in your cluster.

How it works

  1. A user or CI pipeline submits a resource (Deployment, Pod, Service, etc.) to the Kubernetes API server.
  2. Kubernetes forwards the admission review to Cerbos via the validating webhook.
  3. Cerbos evaluates your policies against the resource spec, checking labels, images, security contexts, resource limits, namespaces, and any custom attributes.
  4. Kubernetes enforces the decision, admitting or rejecting the resource with a policy-defined message.

Example policies

  • Require all Deployments to carry team and environment labels
  • Restrict container images to approved registries
  • Enforce resource requests and limits on all pods
  • Prevent privileged containers outside of kube-system
  • Require specific annotations for ingress resources
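The flow in "How it works" and the first four example policies above, as an added stand-alone Python illustration of the decision logic a validating webhook returns to the API server. This is not Cerbos code (Cerbos would evaluate equivalent rules from its policies rather than hand-written checks); the approved registry, the required labels and the sample AdmissionReview request are constructed for the example.

```python
APPROVED_REGISTRIES = ("registry.example.com/",)  # constructed for this example
REQUIRED_LABELS = ("team", "environment")

def evaluate(review: dict) -> dict:
    """Check one AdmissionReview request against the example rules above and
    return the AdmissionReview response the API server expects back."""
    req = review["request"]
    obj = req["object"]
    kind = req["kind"]["kind"]
    namespace = req.get("namespace", "default")
    denials = []

    # Rule: Deployments must carry team and environment labels.
    if kind == "Deployment":
        labels = obj.get("metadata", {}).get("labels", {})
        missing = [name for name in REQUIRED_LABELS if name not in labels]
        if missing:
            denials.append("missing required labels: " + ", ".join(missing))
    # The pod spec sits under spec.template for Deployments and at spec for Pods;
    # other kinds carry no containers, so the container rules are skipped.
    if kind == "Deployment":
        pod_spec = obj["spec"]["template"]["spec"]
    else:
        pod_spec = obj["spec"] if kind == "Pod" else {}
    for c in pod_spec.get("containers", []):
        # Rule: images only from approved registries.
        if not c["image"].startswith(APPROVED_REGISTRIES):
            denials.append(f"container {c['name']}: image {c['image']} is not from an approved registry")
        # Rule: resource requests and limits are mandatory.
        res = c.get("resources", {})
        if not res.get("requests") or not res.get("limits"):
            denials.append(f"container {c['name']}: resource requests and limits are required")
        # Rule: privileged containers only in kube-system.
        if c.get("securityContext", {}).get("privileged") and namespace != "kube-system":
            denials.append(f"container {c['name']}: privileged containers are not allowed in {namespace}")

    # allowed is False if any rule failed; the message is what kubectl shows the submitter.
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": not denials,
                         "status": {"message": "; ".join(denials)} if denials else {}}}

# Constructed sample request: a Deployment in namespace "payments" that breaks every rule.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-1", "operation": "CREATE", "namespace": "payments",
        "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
        "object": {"metadata": {"name": "api", "labels": {"team": "payments"}},
                   "spec": {"template": {"spec": {"containers": [{
                       "name": "api", "image": "docker.io/library/nginx:latest",
                       "securityContext": {"privileged": True}}]}}}}}}
```

Calling `evaluate(SAMPLE_REVIEW)` yields a denied response whose message lists all four violations, which is the text the submitter sees when the API server rejects the object.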

One policy engine, every layer

With Cerbos managing both application authorization and cluster admission, your security team gets a single pane of glass for policy authorship, testing, and audit. Policies are versioned in Git, tested in CI, and deployed consistently across your entire infrastructure.

Get started

Cerbos Kubernetes admission control is available as part of Cerbos enterprise. Talk to us to learn more about governing your clusters with Cerbos policies.

FAQ

How does Cerbos work as a Kubernetes admission controller?

Cerbos registers as a ValidatingWebhookConfiguration in your cluster. When resources are created, updated, or deleted, the Kubernetes API server sends admission review requests to Cerbos, which evaluates them against your policies and returns admit or deny decisions.

What kinds of admission rules can I enforce?

Any rule you can express in a Cerbos policy: require specific labels on deployments, restrict container images to approved registries, enforce resource limits, prevent privileged containers, require security contexts, and more. Cerbos CEL conditions give you full access to the admission request object.

How is this different from existing admission controllers like Kyverno or Gatekeeper?

Cerbos provides a unified policy engine across your entire stack. Rather than maintaining separate policy languages for your application and your cluster, you use one policy framework for both. This simplifies governance and reduces the operational burden of managing multiple policy systems.

Cerbos + Kubernetes Admission Control

  • Kubernetes Admission Control delegates authorization to Cerbos via native integration
  • One set of policies enforced across the entire stack
  • Unified audit trail for all authorization decisions
  • Policies managed without code changes or redeployments

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.