Kubernetes 1.36 Debuts Immutable Admission Policies: No More Deletion by Privileged Users

Kubernetes v1.36 introduces a ground-breaking alpha feature that ends the long-standing vulnerability of admission policies being deleted or bypassed during cluster bootstrap. The new manifest-based admission control loads policies directly from disk before the API server starts serving requests, making them effectively immutable and always active.

"This closes a gap we've been trying to fix for years," said a Kubernetes SIG API Machinery spokesperson. "These policies are always on, full stop."

The Gap We’re Closing

Traditional Kubernetes policy enforcement relies on creating API objects like ValidatingAdmissionPolicy or webhook configurations. This works in steady state but leaves a window of vulnerability during cluster bootstrap or recovery from backup, when policies are not yet created.

Moreover, admission controllers cannot intercept operations on their own configuration resources — a problem known as self-protection. A user with sufficient permissions can delete critical admission policies without any check, because Kubernetes skips webhook invocation for types like ValidatingWebhookConfiguration to avoid circular dependencies.

"We needed a way to say, 'these policies are always on, full stop,'" the spokesperson added.

How It Works

To use the feature, administrators add a staticManifestsDir field to the ValidatingAdmissionPolicy plugin's configuration inside the AdmissionConfiguration file passed to the API server via --admission-control-config-file. Point it at a directory containing YAML files of standard Kubernetes policy resources.

The only requirement is that all objects in these manifests have names ending in .static.k8s.io. This reserved suffix prevents collisions with API-based configurations and makes it easy to trace admission decisions in logs and metrics.

Here is the AdmissionConfiguration for a complete example that denies privileged containers outside kube-system:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionPolicy
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: ValidatingAdmissionPolicyConfiguration
    staticManifestsDir: "/etc/kubernetes/admission/validating-policies/"

And the corresponding policy manifest:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "deny-privileged.static.k8s.io"
  annotations:
    kubernetes.io/description: "Deny launching privileged pods, anywhere this policy is applied"
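Because the API server will not let an object with the wrong name into the static set, it pays to check the directory before restarting control-plane nodes. The following preflight script is an added example, not code from the Kubernetes project or this article: it walks a manifests directory and reports every object whose name lacks the reserved .static.k8s.io suffix, every object of a kind the static loader would not expect, and every ValidatingAdmissionPolicyBinding whose policyName does not point at a policy in the same directory. The sample manifests are constructed here and stored as JSON so the script runs with the standard library only; that JSON is accepted alongside YAML by the static loader, and that bindings live in the same directory as policies, are both assumptions of this example rather than statements from the article. The constructed binding scopes the policy to namespaces other than kube-system with a namespaceSelector, which is one way to express the "outside kube-system" scope the article describes.

```python
"""Preflight check for a Kubernetes static admission manifests directory.

Added example, not Kubernetes project code. It assumes the static loader
handles ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding
objects and that JSON manifests are accepted as they are elsewhere.
"""
import json
import os
import tempfile

RESERVED_SUFFIX = ".static.k8s.io"
# Assumption: the static loader handles policies and their bindings.
STATIC_KINDS = {"ValidatingAdmissionPolicy", "ValidatingAdmissionPolicyBinding"}

# Constructed sample manifests (JSON so the check needs only the stdlib).
SAMPLE_MANIFESTS = {
    "deny-privileged.json": {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "ValidatingAdmissionPolicy",
        "metadata": {"name": "deny-privileged.static.k8s.io"},
        "spec": {
            "failurePolicy": "Fail",
            "matchConstraints": {"resourceRules": [{
                "apiGroups": [""], "apiVersions": ["v1"],
                "operations": ["CREATE", "UPDATE"], "resources": ["pods"]}]},
            "validations": [{
                "expression": "object.spec.containers.all(c, !has(c.securityContext) "
                              "|| !has(c.securityContext.privileged) "
                              "|| !c.securityContext.privileged)",
                "message": "privileged containers are not allowed"}],
        },
    },
    "deny-privileged-binding.json": {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "ValidatingAdmissionPolicyBinding",
        "metadata": {"name": "deny-privileged-binding.static.k8s.io"},
        "spec": {
            "policyName": "deny-privileged.static.k8s.io",
            "validationActions": ["Deny"],
            # Exclude kube-system by namespace label; everything else is covered.
            "matchResources": {"namespaceSelector": {"matchExpressions": [{
                "key": "kubernetes.io/metadata.name", "operator": "NotIn",
                "values": ["kube-system"]}]}},
        },
    },
    # Deliberately wrong: no reserved suffix, and it points at a non-static policy.
    "bad-binding.json": {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "ValidatingAdmissionPolicyBinding",
        "metadata": {"name": "bad-binding"},
        "spec": {"policyName": "some-api-policy", "validationActions": ["Deny"]},
    },
}


def load_objects(directory):
    """Return (filename, object) pairs for every JSON manifest in directory."""
    objects = []
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".json"):
            continue
        with open(os.path.join(directory, fname), encoding="utf-8") as fh:
            doc = json.load(fh)
        docs = doc["items"] if doc.get("kind") == "List" else [doc]
        objects.extend((fname, d) for d in docs)
    return objects


def check_static_manifests(directory):
    """Return human-readable violations; an empty list means the directory is clean."""
    problems = []
    objects = load_objects(directory)
    static_policy_names = {
        obj["metadata"]["name"] for _, obj in objects
        if obj.get("kind") == "ValidatingAdmissionPolicy"
    }
    for fname, obj in objects:
        kind = obj.get("kind", "<missing>")
        name = obj.get("metadata", {}).get("name", "")
        if kind not in STATIC_KINDS:
            problems.append(f"{fname}: kind {kind} is not a static admission kind")
        if not name.endswith(RESERVED_SUFFIX):
            problems.append(f"{fname}: name {name!r} lacks the {RESERVED_SUFFIX} suffix")
        if kind == "ValidatingAdmissionPolicyBinding":
            target = obj.get("spec", {}).get("policyName", "")
            if target not in static_policy_names:
                problems.append(f"{fname}: binding references {target!r}, "
                                "which is not a static policy in this directory")
    return problems


def write_samples(directory):
    """Write the constructed sample manifests into directory."""
    for fname, obj in SAMPLE_MANIFESTS.items():
        with open(os.path.join(directory, fname), "w", encoding="utf-8") as fh:
            json.dump(obj, fh)


def demo():
    """Materialise the samples in a temp dir and return the problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return check_static_manifests(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against the real directory named in staticManifestsDir, an empty result is the condition to look for before enabling the gate with --feature-gates=AdmissionPolicyFileBased=true on the API server; the two findings reported for bad-binding.json show the kind of mistake the suffix rule is there to surface.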

Background

Kubernetes admission policies have always been API objects — created, updated, and deleted like any other resource. This design created a fundamental chicken-and-egg problem: policies don't exist until someone creates them, and they can be removed by anyone with the right permissions.

During cluster bootstrap or etcd recovery, there was always a window where no policies were active. And even in steady state, a privileged user could delete the very policies that were supposed to guard the cluster.

This is the second major effort by SIG API Machinery to harden admission control. The first was ValidatingAdmissionPolicy, which allowed CEL-based policies without webhooks. Now, with manifest-based admission control, those policies can be made truly persistent.

What This Means

For security teams, this feature represents a foundational shift. Clusters can now enforce critical policies from the moment the API server starts, with no window of vulnerability. The policies cannot be deleted, even by cluster admins, because they are not API objects.

It also simplifies backup and recovery scenarios. Restoring a cluster from etcd backup no longer leaves a gap in policy enforcement. The static manifests are loaded from disk, independent of API availability.

However, because this is an alpha feature, it is not yet recommended for production use. Operators should test it in development environments and provide feedback to the Kubernetes community. The feature gate is AdmissionPolicyFileBased and must be explicitly enabled.

"We expect this to become a best practice for all serious deployments," the spokesperson concluded. "Once it graduates to stable, it will be the default way to enforce admission policies."

For more details, see the official Kubernetes changelog for v1.36 and the KEP.
