Kubernetes Highlights for the Crossplane Community: K8s 1.29

Kubernetes 1.29 was recently released and we’re highlighting a few key updates important for the Crossplane community.

After all, Crossplane extends the power of Kubernetes for any engineer to manage anything. Crossplane enables you to build control planes that manage all your infrastructure using familiar Kubernetes constructs.

The first highlight to call out for Crossplane users is CRD Validation Expression Language moving to general availability in 1.29. This Kubernetes enhancement allows the majority of validation use cases that previously required a webhook to be handled instead by adding inline validation expressions, written in the Common Expression Language (CEL), directly into the schema of a CRD. The feature was originally introduced in 2021, and SIG-API-Machinery has spent the past two years working to stabilize it.

For example, you can use CEL via x-kubernetes-validations to set a diskSize field in a Composite Resource Definition (XRD) that can only remain the same or increase:

    properties:
      diskSize:
        type: integer
        x-kubernetes-validations:
        - rule: self >= oldSelf

This feature is already used by Upjet-based Crossplane providers, which rely on it to conditionally enforce the top-level non-identifier required fields of managed resources when the chosen management policy allows modifications to the external resource. It is also used in core Crossplane’s ordered deletion. Its move to general availability formalizes the feature as stable for all to rely on.

Another recent highlight is the validating admission policy, in beta as of Kubernetes 1.28, which relies heavily on Common Expression Language (CEL). This matters because it is built into the Kubernetes API: platform engineers no longer need to deploy and maintain a separate validating webhook, with its TLS certificates, in order to enforce policies. For Crossplane users, this allows engineers to set policies such as the maximum size of databases or a limit on the number of nodes in a Kubernetes cluster. Validating Admission Policies can be bound to namespaces through label selectors, allowing platform operators to fine-tune where policies are applied.

Finally, Validating Admission Policies support several actions, including denying requests and recording an audit event for failed requests.
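As an added example (not from the original post or from Crossplane itself), here is a ValidatingAdmissionPolicy and binding that deny and audit any claim in namespaces labelled environment=dev whose requested storage exceeds a limit read from a parameter ConfigMap. The claim kind PostgreSQLInstance, the API group database.example.org and the field spec.parameters.storageGB are assumed stand-ins for whatever your XRD actually defines.

```yaml
# Added example, not from the original post or from Crossplane itself.
# Assumed: an XRD defines claim kind PostgreSQLInstance in group
# database.example.org (v1alpha1) with an integer spec.parameters.storageGB.
apiVersion: admissionregistration.k8s.io/v1beta1  # beta API as of 1.28/1.29
kind: ValidatingAdmissionPolicy
metadata:
  name: limit-postgres-storage
spec:
  failurePolicy: Fail   # a CEL error (e.g. missing field) rejects the request
  paramKind:            # the limit comes from a ConfigMap chosen per binding
    apiVersion: v1
    kind: ConfigMap
  matchConstraints:
    resourceRules:
    - apiGroups:   ["database.example.org"]
      apiVersions: ["v1alpha1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["postgresqlinstances"]
  validations:
  # ConfigMap data values are strings, so convert before comparing
  - expression: "object.spec.parameters.storageGB <= int(params.data.maxStorageGB)"
    messageExpression: "'storageGB must not exceed ' + params.data.maxStorageGB + ' in this namespace'"
    reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: limit-postgres-storage-dev
spec:
  policyName: limit-postgres-storage
  validationActions: [Deny, Audit]   # reject, and record an audit annotation
  paramRef:
    name: postgres-limits
    namespace: platform-policies
    parameterNotFoundAction: Deny    # fail closed if the ConfigMap is absent
  matchResources:
    namespaceSelector:               # only namespaces labelled environment=dev
      matchLabels:
        environment: dev
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-limits
  namespace: platform-policies
data:
  maxStorageGB: "100"
```

A claim requesting storageGB: 200 in a namespace labelled environment=dev is rejected with the message above and recorded in the audit log; the same claim in a namespace without that label is not matched by this binding.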

You can read about more general details of the latest release in the Kubernetes blog:

Thanks to Alper Rifat Ulucinar (https://github.com/ulucinar) and Stefano (Steven) Borrelli (https://github.com/stevendborrelli), who contributed to this post.