{"id":22930674,"url":"https://github.com/kubewarden/cel-policy","last_synced_at":"2025-08-12T15:31:41.510Z","repository":{"id":220328367,"uuid":"750809729","full_name":"kubewarden/cel-policy","owner":"kubewarden","description":"A policy that can run CEL expressions","archived":false,"fork":false,"pushed_at":"2024-12-09T10:37:28.000Z","size":342,"stargazers_count":5,"open_issues_count":6,"forks_count":5,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-12-09T11:36:20.543Z","etag":null,"topics":["common-expression-language","kubernetes","kubernetes-security","kubewarden-policy","policy-as-code","webassembly"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubewarden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-31T11:13:23.000Z","updated_at":"2024-12-09T10:37:14.000Z","dependencies_parsed_at":"2024-08-26T16:08:56.106Z","dependency_job_id":"a2292448-a78e-411d-9349-92c365900ee1","html_url":"https://github.com/kubewarden/cel-policy","commit_stats":null,"previous_names":["kubewarden/cel-policy"],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fcel-policy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fcel-policy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewarden%2Fcel-policy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubewa
rden%2Fcel-policy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubewarden","download_url":"https://codeload.github.com/kubewarden/cel-policy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229694588,"owners_count":18108931,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["common-expression-language","kubernetes","kubernetes-security","kubewarden-policy","policy-as-code","webassembly"],"created_at":"2024-12-14T10:29:16.235Z","updated_at":"2025-08-12T15:31:41.485Z","avatar_url":"https://github.com/kubewarden.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Kubewarden Policy Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-policies.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)\n[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)\n\n## CEL Policy\n\nThis policy is a meta-policy that allows running [CEL](https://github.com/google/cel-go) expressions\nagainst Kubernetes resources.\nA meta-policy is a policy that is configured via settings and does not need to be recompiled to change its behavior; its settings act as a DSL.\n\nThe settings of the policy are compliant with the [ValidatingAdmissionPolicy Kubernetes resource](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/);\nplease refer to [writing a policy](#writing-a-policy) for more 
information on what fields are supported.\nUnder the hood, the policy uses [CEL](https://github.com/google/cel-go) and the [Kubernetes CEL libraries](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library),\nwhich allows the same CEL syntax and functions that are available in Kubernetes to be used.\n\n### Writing a policy\n\nBoth the `validations` and `variables` fields are supported.\nThe policy provides the following variables:\n\n- `request`: the admission request\n- `object`: the Kubernetes resource being validated\n- `oldObject`: the Kubernetes resource before the update, nil if the request is not an update\n- `namespaceObject`: the namespace of the resource being validated\n\nThe policy evaluates to `allowed` if all the validation expressions evaluate to `true`.\nEach validation expression must evaluate to a boolean; otherwise the policy will not pass the settings validation phase.\n\nA `message` or a `messageExpression` can be specified to provide a custom message when the policy evaluates to `false`.\nThe `messageExpression` is evaluated as a CEL expression, and its result is used as the message.\nThe message expression must evaluate to a string; otherwise the policy will not pass the settings validation phase.\n\nFor more information about variables and validation expressions, please refer to the [ValidatingAdmissionPolicy Kubernetes resource](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/).\n\n### Example\n\nGiven the following `ValidatingAdmissionPolicy`:\n\n```yaml\napiVersion: admissionregistration.k8s.io/v1beta1\nkind: ValidatingAdmissionPolicy\nmetadata:\n  name: \"demo-policy.example.com\"\nspec:\n  failurePolicy: Fail\n  matchConstraints:\n    resourceRules:\n      - apiGroups: [\"apps\"]\n        apiVersions: [\"v1\"]\n        operations: [\"CREATE\", \"UPDATE\"]\n        resources: [\"deployments\"]\n  variables:\n    - name: replicas\n      expression: \"object.spec.replicas\"\n  
validations:\n    - expression: \"variables.replicas \u003c= 5\"\n      message: \"The number of replicas must be less than or equal to 5\"\n```\n\nthe Kubewarden CEL policy can be written as follows:\n\n```yaml\napiVersion: policies.kubewarden.io/v1\nkind: AdmissionPolicy\nmetadata:\n  annotations:\n    io.kubewarden.policy.category: Resource validation\n    io.kubewarden.policy.severity: low\n  name: \"demo-policy.example.com\"\nspec:\n  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest\n  settings:\n    variables:\n      - name: \"replicas\"\n        expression: \"object.spec.replicas\"\n    validations:\n      - expression: \"variables.replicas \u003c= 5\"\n        message: \"The number of replicas must be less than or equal to 5\"\n  rules:\n    - apiGroups: [\"apps\"]\n      apiVersions: [\"v1\"]\n      operations: [\"CREATE\", \"UPDATE\"]\n      resources: [\"deployments\"]\n  mutating: false\n  backgroundAudit: false\n```\n\n## Host capabilities\n\nKubewarden's [host capabilities](https://docs.kubewarden.io/reference/spec/host-capabilities/intro-host-capabilities) can be accessed by CEL extension libraries available in the policy environment.\n\nThe following host capabilities are available:\n\n| Capability                                                                                          | Description                                   | Documentation                                                                                         |\n| --------------------------------------------------------------------------------------------------- | --------------------------------------------- | ----------------------------------------------------------------------------------------------------- |\n| [kubernetes](https://docs.kubewarden.io/reference/spec/host-capabilities/kubernetes)                | Access to Kubernetes resources in the cluster | 
[**Kubernetes**](https://pkg.go.dev/github.com/kubewarden/cel-policy/internal/cel/library#Kubernetes) |\n| [sigstore](https://docs.kubewarden.io/reference/spec/host-capabilities/signature-verifier-policies) | Sigstore (secure supply chain) support        | [**Sigstore**](https://pkg.go.dev/github.com/kubewarden/cel-policy/internal/cel/library#Sigstore)     |\n| [oci](https://docs.kubewarden.io/reference/spec/host-capabilities/container-registry)               | Interact with container registries            | [**OCI**](https://pkg.go.dev/github.com/kubewarden/cel-policy/internal/cel/library#OCI)               |\n| [crypto](https://docs.kubewarden.io/reference/spec/host-capabilities/crypto)                        | Host-side cryptographic functions             | [**Crypto**](https://pkg.go.dev/github.com/kubewarden/cel-policy/internal/cel/library#Crypto)         |\n| [net](https://docs.kubewarden.io/reference/spec/host-capabilities/net)                              | Network operations                            | [**Net**](https://pkg.go.dev/github.com/kubewarden/cel-policy/internal/cel/library#Net)               |\n\n## Extensions\n\nCEL extensions add functionality to the language that is not part of the CEL language definition. 
The CEL policy has the following extensions enabled:\n\n| Extension       | Description                                  | Documentation                                                                 |\n| --------------- | -------------------------------------------- | ----------------------------------------------------------------------------- |\n| Base64 Encoders | Allows users to encode/decode base64 strings | [Encoder extension](https://pkg.go.dev/github.com/google/cel-go/ext#Encoders) |\n\n## Known limitations\n\nAt the moment the policy does not support the following Kubernetes extensions:\n\n- [authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fcel-policy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubewarden%2Fcel-policy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubewarden%2Fcel-policy/lists"}