If you've ever wrestled with enforcing security policies across a fleet of Kubernetes clusters, you know the frustration: your admission policies are API objects that don’t spring into existence until created, and anyone with sufficient permissions can delete them. This leaves a dangerous window during cluster bootstrap and exposes your cluster to tampering. Kubernetes v1.36 introduces an alpha feature that finally locks these policies in place—manifest-based admission control. Let’s dive into the 10 things you need to understand about this game-changer.
1. The Bootstrap Gap: Why Policies Are Late to the Party
During cluster initialization, the API server starts accepting requests before any admission policies (like ValidatingAdmissionPolicies or webhook configurations) are created. This means a malicious or misconfigured pod can be launched before your deny-privileged-containers policy is active. The gap is especially pronounced when restoring from etcd backups or recovering from failures—your policies might not exist for minutes or hours. This bootstrap vulnerability is a classic chicken-and-egg problem: you need policies to protect the cluster, but they don’t exist until the cluster is already running.
2. The Self-Protection Problem: Who Guards the Guards?
Admission webhooks and policies can’t intercept operations on their own configuration resources. Kubernetes deliberately skips invoking webhooks on types like ValidatingWebhookConfiguration to avoid circular dependencies. So if a privileged user (e.g., a cluster admin or an attacker who compromises one) decides to delete your critical admission policies, there’s nothing in the admission chain to stop them. You could lose your entire security layer in seconds, with no audit trail that catches it mid-operation.
3. The Solution: Manifest-Based Admission Control
Kubernetes v1.36 introduces an alpha feature that addresses both problems head-on: manifest-based admission control. Instead of relying solely on API objects, you can now define admission policies as static files on disk. The API server loads these files at startup, before it serves any requests. This means your policies are active from the very first moment the cluster becomes operational. They’re also immune to deletion via the API—they can only be removed by physically removing the manifest files from the disk.
4. How to Configure: The staticManifestsDir Field
You enable this feature by adding a staticManifestsDir field to your AdmissionConfiguration file, which you already pass to the API server using the --admission-control-config-file flag. Point this field at a directory containing your policy YAML files. The API server reads them during startup, before it begins serving any user requests. Here’s a snippet from the configuration:
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionPolicy
configuration:
apiVersion: apiserver.config.k8s.io/v1
kind: ValidatingAdmissionPolicyConfiguration
staticManifestsDir: "/etc/kubernetes/admission/validating-policies/"5. File Naming: The .static.k8s.io Suffix
All manifest files must define API objects whose names end with .static.k8s.io (e.g., deny-privileged.static.k8s.io). This reserved suffix prevents naming collisions with API-based configurations. It also makes it easy to identify in metrics and audit logs which admission decisions came from static manifests versus dynamically created policies. The suffix acts as a built-in indicator of immutability—any object with this suffix cannot be deleted or modified through the API.
6. Example Policy: Deny Privileged Containers
Here’s a complete example that denies privileged containers outside the kube-system namespace:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "deny-privileged.static.k8s.io"
annotations:
kubernetes.io/description: "Deny launching privileged pods, anywhere this policy is applied"
spec:
...Place this file in the directory you configured, and the API server will enforce it from boot—no need to create an API object later.
7. Key Benefit: Policies That Can’t Be Deleted
Because static manifest policies are loaded from disk and not from the API, they are effectively immutable from a cluster perspective. No one—not even a cluster admin with full API access—can delete or modify them via Kubernetes commands. The only way to remove them is to delete the file from the API server’s host filesystem and restart the server. This gives you a root of trust for your security baseline: policies that are “always on, full stop.”
8. Use Cases: Where This Feature Shines
Manifest-based admission control is ideal for environments requiring a guaranteed security posture. Examples include:
- Air-gapped or regulated clusters where policies must be hard-coded and immutable.
- Managed Kubernetes services where providers need to enforce baseline policies without allowing tenants to bypass them.
- Multi-cluster fleets where consistent admission rules are deployed via configuration management tools (e.g., Helm, Kustomize).
- Disaster recovery where policies must be instantly available after cluster restore.
9. Limitations: Alpha Feature Considerations
This feature is alpha in v1.36 (enable via AdmissionPolicyStaticManifests feature gate). It currently supports only ValidatingAdmissionPolicies and webhook configurations—not MutatingAdmissionPolicies yet. The manifest files are read only at API server startup; changing a file requires a restart. Also, if the directory contains invalid YAML, the API server may fail to start. Plan to validate your manifests before deployment.
10. Looking Ahead: The Future of Immutable Policies
The SIG Architecture team is exploring ways to extend manifest-based control to mutating policies and possibly to other resource types (like CRDs). There’s also discussion about dynamic reloading without restarts, and integration with version-controlled GitOps workflows. While v1.36 marks just the first step, this feature lays the foundation for a Kubernetes where base-level security is baked into the cluster’s startup, not bolted on afterward.
Conclusion: Kubernetes v1.36’s manifest-based admission control closes a critical security gap by making your admission policies immutable and available from the instant the API server starts. No more bootstrap vulnerability, no more self-protection loophole. While still alpha, this feature promises a more robust, tamper-proof foundation for cluster governance. Start experimenting with it today to harden your Kubernetes environments from the ground up.