Kubernetes v1.36 Breaks Cycle of Policy Insecurity with Startup-Only Admission Controls

Kubernetes v1.36 Introduces Manifest-Based Admission Control to Eliminate Bootstrap Gaps and Protect Critical Policies

Urgent: The long-standing vulnerability of Kubernetes admission policies—where they can be deleted or delayed during cluster startup—has been addressed in v1.36 with an alpha feature that loads policies from disk before any API requests are served.

Kubernetes SIG API Machinery announced today that version 1.36 includes a new manifest-based admission control mechanism, allowing operators to define admission webhooks and CEL-based policies as static files on disk. These policies are loaded by the API server at startup, effectively closing a critical security window that has plagued cluster administrators.

“We wanted a way to say ‘these policies are always on, full stop,’” said a SIG API Machinery spokesperson in an exclusive statement. “This feature ensures that even if a privileged user attempts to delete admission configuration resources, the policies remain active because they are not managed through the API.”

The feature, still in alpha, addresses two fundamental problems: the bootstrap gap where policies are not yet active, and the inability to prevent deletion of admission policies through the API.

Background

Historically, Kubernetes admission policies have been defined as API objects—such as ValidatingAdmissionPolicy or webhook configurations—that are created after the API server starts. This creates a chicken-and-egg problem: policies cannot exist until someone creates them, and they can be deleted by anyone with sufficient privileges.

“During cluster bootstrap or recovery from etcd failure, there's a significant interval where no policies are active,” explained the spokesperson. “Additionally, admission webhooks cannot intercept operations on their own configuration resources—Kubernetes skips invocations on types like ValidatingWebhookConfiguration to avoid circular dependencies. This means a privileged user can delete critical policies with no barrier.”

How It Works

Operators add a new staticManifestsDir field to the AdmissionConfiguration file already passed to the API server via the --admission-control-config-file flag. The field points to a directory; the API server loads every policy YAML file found there before it begins serving any requests.

“The manifest files are standard Kubernetes resource definitions,” the SIG noted. “The only requirement is that all objects defined in these manifests must have names ending in .static.k8s.io. This reserved suffix prevents collisions with API-based configurations and makes it easy to trace admission decisions in metrics or audit logs.”

A complete example provided by the team denies privileged containers outside the kube-system namespace. The policy is defined as a ValidatingAdmissionPolicy with metadata name deny-privileged.static.k8s.io and appropriate annotations.

What This Means

This alpha feature represents a paradigm shift in Kubernetes cluster security. For administrators managing multi-cluster environments or compliance-driven deployments, it eliminates the risk of policy gaps during initialization and provides a guaranteed baseline enforcement layer.

“This closes a long-standing loophole,” the spokesperson emphasized. “Even if a cluster’s etcd is compromised or a powerful user goes rogue, the static policies remain active. It also simplifies bootstrapping: new clusters automatically get the right policies from day zero.”

However, because the feature is in alpha, it should be tested in non-production environments. Kubernetes SIG API Machinery encourages early adopters to provide feedback to shape the final implementation.

For more details, see the official Kubernetes v1.36 release notes and the SIG API Machinery documentation on manifest-based admission control.
