Skip to content

feat: reject workload creation via validating admission webhook when referenced WorkloadPolicy does not exist #415

Open
Open
feat: reject workload creation via validating admission webhook when referenced WorkloadPolicy does not exist#415
Assignees
holyspectral
Labels
enhancementNew feature or request
Milestone
0.6.0
@dottorblaster

Description

@dottorblaster
dottorblaster
opened on Mar 16, 2026

Currently, when a pod is created with the security.rancher.io/policy label referencing a WorkloadPolicy that doesn't exist, the pod is allowed to start and an error is logged (internal/nri/plugin.go:176-179). This means the pod runs without any runtime protection silently.

We should add a new VAP/validating admission webhook that checks, at pod CREATE time, whether the WorkloadPolicy referenced in the security.rancher.io/policy label actually exists in the cluster. If the policy does not exist, the pod creation should be denied with a clear error message.

This will work alongside a future NRI-level enforcement (see #392) that blocks container startup until the policy is reconciled by the agent.

Acceptance Criteria

  • VAP rejects pod creation when the referenced WorkloadPolicy does not exist: When a pod is created with a security.rancher.io/policy label, the admission policy must verify that a WorkloadPolicy resource with that name exists in the same namespace. If it does not exist, the pod creation must be denied with a descriptive error message.
  • Pods without the policy label are not affected: Pods that do not have the security.rancher.io/policy label must be admitted normally. The VAP must only apply to pods that explicitly reference a policy.
  • E2E tests validate both allow and deny paths

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Projects

Runtime Enforcer

Status

In Progress

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions