cel_skill
- TypeScript
31
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill tyrchen/claude-skills --skill cel- SKILL.md13.4 KB
Overview
This skill generates production-ready CEL (Common Expression Language) code for Kubernetes admission control, CRD validation rules, and security policies. It produces complete ValidatingAdmissionPolicy and binding YAML, CRD x-kubernetes-validations, test resources, and deployment instructions. Use it to replace webhooks or migrate from OPA/Gatekeeper/Kyverno to native CEL-based policies.
How this skill works
I inspect the target resource types, operations, and constraint requirements you provide, then generate safe, efficient CEL expressions with has() checks and short-circuit ordering to avoid runtime errors. Output includes full ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding YAML, optional CRD validation snippets, example passing/failing test resources, and a brief explanation and deployment steps. I also apply performance best practices like schema bounds and targeted match rules.
When to use it
- Create ValidatingAdmissionPolicy resources with robust CEL expressions
- Add x-kubernetes-validations to CRD schemas
- Enforce security constraints (non-root, no privileged, approved registries)
- Validate labels, annotations, names, and resource requests/limits
- Migrate or simplify policy logic from OPA/Gatekeeper/Kyverno to native CEL
- Debug or optimize existing CEL expressions for performance and safety
Best practices
- Always check optional fields with has() before access to avoid runtime errors
- Order checks: cheap existence checks first, expensive regex or map lookups last
- Scope policies with matchConstraints and namespace selectors to minimize evaluations
- Set schema bounds (maxItems, maxProperties, maxLength) to help the cost estimator
- Start in Audit mode and use server dry-run before switching to Deny
Example use cases
- Require containers to run as non-root and disallow privileged containers in production namespaces
- Enforce image registry allowlist and forbid :latest tags across deployments
- Ensure all containers declare CPU and memory requests and limits within allowed quotas
- Add x-kubernetes-validations to a CRD to validate replicas and cron schedule formats
- Generate a validating policy and binding plus pass/fail test manifests for CI validation
FAQ
CEL in ValidatingAdmissionPolicy is GA in Kubernetes 1.30+; CEL in CRD validation is GA in 1.29+. Verify your cluster version before deploying.
How do I test a generated policy safely?
Use validationActions: [Audit] and kubectl apply --dry-run=server for server-side checks, and inspect PolicyAudit events before switching to Deny.