cel_skill

This skill generates production-ready CEL code for Kubernetes admission policies, CRD validations, and security rules to enforce compliance.
  • TypeScript

31

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill tyrchen/claude-skills --skill cel

  • SKILL.md13.4 KB

Overview

This skill generates production-ready CEL (Common Expression Language) code for Kubernetes admission control, CRD validation rules, and security policies. It produces complete ValidatingAdmissionPolicy and binding YAML, CRD x-kubernetes-validations, test resources, and deployment instructions. Use it to replace webhooks or migrate from OPA/Gatekeeper/Kyverno to native CEL-based policies.

How this skill works

I inspect the target resource types, operations, and constraint requirements you provide, then generate safe, efficient CEL expressions with has() checks and short-circuit ordering to avoid runtime errors. Output includes full ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding YAML, optional CRD validation snippets, example passing/failing test resources, and a brief explanation and deployment steps. I also apply performance best practices like schema bounds and targeted match rules.

When to use it

  • Create ValidatingAdmissionPolicy resources with robust CEL expressions
  • Add x-kubernetes-validations to CRD schemas
  • Enforce security constraints (non-root, no privileged, approved registries)
  • Validate labels, annotations, names, and resource requests/limits
  • Migrate or simplify policy logic from OPA/Gatekeeper/Kyverno to native CEL
  • Debug or optimize existing CEL expressions for performance and safety

Best practices

  • Always check optional fields with has() before access to avoid runtime errors
  • Order checks: cheap existence checks first, expensive regex or map lookups last
  • Scope policies with matchConstraints and namespace selectors to minimize evaluations
  • Set schema bounds (maxItems, maxProperties, maxLength) to help the cost estimator
  • Start in Audit mode and use server dry-run before switching to Deny

Example use cases

  • Require containers to run as non-root and disallow privileged containers in production namespaces
  • Enforce image registry allowlist and forbid :latest tags across deployments
  • Ensure all containers declare CPU and memory requests and limits within allowed quotas
  • Add x-kubernetes-validations to a CRD to validate replicas and cron schedule formats
  • Generate a validating policy and binding plus pass/fail test manifests for CI validation

FAQ

CEL in ValidatingAdmissionPolicy is GA in Kubernetes 1.30+; CEL in CRD validation is GA in 1.29+. Verify your cluster version before deploying.

How do I test a generated policy safely?

Use validationActions: [Audit] and kubectl apply --dry-run=server for server-side checks, and inspect PolicyAudit events before switching to Deny.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
cel skill by tyrchen/claude-skills | VeilStrat