Add Kubernetes Validating Admission Policy converter #3
micahhausler
started this conversation in
Ideas
Replies: 0 comments
I've created an early prototype of a VAP converter to Cedar, but it's not clear that this would be useful, given most public VAP configurations are used for resource standards rather than for access control.
Kubernetes Validating Admission Policy (VAP) graduated to general availability in v1.30, and allows cluster administrators to create policy standards in their cluster with Google's Common Expression Language (CEL) that are evaluated in the Kube-API server. This enables administrators to enforce restrictions on both access controls to mutating actions and enforce resource standards (ex: "all containers in a pod must have resources set" or "all containers in a pod must start with my container image registry's domain").
CEL has different design goals than Cedar, and supports several features that are not analyzable with automated reasoning, such as `e.all(x, p)`, `e.map(x, t)`, and `e.filter(x, p)`, which can iteratively apply operators to a list of structures.

There are several public libraries of VAP configurations (vap-library, kubescape/cel-admission-library), and nearly all of these policies contain an `.all()` macro, which is not possible to convert to Cedar.

If you've gotten this far reading this discussion (thank you, sincerely) and use VAP for access controls and are interested in using a converter, please reply and tell us a little about your use case.

- In `spec.matchConstraints`, are you using `"*"` on any fields (resources, apiGroups, operations, apiVersions)?
- Do you use `spec.variables` in your policies?
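Two constructed ValidatingAdmissionPolicy manifests illustrating the distinction drawn in the post above (added here as an example; not code from the post or from the converter project): the first is a resource-standards policy built on the `.all()` macro the post says cannot be converted, the second is a pure access-control check over `request.userInfo` with no list macro. The registry host, namespace and service account name are assumptions.

```yaml
# Policy 1: resource standard. The .all() macro iterates over every container,
# so this expression is the kind the post describes as unconvertible to Cedar.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: images-from-internal-registry
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # spec.variables: a named CEL sub-expression reused below as variables.registry
    - name: registry
      expression: "'registry.example.com/'"   # assumed registry host
  validations:
    - expression: "object.spec.containers.all(c, c.image.startsWith(variables.registry))"
      message: "all container images must be pulled from registry.example.com"
---
# Policy 2: access control. No macro: the decision depends only on who the
# caller is and which operation they requested (principal / action / resource
# style logic rather than per-element iteration over a list).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: namespace-delete-restricted
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["DELETE"]
        resources: ["namespaces"]
  validations:
    # assumed principal: the only service account allowed to delete namespaces
    - expression: "request.userInfo.username == 'system:serviceaccount:platform:ns-janitor'"
      message: "only the platform/ns-janitor service account may delete namespaces"
```

Each policy still needs a ValidatingAdmissionPolicyBinding before the API server enforces it.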