Common Expression Language in Kubernetes
The Common Expression Language (CEL) is used in the Kubernetes API to declare validation rules, policy rules, and other constraints or conditions.
CEL expressions are evaluated directly in the API server, making CEL a convenient alternative to out-of-process mechanisms, such as webhooks, for many extensibility use cases. Your CEL expressions continue to execute so long as the control plane's API server component remains available.
CEL was designed to be embedded into applications. Each CEL "program" is a single expression that evaluates to a single value. CEL expressions are typically short "one-liners" that inline well into the string fields of Kubernetes API resources.
Inputs to a CEL program are "variables". Each Kubernetes API field that contains
CEL declares in the API documentation which variables are available to use for
that field. For example, in the
x-kubernetes-validations[i].rules field of
oldSelf variables are available and
refer to the previous and current state of the custom resource data to be
validated by the CEL expression. Other Kubernetes API fields may declare
different variables. See the API documentation of the API fields to learn which
variables are available for that field.
Example CEL expressions:
|Validate that the three fields defining replicas are ordered appropriately|
|Validate that an entry with the 'Available' key exists in a map|
|Validate that one of two lists is non-empty, but not both|
|Validate the 'value' field of a listMap entry where key field 'name' is 'MY_ENV'|
|Validate that 'expired' date is after a 'create' date plus a 'ttl' duration|
|Validate a 'health' string field has the prefix 'ok'|
|Validate that the 'foo' property of a listMap item with a key 'x' is less than 10|
|Validate an int-or-string field for both the int and string cases|
|Validate that an object's name matches a specific value (making it a singleton)|
|Validate that two listSets are disjoint|
|Validate the 'details' map is keyed by the items in the 'names' listSet|
CEL community libraries
Kubernetes CEL expressions have access to the following CEL community libraries:
- CEL standard functions, defined in the list of standard definitions
- CEL standard macros
- CEL extended string function library
Kubernetes CEL libraries
In additional to the CEL community libraries, Kubernetes includes CEL libraries that are available everywhere CEL is used in Kubernetes.
Kubernetes list library
The list library includes
lastIndexOf, which work similar to the
strings functions of the same names. These functions either the first or last
positional index of the provided element in the list.
The list library also includes
sum. Sum is supported on all
number types as well as the duration type. Min and max are supported on all
isSorted is also provided as a convenience function and is supported on all
|Verify that a list of names is kept in alphabetical order|
|Verify that the "weights" of a list of objects sum to 1.0|
|Verify that two sets of priorities do not overlap|
|Require that the first name in a list if a specific value|
See the Kubernetes List Library godoc for more information.
Kubernetes regex library
In addition to the
matches function provided by the CEL standard library, the
regex library provides
findAll, enabling a much wider range of
|Find the first number in a string|
|Verify that the numbers in a string sum to less than 100|
See the Kubernetes regex library godoc for more information.
Kubernetes URL library
To make it easier and safer to process URLs, the following functions have been added:
isURL(string)checks if a string is a valid URL according to the Go's net/url package. The string must be an absolute URL.
url(string) URLconverts a string to a URL or results in an error if the string is not a valid URL.
Once parsed via the
url function, the resulting URL object has
|Get the 'example.com:80' host part of the URL.|
See the Kubernetes URL library godoc for more information.
Kubernetes authorizer library
For CEL expressions in the API where a variable of type
Authorizer is available,
the authorizer may be used to perform authorization checks for the principal
(authenticated user) of the request.
API resource checks are performed as follows:
- Specify the group and resource to check:
- Optionally call any combination of the following builder functions to further narrow the authorization check. Note that these functions return the receiver type and can be chained:
ResourceCheck.check(verb string) Decisionto perform the authorization check.
reason() stringto inspect the result of the authorization check.
Non-resource authorization performed are used as follows:
- specify only a path:
PathCheck.check(httpVerb string) Decisionto perform the authorization check.
reason() stringto inspect the result of the authorization check.
To perform an authorization check for a service account:
Authorizer.serviceAccount(namespace string, name string) Authorizer
|Returns true if the principal (user or service account) is allowed create pods in the 'default' namespace.|
|Checks if the principal (user or service account) is authorized to make HTTP GET requests to the /healthz API path.|
|Checks if the service account is authorized to delete deployments.|
See the Kubernetes Authz library godoc for more information.
CEL is a gradually typed language.
Some Kubernetes API fields contain fully type checked CEL expressions. For example, CustomResourceDefinitions Validation Rules are fully type checked.
Some Kubernetes API fields contain partially type checked CEL expressions. A
partially type checked expression is an experessions where some of the variables
are statically typed but others are dynamically typed. For example, in the CEL
request variable is typed, but the
object variable is dynamically typed.
As a result, an expression containing
request.namex would fail type checking
namex field is not defined. However,
object.namex would pass
type checking even when the
namex field is not defined for the resource kinds
object refers to, because
object is dynamically typed.
has() macro in CEL may be used in CEL expressions to check if a field of a
dynamically typed variable is accessible before attempting to access the field's
value. For example:
has(object.namex) ? object.namex == 'special' : request.name == 'special'
Type system integration
|OpenAPIv3 type||CEL type|
|'object' with Properties||object / "message type" (|
|'object' with AdditionalProperties||map|
|'object' with x-kubernetes-embedded-type||object / "message type", 'apiVersion', 'kind', 'metadata.name' and 'metadata.generateName' are implicitly included in schema|
|'object' with x-kubernetes-preserve-unknown-fields||object / "message type", unknown fields are NOT accessible in CEL expression|
|x-kubernetes-int-or-string||union of int or string, |
|'array' with x-kubernetes-list-type=map||list with map based Equality & unique key guarantees|
|'array' with x-kubernetes-list-type=set||list with set based Equality & unique entry guarantees|
|'number' (all formats)||double|
|'integer' (all formats)||int (64)|
|no equivalent||uint (64)|
|'string' with format=byte (base64 encoded)||bytes|
|'string' with format=date||timestamp (google.protobuf.Timestamp)|
|'string' with format=datetime||timestamp (google.protobuf.Timestamp)|
|'string' with format=duration||duration (google.protobuf.Duration)|
Equality comparison for arrays with
map ignores element
order. For example
[1, 2] == [2, 1] if the arrays represent Kubernetes
Concatenation on arrays with
x-kubernetes-list-type use the semantics of the
X + Yperforms a union where the array positions of all elements in
Xare preserved and non-intersecting elements in
Yare appended, retaining their partial order.
X + Yperforms a merge where the array positions of all keys in
Xare preserved but the values are overwritten by values in
Ywhen the key sets of
Yintersect. Elements in
Ywith non-intersecting keys are appended, retaining their partial order.
Only Kubernetes resource property names of the form
[a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible from CEL. Accessible property
names are escaped according to the following rules when accessed in the
|escape sequence||property name equivalent|
|CEL RESERVED keyword|
When you escape any of CEL's RESERVED keywords you need to match the exact property name
use the underscore escaping
int in the word
sprint would not be escaped and nor would it need to be).
Examples on escaping:
|property name||rule with escaped property name|
CEL is non-Turing complete and offers a variety of production safety controls to limit execution time. CEL's resource constraint features provide feedback to developers about expression complexity and help protect the API server from excessive resource consumption during evaluation. CEL's resource constraint features are used to prevent CEL evaluation from consuming excessive API server resources.
A key element of the resource constraint features is a cost unit that CEL defines as a way of tracking CPU utilization. Cost units are independent of system load and hardware. Cost units are also deterministic; for any given CEL expression and input data, evaluation of the expression by the CEL interpreter will always result in the same cost.
Many of CEL's core operations have fixed costs. The simplest operations, such as
<) have a cost of 1. Some have a higher fixed cost, for
example list literal declarations have a fixed base cost of 40 cost units.
Calls to functions implemented in native code approximate cost based on the time
complexity of the operation. For example: operations that use regular
expressions, such as
find, are estimated using an approximated
length(regexString)*length(inputString). The approximated cost
reflects the worst case time complexity of Go's RE2 implementation.
Runtime cost budget
All CEL expressions evaluated by Kubernetes are constrained by a runtime cost budget. The runtime cost budget is an estimate of actual CPU utilization computed by incrementing a cost unit counter while interpreting a CEL expression. If the CEL interpreter executes too many instructions, the runtime cost budget will be exceeded, execution of the expressions will be halted, and an error will result.
Some Kubernetes resources define an additional runtime cost budget that bounds the execution of multiple expressions. If the sum total of the cost of expressions exceed the budget, execution of the expressions will be halted, and an error will result. For example the validation of a custom resource has a per-validation runtime cost budget for all Validation Rules evaluated to validate the custom resource.
Estimated cost limits
For some Kubernetes resources, the API server may also check if worst case estimated running time of CEL expressions would be prohibitively expensive to execute. If so, the API server prevent the CEL expression from being written to API resources by rejecting create or update operations containing the CEL expression to the API resources. This feature offers a stronger assurance that CEL expressions written to the API resource will be evaluate at runtime without exceeding the runtime cost budget.