validate.cel sub-rule to create concise, powerful validation logic using CEL (Common Expression Language).
What is CEL?
CEL (Common Expression Language) is an open-source, embeddable expression language from Google. It is designed for safe, fast evaluation inside critical components like admission controllers and API servers. CEL deliberately avoids Turing-completeness so expressions are guaranteed to terminate quickly, preventing runaway CPU or memory usage. Its guiding principles are simplicity, security, portability, and performance—qualities that make it a natural fit for policy and validation in Kubernetes.

validate.cel sub-rule. Inside a rule’s validate block you add a cel block containing a list of expressions. Each expression must include:
expression: a CEL expression that must evaluate totruefor the request to be allowed.message: the user-facing error message shown when the expression evaluates tofalse.
object variable, which represents the full resource being submitted to the API server. We access object.spec.replicas to inspect the Deployment replica count.
CEL expressions must evaluate to a boolean. If an expression returns
false (or a non-boolean that cannot be interpreted as true), the request is rejected and the provided message is shown.namespaceObject to make namespace-aware checks straightforward. While object is the resource being created (for example, a StatefulSet), namespaceObject contains the full Namespace resource where the object will live.
Example — allow StatefulSets only in the production namespace:
default), that expression evaluates to false and the request is blocked.
CEL variables available in Kyverno
The most commonly used variables in Kyverno CEL expressions provide runtime context for expressive policies:

-
object
The incoming resource manifest being created or updated. Example:object.spec.replicas.Note: For delete operations,objectisnullbecause there is no incoming resource body. -
oldObject
The current cluster version of the resource (available for updates). Use this to compare previous and new state. -
request
Metadata about the admission request (user identity, operation type,dryRunflag, etc.). Useful for policies that depend on who performed the action or how it was requested. -
namespaceObject
The Namespace resource where the object will be created. Useful to read labels, annotations, or the namespace name itself. -
params
External parameters injected into the policy (for example, via a ConfigMap or Kyverno params binding). Useparamsto avoid hard-coding values and make policies reusable. -
authorizer
Provides on-the-fly authorization checks (advanced). For example, validate that the requester has permission togeta referenced Secret. See Kyverno docs for details: https://kyverno.io/docs/
Summary
- CEL is a safe, performant expression language well-suited for admission-time validation.
- Kyverno exposes CEL through
validate.cel, letting you author concise validation rules that run on admission. - Use variables like
object,oldObject,request,namespaceObject,params, andauthorizerto write context-aware policies. - Keep expressions simple and boolean-returning; use
paramsfor reusable policies andnamespaceObjectfor namespace-scoped constraints.

- Kyverno documentation: https://kyverno.io/docs/
- Kubernetes CRD validation and CEL: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation