Configure a Kubernetes admission webhook with cert-manager for TLS provisioning and implement a ValidatingWebhookConfiguration to enforce custom policies
Deploy the webhook server as a Kubernetes Deployment and Service, ensuring the server listens on HTTPS and serves a TLS certificate at the expected mount path
Create a cert-manager Certificate object targeting the webhook Service DNS name and referencing an Issuer or ClusterIssuer, and mount the resulting Secret into the webhook server pod
Define the ValidatingWebhookConfiguration manifest with a clientConfig referencing the service name and path, and add the cert-manager CA injection annotation so the caBundle field is populated automatically instead of being set by hand
Configure the webhook's rules block to target the desired resource group, version, kind, and operations, and set failurePolicy to either Fail or Ignore based on the criticality of the policy
Test the webhook by submitting a resource that should be rejected and verifying the API server returns the webhook's denial message, then submit a valid resource to confirm it passes
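The Certificate and ValidatingWebhookConfiguration from steps 3 and 4 side by side, added here as an example rather than taken from the original page. The Service name policy-webhook, the namespace policy-system, the ClusterIssuer internal-ca, the webhook name pods.policy.example.com and the /validate path are placeholders; the Deployment that mounts the policy-webhook-tls Secret is assumed to exist and is not shown.

```yaml
# Added example (not from the original page). Assumes a Service
# "policy-webhook" in namespace "policy-system" serving HTTPS on port 443
# at /validate, and a ClusterIssuer named "internal-ca".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: policy-webhook-cert
  namespace: policy-system
spec:
  secretName: policy-webhook-tls          # mount this Secret into the webhook pod
  dnsNames:                               # the API server dials <svc>.<ns>.svc
    - policy-webhook.policy-system.svc
    - policy-webhook.policy-system.svc.cluster.local
  issuerRef:
    kind: ClusterIssuer
    name: internal-ca
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: policy-webhook
  annotations:
    # cainjector copies the issuing CA of this Certificate (namespace/name)
    # into every webhooks[].clientConfig.caBundle below
    cert-manager.io/inject-ca-from: policy-system/policy-webhook-cert
webhooks:
  - name: pods.policy.example.com         # placeholder; must be a FQDN
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 5                     # keep below the API server's default of 10
    failurePolicy: Fail                   # Ignore for policies that must not block the cluster
    clientConfig:
      service:
        name: policy-webhook
        namespace: policy-system
        path: /validate
        port: 443
      # caBundle deliberately omitted: it is filled in by cainjector
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE", "UPDATE"]
```

After applying, `kubectl get validatingwebhookconfiguration policy-webhook -o jsonpath='{.webhooks[0].clientConfig.caBundle}'` should print a non-empty value; an empty result points at the cainjector or annotation issues described under known gotchas.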
Known gotchas
cert-manager CA injection requires the cert-manager cainjector component to be running and the annotation on the WebhookConfiguration to reference the correct Secret name; a missing or incorrect annotation leaves caBundle empty and the webhook is rejected by the API server
failurePolicy: Fail means any webhook server unavailability blocks the targeted resource operations cluster-wide; always test failover behavior and consider using a timeout plus Ignore for non-critical policies
The webhook server must respond within the timeout configured in the WebhookConfiguration; long-running policy checks, such as calls to external APIs, can exceed it, and under the Fail policy each timed-out admission request is rejected