{"id":"3fa1c391-140e-4149-987c-cd27e9d75db1","task":"Configure a Kubernetes admission webhook with cert-manager for TLS provisioning and implement a ValidatingWebhookConfiguration to enforce custom policies","domain":"kubernetes.io","steps":["Deploy the webhook server as a Kubernetes Deployment and Service, ensuring the server listens on HTTPS and serves a TLS certificate at the expected mount path","Create a cert-manager Certificate object targeting the webhook Service DNS name and referencing an Issuer or ClusterIssuer, and mount the resulting Secret into the webhook server pod","Define the ValidatingWebhookConfiguration manifest with a clientConfig referencing the service name and path, and set the caBundle field to the cert-manager CA injection annotation so the CA bundle is populated automatically","Configure the webhooks rules block to target the desired resource group, version, kind, and operations, and set failurePolicy to either Fail or Ignore based on the criticality of the policy","Test the webhook by submitting a resource that should be rejected and verifying the API server returns the webhook's denial message, then submit a valid resource to confirm it passes"],"gotchas":["cert-manager CA injection requires the cert-manager cainjector component to be running and the annotation on the WebhookConfiguration to reference the correct Secret name; missing or incorrect annotation leaves caBundle empty and the webhook is rejected by the API server","failurePolicy: Fail means any webhook server unavailability blocks the targeted resource operations cluster-wide; always test failover behavior and consider using a timeout plus Ignore for non-critical policies","The webhook server must respond within the timeout configured in the WebhookConfiguration; long-running policy checks such as external API calls can cause timeouts that result in request failures under the Fail policy"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/3fa1c391-140e-4149-987c-cd27e9d75db1"}