1. Create a `ValidatingAdmissionPolicy` manifest with `apiVersion: admissionregistration.k8s.io/v1` and a `spec.matchConstraints` targeting Deployments.
2. Write CEL expressions in `spec.validations[].expression`, such as `object.spec.template.spec.containers.all(c, has(c.resources.limits))`, to enforce limits.
3. Set `spec.validations[].message` to a human-readable error that is returned when the expression evaluates to false.
4. Create a `ValidatingAdmissionPolicyBinding` that binds the policy to a specific namespace or to cluster scope.
5. Test by `kubectl apply`-ing a Deployment that is missing resource limits and confirm the CEL error message is returned.
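The steps above as one complete manifest (an added example, not code from the original page): the policy matches Deployments, the CEL rule requires CPU and memory limits on every container, and the binding scopes enforcement to a namespace. The namespace name `payments` and the object names are assumptions.

```yaml
# Added example: enforce resource limits on Deployments in the "payments"
# namespace (assumed name). Requires admissionregistration.k8s.io/v1.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-resource-limits
spec:
  failurePolicy: Fail          # reject the request if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    # has() guards are chained with && so a container with no resources block
    # fails cleanly instead of erroring part-way through the expression.
    - expression: >-
        object.spec.template.spec.containers.all(c,
          has(c.resources) && has(c.resources.limits) &&
          has(c.resources.limits.cpu) && has(c.resources.limits.memory))
      message: "every container in a Deployment must set resources.limits.cpu and resources.limits.memory"
      reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-resource-limits-payments
spec:
  policyName: require-resource-limits
  # Deny blocks the request; Audit or Warn record/surface violations without blocking.
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: payments
```

Apply both objects, then `kubectl apply` a Deployment in `payments` whose containers omit `resources.limits`; the API server rejects it and returns the `message` text above.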
Known gotchas
- ValidatingAdmissionPolicy is GA from Kubernetes 1.30; on older clusters it may require a feature gate and behave differently — verify API availability with `kubectl api-versions`.
- CEL expressions have a cost budget per expression; deeply nested `all()` traversals over large objects may exceed the budget and fail at admission — test with realistic payload sizes.
- A `ValidatingAdmissionPolicyBinding` in `dryRun` mode logs violations without blocking — remember to remove `dryRun` when moving to enforcement.