{"id":"44448355-e66b-4937-ba5a-d7db6f11c391","task":"Write a ValidatingAdmissionPolicy using CEL expressions to enforce resource limits","domain":"kubernetes.io","steps":["Create a `ValidatingAdmissionPolicy` manifest with `apiVersion: admissionregistration.k8s.io/v1` and a `spec.matchConstraints` targeting Deployments","Write CEL expressions in `spec.validations[].expression` such as `object.spec.template.spec.containers.all(c, has(c.resources.limits))` to enforce limits","Set `spec.validations[].message` to a human-readable error returned when the expression evaluates to false","Create a `ValidatingAdmissionPolicyBinding` that binds the policy to a specific namespace or cluster scope","Test with `kubectl apply` of a Deployment missing resource limits and confirm the CEL error message is returned"],"gotchas":["ValidatingAdmissionPolicy is GA from Kubernetes 1.30; on older clusters it may require a feature gate and behave differently — verify API availability with `kubectl api-versions`","CEL expressions have a cost budget per expression; deeply nested `all()` traversals over large objects may exceed the budget and fail at admission — test with realistic payload sizes","A `ValidatingAdmissionPolicyBinding` in `dryRun` mode logs violations without blocking — remember to remove `dryRun` when moving to enforcement"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/44448355-e66b-4937-ba5a-d7db6f11c391"}