Confirm your Kubernetes cluster is on a version that has ValidatingAdmissionPolicy as stable or as a feature gate; the feature graduated to stable in Kubernetes 1.30 (verify against current docs).
Write a ValidatingAdmissionPolicy manifest with spec.matchConstraints specifying the resource kinds (Deployment) and operations (CREATE, UPDATE), and spec.validations containing CEL expressions such as object.spec.replicas >= 2.
Create a ValidatingAdmissionPolicyBinding that binds the policy to a scope (cluster-wide or specific namespaces) and sets spec.validationActions to Deny or Audit.
Apply both the ValidatingAdmissionPolicy and the ValidatingAdmissionPolicyBinding; test by creating a Deployment with too few replicas.
Use paramKind and paramRef in the policy and binding to externalize configuration values (such as the minimum replica count) into a separate ConfigMap or custom resource, avoiding hardcoding in the policy.
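The steps above assembled into one applyable manifest, as an added example that is not part of the original page. It combines the policy (steps 2 and 5), the parameter ConfigMap (step 5) and the binding (step 3); the names `deployment-min-replicas`, `replica-policy-params`, the `replica-policy: enforce` namespace label and the `minReplicas` key are assumptions chosen for the example, and the trailing Deployment is a constructed test object for step 4. The apiVersion `admissionregistration.k8s.io/v1` is the stable API from Kubernetes 1.30; on older clusters with the feature gate enabled, use the `v1beta1` version instead.

```yaml
# Added example (not from the original page). Apply with:
#   kubectl apply -f validating-admission-policy.yaml
# then verify enforcement with the test Deployment at the bottom:
#   kubectl label namespace default replica-policy=enforce
#   kubectl apply -f test-deployment.yaml   # expected: denied by the API server
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deployment-min-replicas          # assumed name
spec:
  # Reject the request (rather than allow it) if the expression itself errors.
  failurePolicy: Fail
  # Step 5: the minimum replica count lives in a ConfigMap, not in the policy.
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  # Step 2: which resources and operations the policy applies to.
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    # ConfigMap data values are strings, so convert before comparing.
    # Defaulting normally fills spec.replicas (default 1) before admission;
    # the has() guard keeps the expression safe if it is absent anyway.
    - expression: "(has(object.spec.replicas) ? object.spec.replicas : 1) >= int(params.data.minReplicas)"
      messageExpression: "'Deployment must have at least ' + params.data.minReplicas + ' replicas'"
      reason: Invalid
---
# Step 5: the externalized parameter object referenced by the binding.
apiVersion: v1
kind: ConfigMap
metadata:
  name: replica-policy-params            # assumed name
  namespace: default
data:
  minReplicas: "2"
---
# Step 3: the binding decides where the policy is enforced and how.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deployment-min-replicas-binding  # assumed name
spec:
  policyName: deployment-min-replicas
  # Use [Audit] (or [Deny, Audit]) to log violations without blocking them
  # while rolling the policy out; Deny blocks the request.
  validationActions: [Deny]
  paramRef:
    name: replica-policy-params
    namespace: default
    # Fail closed if the ConfigMap is missing instead of silently allowing.
    parameterNotFoundAction: Deny
  # Scope: only namespaces carrying this (assumed) label are enforced.
  matchResources:
    namespaceSelector:
      matchLabels:
        replica-policy: enforce
---
# Step 4: constructed test object; with replicas: 1 this should be denied
# in any namespace labelled replica-policy=enforce.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: replica-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: replica-test
  template:
    metadata:
      labels:
        app: replica-test
    spec:
      containers:
        - name: pause
          image: registry.k8s.io/pause:3.9
```

Raising `minReplicas` in the ConfigMap changes enforcement without touching the policy or binding, which is the point of `paramKind`/`paramRef`. Note that the binding, not the policy, carries the namespace scope: applying only the first document defines the rule but enforces nothing until the binding exists and the target namespace carries the selector label.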
Known gotchas
ValidatingAdmissionPolicy does not require a running webhook process, but it does require the feature to be enabled in the API server; on managed Kubernetes services, verify the version and feature availability.
CEL expressions run synchronously in the API server on every matching request; complex or slow expressions add directly to API server latency, so keep expressions simple and avoid iterating over large lists.
The ValidatingAdmissionPolicyBinding controls enforcement scope independently of the policy; a policy without any binding is defined but never enforced, which can be misleading during debugging.