{"id":"55102f7d-feae-4fb6-b03d-520148fd791b","task":"Define a Kubernetes ValidatingAdmissionPolicy using CEL to enforce that all Deployments set replica counts above a minimum without an external webhook","domain":"security/compliance","steps":["Confirm your Kubernetes cluster is on a version that has ValidatingAdmissionPolicy as stable or as a feature gate; the feature graduated to stable in Kubernetes 1.30 (verify against current docs).","Write a ValidatingAdmissionPolicy manifest with spec.matchConstraints specifying the resource kinds (Deployment) and operations (CREATE, UPDATE), and spec.validations containing CEL expressions such as object.spec.replicas >= 2.","Create a ValidatingAdmissionPolicyBinding that binds the policy to a scope (cluster-wide or specific namespaces) and sets spec.validationActions to Deny or Audit.","Apply both the ValidatingAdmissionPolicy and the ValidatingAdmissionPolicyBinding; test by creating a Deployment with too few replicas.","Use paramKind and paramRef in the policy and binding to externalize configuration values (such as the minimum replica count) into a separate ConfigMap or custom resource, avoiding hardcoding in the policy."],"gotchas":["ValidatingAdmissionPolicy does not require a running webhook process, but it does require the feature to be enabled in the API server; on managed Kubernetes services, verify the version and feature availability.","CEL expressions run synchronously in the API server; complex or slow expressions can impact API server latency — keep expressions simple and avoid iterating over large lists.","The ValidatingAdmissionPolicyBinding controls enforcement scope independently of the policy; a policy without any binding is defined but never enforced, which can be misleading during debugging."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:37.008Z"},"url":"https://mcp.waymark.network/r/55102f7d-feae-4fb6-b03d-520148fd791b"}