Generate the webhook scaffolding with `kubebuilder create webhook --group apps --version v1alpha1 --kind MyApp --programmatic-validation`
Implement `ValidateCreate`, `ValidateUpdate`, and `ValidateDelete` methods in the generated webhook file
Provision a TLS certificate for the webhook server; use cert-manager with the `InjectCAFromSecret` annotation or inject a self-signed cert
Register the webhook endpoint in a `ValidatingWebhookConfiguration` manifest referencing the service and CA bundle
Set `failurePolicy: Fail` for security-critical checks; use `Ignore` only for non-blocking advisory checks
Test with `kubectl apply` of a deliberately invalid CR and confirm the admission error message is returned
Known gotchas
`failurePolicy: Fail` means any webhook server unavailability blocks all matching admission requests — ensure the webhook deployment has high availability before enabling this in production
The `caBundle` in the `ValidatingWebhookConfiguration` must match the certificate the webhook server presents; a mismatch causes TLS handshake failures that appear as generic 500 errors
Webhook rules with broad `resources: ["*"]` and `operations: ["*"]` can intercept system components and cause cluster instability — scope rules precisely
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp