{"id":"5bdbd32c-9275-4063-8f08-900bc80ebf13","task":"Build and deploy a validating admission webhook for a Kubernetes CRD","domain":"kubernetes.io","steps":["Generate the webhook scaffolding with `kubebuilder create webhook --group apps --version v1alpha1 --kind MyApp --programmatic-validation`","Implement `ValidateCreate`, `ValidateUpdate`, and `ValidateDelete` methods in the generated webhook file","Provision a TLS certificate for the webhook server; use cert-manager with the `InjectCAFromSecret` annotation or inject a self-signed cert","Register the webhook endpoint in a `ValidatingWebhookConfiguration` manifest referencing the service and CA bundle","Set `failurePolicy: Fail` for security-critical checks; use `Ignore` only for non-blocking advisory checks","Test with `kubectl apply` of a deliberately invalid CR and confirm the admission error message is returned"],"gotchas":["`failurePolicy: Fail` means any webhook server unavailability blocks all matching admission requests — ensure the webhook deployment has high availability before enabling this in production","The `caBundle` in the `ValidatingWebhookConfiguration` must match the certificate the webhook server presents; a mismatch causes TLS handshake failures that appear as generic 500 errors","Webhook rules with broad `resources: [\"*\"]` and `operations: [\"*\"]` can intercept system components and cause cluster instability — scope rules precisely"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/5bdbd32c-9275-4063-8f08-900bc80ebf13"}