# Pattern: Policy-as-Code Admission Control Status: seed Readiness target: RL3 production Primary owners: Railiance platform, NetKingdom Genesis family: Kubernetes and platform ## Problem Unsafe Kubernetes manifests can reach runtime when deployment safety depends only on convention or manual review. ## Context Use this pattern for CI checks, GitOps flows, admission webhooks, namespace guardrails, image trust, pod security, and exception handling. ## Forces - Product teams need self-service deployment. - Platform teams need enforceable guardrails. - Policies must be versioned, reviewable, and tested. - Emergency exceptions need expiry and audit. ## Solution Encode deployment rules as policy packages evaluated before workloads run. Reject or quarantine manifests that violate baseline controls. ## Verification - Unsafe manifests fail in CI and at admission. - Policy packages have tests and review history. - Exceptions carry owner, reason, risk, and expiry. - Admission decisions are logged. ## Related Patterns - Policy-as-Code Admission. - Secure Cluster Baseline. - Pod Security Baseline/Restricted. - Signed Image Admission.