generated from coulomb/repo-seed
Pattern: Policy-as-Code Admission Control
Status: seed
Readiness target: RL3 production
Primary owners: Railiance platform, NetKingdom
Genesis family: Kubernetes and platform
Problem
Unsafe Kubernetes manifests can reach runtime when deployment safety depends only on convention or manual review.
Context
Use this pattern for CI checks, GitOps flows, admission webhooks, namespace guardrails, image trust, pod security, and exception handling.
Forces
- Product teams need self-service deployment.
- Platform teams need enforceable guardrails.
- Policies must be versioned, reviewable, and tested.
- Emergency exceptions need expiry and audit.
Solution
Encode deployment rules as policy packages evaluated before workloads run. Reject or quarantine manifests that violate baseline controls.
Verification
- Unsafe manifests fail in CI and at admission.
- Policy packages have tests and review history.
- Exceptions carry owner, reason, risk, and expiry.
- Admission decisions are logged.
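As an added illustration of the Solution and Verification points above (not code from the pattern library or its owners), the following Python sketch evaluates a small policy package against a constructed pod manifest, honours an exception record only when it carries owner, reason, risk and an unexpired expiry, and returns an audit record suitable for logging; the policy names, manifest values and record layout are assumptions.

```python
"""Minimal policy-as-code admission check (illustrative, not a real admission
controller). Each policy is a function over a parsed manifest; an exception
record may waive one named policy until its expiry date."""
from datetime import date


# Baseline controls: each returns a violation message, or None when satisfied.
def deny_privileged(m):
    for c in m["spec"].get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            return f"container {c['name']} runs privileged"
    return None

def require_digest_pinned_image(m):
    for c in m["spec"].get("containers", []):
        if "@sha256:" not in c["image"]:
            return f"container {c['name']} image is not pinned by digest"
    return None

def deny_host_network(m):
    return "pod shares the host network" if m["spec"].get("hostNetwork") else None

# The "policy package": versioned and reviewed alongside the code that uses it.
POLICIES = {"deny-privileged": deny_privileged,
            "require-digest": require_digest_pinned_image,
            "deny-host-network": deny_host_network}

def admit(manifest, exceptions=(), today=None):
    """Evaluate every policy; return (allowed, audit_record)."""
    today = date.fromisoformat(today) if today else date.today()
    violations, waived = [], []
    for name, rule in POLICIES.items():
        msg = rule(manifest)
        if not msg:
            continue
        exc = next((e for e in exceptions if e.get("policy") == name), None)
        # An exception counts only if it is complete and has not expired.
        if (exc and all(k in exc for k in ("owner", "reason", "risk", "expiry"))
                and date.fromisoformat(exc["expiry"]) >= today):
            waived.append((name, exc["owner"]))
        else:
            violations.append(f"{name}: {msg}")
    record = {"pod": manifest["metadata"]["name"], "allowed": not violations,
              "violations": violations, "waived": waived}  # log this record
    return record["allowed"], record

# Constructed sample manifest (assumed values, not from any real cluster).
SAMPLE = {"metadata": {"name": "web"},
          "spec": {"hostNetwork": False,
                   "containers": [{"name": "app",
                                   "image": "registry.example/app:1.2",
                                   "securityContext": {"privileged": True}}]}}
```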
Related Patterns
- Policy-as-Code Admission.
- Secure Cluster Baseline.
- Pod Security Baseline/Restricted.
- Signed Image Admission.