Admission controls that developers do not fight

Kubernetes Delivery Patterns spends time on admission webhooks because misconfigured policies create toil faster than they prevent incidents. We ask participants to write policies that emit actionable errors and link to internal docs.

A policy that only says forbidden is a ticket generator. A policy that cites the owning team and remediation path earns repeat use.

We also discuss exception workflows: time-bound waivers, approvals, and telemetry proving the waiver is rare. Without that pathway, teams route around controls in ways auditors dislike.

The goal is not maximal restriction; it is predictable friction aligned with risk.