**Approach (brief)** Validate AdmissionReview requests for Pod/Deployment specs; reject if cpu/memory requests/limits outside policy.**Pseudocode (core webhook handler)**python
# webhook.py (pseudocode)
def handle_admission_review(admission_review):
req = admission_review.request
obj = decode_resource(req.object) # Pod template for Pod or Deployment
containers = obj.spec.containers
violations = []
for c in containers:
req_cpu = parse_quantity(c.resources.requests.cpu or "0")
lim_cpu = parse_quantity(c.resources.limits.cpu or "0")
req_mem = parse_quantity(c.resources.requests.memory or "0")
lim_mem = parse_quantity(c.resources.limits.memory or "0")
if req_cpu < parse_quantity("100m"):
violations.append(f"{c.name}: requests.cpu {c.resources.requests.cpu} < 100m")
if lim_cpu > parse_quantity("500m"):
violations.append(f"{c.name}: limits.cpu {c.resources.limits.cpu} > 500m")
if req_mem < parse_quantity("128Mi"):
violations.append(f"{c.name}: requests.memory {c.resources.requests.memory} < 128Mi")
if lim_mem > parse_quantity("1Gi"):
violations.append(f"{c.name}: limits.memory {c.resources.limits.memory} > 1Gi")
if violations:
return admission_response(allowed=False, status_message="; ".join(violations))
else:
return admission_response(allowed=True)
**Example rejection AdmissionReview response (payload)**json
{
"apiVersion":"admission.k8s.io/v1",
"kind":"AdmissionReview",
"response":{
"uid":"<request-uid>",
"allowed": false,
"status":{
"code": 403,
"message":"container nginx: requests.cpu 50m < 100m; container nginx: limits.memory 2Gi > 1Gi"
}
}
}
**Register & secure webhook (high-level)**- Register ValidatingWebhookConfiguration pointing to service namespace/name, operations CREATE/UPDATE, resources pods, deployments, and appropriate failurePolicy and sideEffects.- TLS: serve webhook over HTTPS with a serving certificate signed by cluster CA or use cert-manager to provision secrets; put CA bundle in ValidatingWebhookConfiguration's clientConfig.caBundle.- RBAC: give the webhook service account minimal privileges (if it needs to read objects, grant get/list/watch on pods/deployments); typically webhook only needs to read request body, so minimal RBAC.- Additional: restrict webhook to desired namespaces via namespaceSelector, and enable logging/metrics and health/readiness probes to avoid blocking API server.