Session

Extending Kubernetes Admission Control: Dynamic Cross-Resource Policy Validation

Kubernetes’ ValidatingAdmissionPolicy API enables powerful declarative policy enforcement, but managing ValidatingAdmissionPolicyBindings at scale is challenging. At ServiceNow, we found that we would need to deploy and constantly maintain hundreds of bindings per policy in each of our clusters.

To solve this, we built an operator that integrates with the ValidatingAdmissionPolicy API by modifying the resource referenced in the ValidatingAdmissionPolicyBinding's paramRef, enabling dynamic cross-resource validation. The operator transfers data from source-of-truth resources into the paramRef resource of each ValidatingAdmissionPolicyBinding, keeping policies consistent and replacing the need for hundreds of bindings to distinct resources.

We’ll dive deep into the solution and demo how the operator provides a manageable way to implement sophisticated validation scenarios, such as implementing policy exemption mechanisms or tying the policy management configuration to your fleet-management system.
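The pattern the abstract describes rests on one property of the API: a ValidatingAdmissionPolicy declares a paramKind, each binding points at one instance of that kind through paramRef, and the CEL expressions read it as `params`. The manifests below are an added illustration, not the speaker's operator or ServiceNow code: a single policy and a single binding whose behaviour is driven entirely by one ConfigMap, which is the resource an operator of the kind described would keep in sync from a source of truth (here, a namespace exemption list). The policy, binding, ConfigMap and namespace names are assumptions.

```yaml
# Added example (not from the talk): one policy + one binding + one param
# ConfigMap. Changing the ConfigMap changes enforcement for every matching
# request, so no per-namespace bindings are needed.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-owner-label            # assumed name
spec:
  failurePolicy: Fail                  # fail closed if CEL evaluation errors
  paramKind:
    apiVersion: v1
    kind: ConfigMap                    # the paramRef resource type
  matchConstraints:
    resourceRules:
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["deployments"]
  variables:
  # Exemption list lives in the param ConfigMap, not in the policy or binding.
  - name: exemptNamespaces
    expression: "params.data['exemptNamespaces'].split(',')"
  validations:
  - expression: >-
      object.metadata.namespace in variables.exemptNamespaces ||
      (has(object.metadata.labels) && 'owner' in object.metadata.labels)
    message: "Deployments must carry an 'owner' label unless the namespace is exempt."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-owner-label-binding    # assumed name
spec:
  policyName: require-owner-label
  validationActions: ["Deny"]
  paramRef:
    name: require-owner-label-params   # the resource an operator would maintain
    namespace: policy-system           # assumed namespace
    parameterNotFoundAction: Deny      # missing params must not silently allow
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: require-owner-label-params
  namespace: policy-system
data:
  # Constructed sample value; an operator would derive this from source-of-truth
  # resources rather than from a hand-edited manifest.
  exemptNamespaces: "kube-system,monitoring"
```

Two settings carry the security weight: `failurePolicy: Fail` on the policy and `parameterNotFoundAction: Deny` on the binding. Without them, a deleted or malformed param ConfigMap turns the control into a no-op rather than a block, which is exactly the failure mode an operator writing the paramRef resource has to be held to. Write access to the param ConfigMap is equivalent to write access to the policy itself, so it should be scoped with the same RBAC care as the ValidatingAdmissionPolicy objects.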

Felipe Alves

Senior Staff Software Engineer at ServiceNow

Athlone, Ireland


