Description
This is a feature suggestion for ValidatingAdmissionPolicy (VAP). It may depend on other enhancements to workload types before it becomes tractable.
Writing a VAP that verifies all PodSpecs is difficult/impossible. PodSpecs are embedded in multiple built-in types (Deployments, Jobs...) as well as CRDs.
Even writing a VAP to validate the containers in a Pod requires writing validation code in triplicate to handle containers, initContainers and ephemeralContainers.
Writing a VAP against Pod and all the other built-in types that embed PodSpec is even more difficult and is at risk of not validating types that are introduced AFTER the VAP is authored.
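To make the triplication concrete, here is an added example (not part of the issue, and not code from the Kubernetes project) that enforces a single rule, "every container image must come from an allowed registry", with today's v1 ValidatingAdmissionPolicy API (Kubernetes 1.30 or later). The registry prefix registry.example.com and the policy and binding names are assumptions. The Pod policy has to gather containers, initContainers and ephemeralContainers by hand, and because ephemeral containers are only ever added through the pods/ephemeralcontainers subresource, a rule that matches only "pods" never sees them; the Deployment/Job policy must repeat the same logic at a different path, and CronJob or any CRD embedding a PodSpec would need yet another copy.

```yaml
# Added example: one image-registry rule applied across all container lists
# of a Pod, and separately to workloads that embed a PodSpec at spec.template.spec.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: pod-image-registry            # assumed name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        # ephemeral containers arrive only via this subresource; "pods" alone misses them
        resources: ["pods", "pods/ephemeralcontainers"]
  variables:
    # initContainers and ephemeralContainers are optional, hence the has() guards
    - name: allContainers
      expression: >-
        object.spec.containers
        + (has(object.spec.initContainers) ? object.spec.initContainers : [])
        + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
  validations:
    - expression: variables.allContainers.all(c, c.image.startsWith('registry.example.com/'))
      message: "all containers (including init and ephemeral) must use images from registry.example.com"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: workload-template-image-registry   # assumed name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps", "batch"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "statefulsets", "daemonsets", "replicasets", "jobs"]
  variables:
    # same rule, different path: the PodSpec is embedded at spec.template.spec here;
    # CronJob (spec.jobTemplate.spec.template.spec) and CRDs would need yet another copy
    - name: allContainers
      expression: >-
        object.spec.template.spec.containers
        + (has(object.spec.template.spec.initContainers) ? object.spec.template.spec.initContainers : [])
  validations:
    - expression: variables.allContainers.all(c, c.image.startsWith('registry.example.com/'))
      message: "all containers in the pod template must use images from registry.example.com"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: pod-image-registry-binding         # assumed name
spec:
  policyName: pod-image-registry
  validationActions: [Deny]
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: workload-template-image-registry-binding   # assumed name
spec:
  policyName: workload-template-image-registry
  validationActions: [Deny]
```

Apply with kubectl apply -f and check status.typeChecking on each policy: the API server type-checks the CEL against every matched kind and reports mismatched paths there, which is the first place a missed embedding shows up. A second workload policy with Warn or Audit in validationActions is a safe way to discover which existing objects would be rejected before switching to Deny.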
If CRDs were to clearly identify where PodSpecs were embedded, and VAP had a way to match "all resources that embed PodSpec", this could become feasible.
This idea has come up multiple times and relates to topics such as CRX and "workload type embedding", so I'd like to open this tracker to allow for discussion.
/sig api-machinery