It is bothering me how admission control webhooks work alongside #kubernetes controller reconciliation. If the admission controller doesn’t agree on what desired state looks like, I don’t think it can settle, right? (e.g. if desired state clashes with a policy check)
I think the normal next step is that a human intervenes because they’re seeing alerts generated at admission control.
Another option would be a mutating webhook changing the request, but what if that still doesn’t match the controller’s desired state?
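The three outcomes raised above, as an added example that is not part of the original post: a simplified Go model of a reconcile loop submitting its desired state through a mutate-then-validate admission chain. `Spec`, `Admission`, `Reconcile` and the policy helpers are hypothetical names, and nothing here calls the Kubernetes API; the model assumes the controller treats only the fields it sets itself as drift.

```go
package main

import "fmt"

type Spec map[string]string
// Admission models the webhook chain: mutating step first, then validating.
type Admission struct {
	Mutate   func(Spec) Spec
	Validate func(Spec) bool // true = admitted
}
// Hypothetical policies used to build the scenarios in main.
func keep(s Spec) Spec { return s }
func allow(Spec) bool  { return true }
func setField(k, v string) func(Spec) Spec {
	return func(s Spec) Spec { s[k] = v; return s }
}
func denyField(k, v string) func(Spec) bool {
	return func(s Spec) bool { return s[k] != v }
}

// Reconcile retries until the stored object matches the fields the controller owns.
func Reconcile(desired Spec, adm Admission, rounds int) (string, int, int) {
	stored, writes, denials := Spec{}, 0, 0
	for i := 0; i < rounds; i++ {
		drift, req := false, Spec{}
		for k, v := range desired {
			drift = drift || stored[k] != v // only owned fields count as drift
			req[k] = v
		}
		if !drift {
			return "converged", writes, denials
		}
		if req = adm.Mutate(req); !adm.Validate(req) {
			denials++ // rejected: nothing stored, the controller retries
			continue
		}
		stored, writes = req, writes+1
	}
	if writes == 0 {
		return "blocked", writes, denials
	}
	return "fighting", writes, denials
}

func main() {
	want := Spec{"privileged": "true"} // constructed desired state
	fmt.Println(Reconcile(want, Admission{keep, denyField("privileged", "true")}, 5))
	fmt.Println(Reconcile(want, Admission{setField("privileged", "false"), allow}, 5))
	fmt.Println(Reconcile(want, Admission{setField("team", "x"), allow}, 5))
}
```

A rising denial count with no writes, or a write on every pass with no convergence, are the two signals worth alerting on; the third scenario settles because the injected field is not one the controller compares.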