Admission webhooks and the art of saying "not yet"

A mutating webhook that quietly fixes everything feels magical until it hides a dependency you never learned. We prefer webhooks that sometimes answer "not yet" with a clear reason code application teams can act on. That posture requires empathy for release managers who already juggle six deadlines. The training lab asks participants to write the human-readable rejection copy before writing the rule. Finally, we discuss operational load: every synchronous call is budgeted. If your policy stack cannot meet latency budgets, the correct answer may be moving checks earlier in CI—not adding more synchronous hooks.