The Policy That Wrote Itself
12 teams. 47 namespaces. 1 security requirement. 0 teams wanted to write policies.
The mandate came down: every workload must satisfy a baseline pod security policy. No root containers. No privilege escalation. No hostPath volumes. Standard stuff. Every team got the requirement. Then the work stalled.
Policy-as-Code is powerful. Enforcement at admission time rejects a non-compliant Pod at the API server, before it is ever persisted to etcd or scheduled. But power has a price: someone has to write the YAML.
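As an added example (not from the original post, which shows none of the teams' actual policies), here is the three-rule baseline written once as a single cluster-wide policy. The engine is an assumption: the post names none, and Kyverno is used here because its policies are plain Kubernetes YAML. The excluded namespace list is illustrative and would be set to whatever the platform team owns.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-security
spec:
  # Enforce rejects Pods at admission. Run with Audit first to see what
  # would be blocked without breaking anyone's deploy.
  validationFailureAction: Enforce
  # Also evaluate Pods that already exist, so pre-existing violations
  # show up in policy reports instead of only at the next rollout.
  background: true
  rules:
    # Every rule matches Pods cluster-wide and carves out the platform-owned
    # namespaces once, centrally, so no team has to remember to scope it.
    # The namespace list is an assumption; adjust it to the cluster.
    - name: disallow-privilege-escalation
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system, kube-public, monitoring]
      validate:
        message: "allowPrivilegeEscalation must be set to false on every container."
        pattern:
          spec:
            # =(key) marks the key optional; when present its children are checked.
            # The field defaults to true when unset, so it must be explicitly false.
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system, kube-public, monitoring]
      validate:
        message: "Running as root is not allowed: set runAsNonRoot=true at the Pod level or on every container."
        anyPattern:
          # Either the Pod-level field is true and no container overrides it to false...
          - spec:
              securityContext:
                runAsNonRoot: "true"
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): "true"
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsNonRoot): "true"
              containers:
                - =(securityContext):
                    =(runAsNonRoot): "true"
          # ...or every container sets it itself.
          - spec:
              =(initContainers):
                - securityContext:
                    runAsNonRoot: "true"
              =(ephemeralContainers):
                - securityContext:
                    runAsNonRoot: "true"
              containers:
                - securityContext:
                    runAsNonRoot: "true"
    - name: disallow-host-path
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system, kube-public, monitoring]
      validate:
        message: "hostPath volumes are not allowed."
        pattern:
          spec:
            # X(key) forbids the key: any volume carrying hostPath fails.
            =(volumes):
              - X(hostPath): "null"
```

Apply it with kubectl and submit a Pod whose containers omit securityContext: the API server rejects the create with the rule's message. The exclude block is the part worth reading twice. Without it, the policy also fires on system and monitoring Pods, which is exactly the outage a per-team copy-paste produces when the scoping is left out.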
Team A wrote a policy. 34 lines. Solid.
Team B copy-pasted it. Forgot to update the label selectors. Now it applies to everything, including system services. Everything gets rejected. Team B spends four hours debugging why their monitoring won't deploy.
Team C started from scratch. Different syntax. Nested conditions. Hard to read. Works, mostly.
Team D went with "we'll do it next sprint." Still waiting.
The pattern was obvious: enforcement is easy. Enforcement at scale isn't. Every team writing their own policies means every team makes the same mistakes.
Same mistakes repeated 12 times is an incident waiting to happen.