Kubernetes introduced external admission control in v1.7 to allow administrators to define policies for what objects can be admitted into a cluster.

One way to enforce these policies is through validating admission policies, which use the Common Expression Language (CEL) to declare validation rules.

Kubescape, a CNCF project for Kubernetes cluster security, has converted many of its controls to CEL and built a library of validating admission policies, which can be installed in a Kubernetes cluster using a selector and applied to objects using a ValidatingAdmissionPolicyBinding resource.

This feature is currently in alpha and not yet production-ready, but it is a promising native solution for enforcing policies in a Kubernetes cluster.