When your admission webhook crashes, every create and update it intercepts starts failing. The usual fix is failurePolicy: Ignore, but that silently skips the webhook for everything, which you do not always want. A narrower escape hatch is a namespaceSelector that excludes a single “safe” namespace. If the webhook is down, you can still scale your workloads in that namespace, and cluster operations continue.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: policy-guard
webhooks:
  - name: validate.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
    clientConfig:
      service:
        name: policy-guard
        namespace: policy
        path: /validate
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    namespaceSelector:
      matchExpressions:
        - key: policy.example.com/skip-webhook
          operator: DoesNotExist

Then, to skip the webhook, label the namespace:

kubectl label namespace kube-system policy.example.com/skip-webhook=yes

The inverse form (DoesNotExist) is what you want: by default every namespace is in scope, and only labeled ones opt out. If you use Exists instead, every namespace is opt-in and your webhook quietly protects nothing.
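To make the opt-out versus opt-in difference concrete, here is an added example (not code from the original post) that reimplements the label-selector semantics the API server applies to namespaceSelector (matchLabels plus matchExpressions with In, NotIn, Exists and DoesNotExist) and evaluates both forms against a few constructed namespaces. The namespace names and labels are made up for the example; the label key is the one from the configuration above.

```python
"""Evaluate a Kubernetes namespaceSelector against namespace labels.

Added example: reimplements Kubernetes label-selector semantics so you can
see which namespaces a webhook will cover before you ship the configuration.
The sample namespaces below are constructed for the example.
"""

SKIP_LABEL = "policy.example.com/skip-webhook"

# Constructed sample: namespace name -> labels, roughly what
# `kubectl get ns --show-labels` would report.
SAMPLE_NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "payments": {"kubernetes.io/metadata.name": "payments", "team": "fintech"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system", SKIP_LABEL: "yes"},
}


def expression_matches(labels, expr):
    """One matchExpressions entry, with the same edge cases as the API server:
    In requires the key to exist; NotIn also matches when the key is absent."""
    key = expr["key"]
    op = expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")


def selector_matches(labels, selector):
    """All matchLabels and all matchExpressions must hold (AND semantics).
    An empty selector ({}) matches every namespace, as in the API server."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(expression_matches(labels, e) for e in selector.get("matchExpressions", []))


def namespaces_in_scope(namespaces, selector):
    """Namespaces whose pods the webhook will actually be called for."""
    return sorted(ns for ns, labels in namespaces.items() if selector_matches(labels, selector))


def namespaces_exempt(namespaces, selector):
    """The complement: namespaces the webhook silently skips. Worth reviewing
    periodically, since every entry here is a policy bypass."""
    covered = set(namespaces_in_scope(namespaces, selector))
    return sorted(ns for ns in namespaces if ns not in covered)


# The selector from the configuration above (opt-out) and its Exists twin (opt-in).
OPT_OUT = {"matchExpressions": [{"key": SKIP_LABEL, "operator": "DoesNotExist"}]}
OPT_IN = {"matchExpressions": [{"key": SKIP_LABEL, "operator": "Exists"}]}

if __name__ == "__main__":
    print("DoesNotExist (opt-out) covers:", namespaces_in_scope(SAMPLE_NAMESPACES, OPT_OUT))
    print("DoesNotExist (opt-out) exempts:", namespaces_exempt(SAMPLE_NAMESPACES, OPT_OUT))
    print("Exists (opt-in) covers:", namespaces_in_scope(SAMPLE_NAMESPACES, OPT_IN))
```

With the sample data, DoesNotExist covers default and payments and exempts only kube-system, while Exists covers only kube-system, the one namespace that happened to carry the label. Because the label is the bypass, write access to namespace labels is effectively the ability to switch the policy off for that namespace, so the list returned by namespaces_exempt is the thing to keep an eye on.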

See also /posts/admission-webhook-crash-loop/.