apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "check-deployment-namespace"
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:
      - apps
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resources:
      - deployments
  validations:
  - expression: "namespaceObject.metadata.name != 'default'"
    message: "Using 'default' namespace is not allowed for pod controllers."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "check-deployment-namespace-binding"
spec:
  policyName: "check-deployment-namespace"
  validationActions: [Deny]
  matchResources:
    objectSelector:
      matchLabels:
        app: nginx