Kubernetes v1.36 introduces an alpha feature that addresses the challenge of enforcing security policies across cluster bootstrap: manifest-based admission control. It lets you define admission webhooks and CEL-based policies as files on disk, loaded by the API server at startup, before it serves any requests, ensuring they can’t be deleted or bypassed.