- validate kustomize build with kubeval strict mode
- deny containers with latest image tag
- deny deployments and services without app label selector
- warn if deployments have no prometheus pod annotations
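
The deny and warn rules listed above, sketched as an added example (not this project's own policy code): the function names and sample manifests are constructed, and the warning assumes the common `prometheus.io/*` pod annotation convention. It also shows that a latest-tag check has to treat an untagged image as `latest`, ignore a registry port, and accept digest-pinned images.

```python
# Added example: hypothetical helper names, constructed manifests.
def image_tag(image):
    """Effective tag of an image reference; None when pinned by digest."""
    if "@" in image:                    # name@sha256:... is immutable
        return None
    last = image.rsplit("/", 1)[-1]     # skip a registry port like host:5000/
    return last.split(":", 1)[1] if ":" in last else "latest"  # untagged = latest

def deny(obj):
    """Deny messages for one rendered manifest, given as a dict."""
    kind, name = obj.get("kind"), obj.get("metadata", {}).get("name", "?")
    spec = obj.get("spec") or {}
    pod = (spec.get("template") or {}).get("spec") or {}
    msgs = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        if image_tag(c.get("image", "")) == "latest":
            msgs.append(f"{kind}/{name}: container {c.get('name')} uses the latest tag")
    if kind == "Deployment":
        selector = (spec.get("selector") or {}).get("matchLabels") or {}
    elif kind == "Service":
        selector = spec.get("selector") or {}
    else:
        return msgs
    if "app" not in selector:
        msgs.append(f"{kind}/{name}: selector has no app label")
    return msgs

def warn(obj):
    """Warning messages; assumes the prometheus.io/* annotation convention."""
    if obj.get("kind") != "Deployment":
        return []
    meta = ((obj.get("spec") or {}).get("template") or {}).get("metadata") or {}
    if any(k.startswith("prometheus.io/") for k in meta.get("annotations") or {}):
        return []
    name = obj.get("metadata", {}).get("name", "?")
    return [f"Deployment/{name}: pod template has no prometheus.io annotations"]

# Constructed sample objects, as they might appear in rendered kustomize output.
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {
    "selector": {"matchLabels": {"name": "web"}},
    "template": {"metadata": {"labels": {"name": "web"}}, "spec": {"containers": [
        {"name": "web", "image": "registry.example:5000/web"},
        {"name": "proxy", "image": "registry.example:5000/proxy:1.4.2"},
        {"name": "agent", "image": "example/agent@sha256:" + "0" * 64}]}}}}
SERVICE = {"kind": "Service", "metadata": {"name": "web"},
           "spec": {"selector": {"app": "web"}, "ports": [{"port": 80}]}}

if __name__ == "__main__":
    print("\n".join(m for o in (DEPLOYMENT, SERVICE) for m in deny(o) + warn(o)))
```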