It's definitely possible to use a Kubernetes AdmissionController to call out to SpiceDB, but you'd probably be the first person doing so in the open. It definitely requires a bit of additional code to convert the payload into something SpiceDB understands and then convert SpiceDB's response back into the AdmissionReview Response that Kubernetes is expecting. I imagine it'd end up looking a bit like our prom-authzed-proxy if you squint, which looks at PromQL API requests and turns them into SpiceDB checks.
https://github.com/authzed/prom-authzed-proxy
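
A minimal sketch of the conversion described above, as an added example that is not part of the original reply and not code from prom-authzed-proxy. The `Check` struct and the `check` callback are hypothetical stand-ins for a SpiceDB permission check, and the mapping (namespace as resource, `<operation>_<resource>` as permission, username as subject) is an assumed schema; the sample AdmissionReview is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the admission.k8s.io/v1 AdmissionReview wire format.
type Review struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *Request  `json:"request,omitempty"`
	Response   *Response `json:"response,omitempty"`
}
type Request struct { // decode-only; encoding/json matches keys case-insensitively
	UID, Operation, Namespace string
	Resource                  struct{ Resource string }
	UserInfo                  struct{ Username string }
}
type Response struct {
	UID     string                 `json:"uid"`
	Allowed bool                   `json:"allowed"`
	Status  map[string]interface{} `json:"status,omitempty"`
}

// Check is a hypothetical stand-in for the fields of a SpiceDB permission check.
type Check struct{ ResourceType, ResourceID, Permission, SubjectType, SubjectID string }
// Admit maps the request to a Check (assumed schema) and wraps the verdict in a response.
func Admit(body []byte, check func(Check) (bool, error)) ([]byte, error) {
	var in Review
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview: %v", err)
	}
	r, resp := in.Request, &Response{UID: in.Request.UID} // uid must be echoed back
	perm := strings.ToLower(r.Operation) + "_" + r.Resource.Resource
	if ok, err := check(Check{"namespace", r.Namespace, perm, "user", r.UserInfo.Username}); err == nil && ok {
		resp.Allowed = true
	} else { // deny on "no" and on backend errors alike (fail closed)
		resp.Status = map[string]interface{}{"code": 403, "message": "denied by authorization check"}
	}
	return json.Marshal(Review{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp})
}

func main() {
	body := []byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u-1","operation":"CREATE","namespace":"dev","resource":{"resource":"pods"},"userInfo":{"username":"alice"}}}`) // constructed sample
	out, _ := Admit(body, func(c Check) (bool, error) { return c.SubjectID == "alice", nil })
	fmt.Println(string(out))
}
```

In a real webhook the callback would wrap the SpiceDB client call, and Kubernetes usernames would first need mapping to identifiers the SpiceDB schema accepts.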