diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
new file mode 100644
index 00000000..325e484c
--- /dev/null
+++ b/.github/workflows/integration_test.yml
@@ -0,0 +1,43 @@
+name: integration
+
+on:
+  push:
+    branches: [ master, dev ]
+  pull_request:
+    branches: [ master, dev ]
+
+jobs:
+  integration:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        namespace: [policy-system, test-system]
+    steps:
+      - name: Checkout repo 
+        uses: actions/checkout@v3
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3
+      - name: Install kind
+        uses: helm/kind-action@v1.3.0
+        with:
+          install_only: true
+      - name: setup go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.17'
+          cache: true
+      - name: Run tests
+        env:
+          NAMESPACE: ${{ matrix.namespace }}
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        run: |
+          make build
+
+          VERSION=$(cat ./version.txt)
+          docker build -t weaveworks/policy-agent:${VERSION} .
+
+          cd test/integration
+          bash deploy.sh
+          go test -v ./...
diff --git a/Makefile b/Makefile
index b26391de..c352129b 100644
--- a/Makefile
+++ b/Makefile
@@ -73,7 +73,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -v ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -v ./internal/... ./controllers/... ./pkg/... -coverprofile cover.out
 
 ##@ Build
 
diff --git a/internal/terraform/terraform.go b/internal/terraform/terraform.go
index fa15bfca..564d341c 100644
--- a/internal/terraform/terraform.go
+++ b/internal/terraform/terraform.go
@@ -12,7 +12,7 @@ import (
 )
 
 const (
-	TypeTerraform = "Terraform"
+	TypeTFAdmission = "TFAdmission"
 )
 
 type Response struct {
diff --git a/main.go b/main.go
index 4e2970f0..72e4bf18 100644
--- a/main.go
+++ b/main.go
@@ -388,7 +388,7 @@ func main() {
 			validator := validation.NewOPAValidator(
 				policiesSource,
 				false,
-				terraform.TypeTerraform,
+				terraform.TypeTFAdmission,
 				config.AccountID,
 				config.ClusterID,
 				terraformSinks...,
diff --git a/test/integration/data/resources/admission_test_resources.yaml b/test/integration/data/resources/admission_test_resources.yaml
new file mode 100644
index 00000000..851fb698
--- /dev/null
+++ b/test/integration/data/resources/admission_test_resources.yaml
@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: orphan-deployment
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: orphan-deployment
+  template:
+    metadata:
+      labels:
+        app: orphan-deployment
+    spec:
+      containers:
+      - name: ubuntu
+        image: ubuntu:latest
+        command: ["sleep", "100d"]
+        securityContext:
+          privileged: true
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-deployment
+  template:
+    metadata:
+      labels:
+        app: test-deployment
+    spec:
+      containers:
+      - name: ubuntu
+        image: ubuntu:latest
+        command: ["sleep", "100d"]
+        securityContext:
+          privileged: true
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: helm-app-deployment
+  namespace: default
+  labels:
+    helm.toolkit.fluxcd.io/name: helm-app
+    helm.toolkit.fluxcd.io/namespace: flux-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: helm-app-deployment
+  template:
+    metadata:
+      labels:
+        app: helm-app-deployment
+    spec:
+      containers:
+      - name: ubuntu
+        image: ubuntu:latest
+        command: ["sleep", "100d"]
+        securityContext:
+          privileged: true
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kustomize-app-deployment
+  namespace: default
+  labels:
+    kustomize.toolkit.fluxcd.io/name: kustomize-app
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kustomize-app-deployment
+  template:
+    metadata:
+      labels:
+        app: kustomize-app-deployment
+    spec:
+      containers:
+      - name: ubuntu
+        image: ubuntu:latest
+        command: ["sleep", "100d"]
+        securityContext:
+          privileged: true
+
diff --git a/test/integration/data/resources/audit_test_resources.yaml b/test/integration/data/resources/audit_test_resources.yaml
new file mode 100644
index 00000000..79820a96
--- /dev/null
+++ b/test/integration/data/resources/audit_test_resources.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-1
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: deployment-1
+  template:
+    metadata:
+      labels:
+        app: deployment-1
+    spec:
+      containers:
+      - name: ubuntu
+        image: ubuntu:latest
+        command: ["sleep", "100d"]
+        securityContext:
+          privileged: true
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-2
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: deployment-2
+  template:
+    metadata:
+      labels:
+        app: deployment-2
+    spec:
+      containers:
+      - name: ubuntu
+        image: ubuntu:latest
+        command: ["sleep", "100d"]
+        securityContext:
+          privileged: true
diff --git a/test/integration/data/state/policies.yaml b/test/integration/data/state/policies.yaml
new file mode 100644
index 00000000..eda3d77d
--- /dev/null
+++ b/test/integration/data/state/policies.yaml
@@ -0,0 +1,254 @@
+apiVersion: pac.weave.works/v2beta2
+kind: Policy
+metadata:
+  name: weave.policies.containers-minimum-replica-count
+spec:
+  id: weave.policies.containers-minimum-replica-count
+  name: Containers Minimum Replica Count
+  enabled: false
+  description: "Use this Policy to to check the replica count of your workloads. The value set in the Policy is greater than or equal to the amount desired, so if the replica count is lower than what is specified, the Policy will be in violation. \n"
+  how_to_solve: |
+    The replica count should be a value equal or greater than what is set in the Policy.
+    ```
+    spec:
+      replicas: <replica_count>
+    ```
+    https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment
+  category: weave.categories.reliability
+  severity: medium
+  targets:
+    kinds:
+      - Deployment
+      - StatefulSet
+      - ReplicaSet
+      - ReplicationController
+      - HorizontalPodAutoscaler
+  standards:
+    - id: weave.standards.soc2-type-i
+      controls:
+        - weave.controls.soc2-type-i.2.1.1
+  tags: [soc2-type1]
+  parameters:
+    - name: replica_count
+      type: integer
+      required: true
+      value: 2
+    - name: exclude_namespaces
+      type: array
+      required: false
+      value:
+    - name: exclude_label_key
+      type: string
+      required: false
+      value:
+    - name: exclude_label_value
+      type: string
+      required: false
+      value:
+  code: |-
+    package weave.advisor.pods.replica_count
+
+    import future.keywords.in
+
+    min_replica_count := input.parameters.replica_count
+    exclude_namespaces := input.parameters.exclude_namespaces
+    exclude_label_key := input.parameters.exclude_label_key
+    exclude_label_value := input.parameters.exclude_label_value
+
+    controller_input := input.review.object
+
+    violation[result] {
+    	isExcludedNamespace == false
+        not exclude_label_value == controller_input.metadata.labels[exclude_label_key]
+    	not replicas >= min_replica_count
+    	result = {
+    		"issue detected": true,
+    		"msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]),
+    		"violating_key": violating_key,
+    		"recommended_value": min_replica_count,
+    	}
+    }
+
+    replicas := controller_input.spec.replicas {
+    	controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
+    } else := controller_input.spec.minReplicas {
+    	controller_input.kind == "HorizontalPodAutoscaler"
+    }
+
+    violating_key := "spec.replicas" {
+    	controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
+    } else := "spec.minReplicas" {
+    	controller_input.kind == "HorizontalPodAutoscaler"
+    }
+
+    isExcludedNamespace = true {
+    	controller_input.metadata.namespace
+    	controller_input.metadata.namespace in exclude_namespaces
+    } else = false
+
+---
+
+apiVersion: pac.weave.works/v2beta2
+kind: Policy
+metadata:
+  name: weave.policies.containers-running-in-privileged-mode
+spec:
+  id: weave.policies.containers-running-in-privileged-mode
+  name: Containers Running In Privileged Mode
+  enabled: true
+  description: |
+    This Policy reports if containers are running in privileged mode. A privileged container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host.
+
+    By default a container is not allowed to access any devices on the host, but a "privileged" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. This is useful for containers that want to use linux capabilities like manipulating the network stack and accessing devices.
+  how_to_solve: "Look at the following path to see what the settings are. \n```\n...\n  spec:\n    containers:\n    - securityContext:\n        privileged: <privilege>\n```\nhttps://kubernetes.io/docs/tasks/configure-pod-container/security-context/\n"
+  category: weave.categories.pod-security
+  severity: high
+  targets: {kinds: [Deployment, Job, ReplicationController, ReplicaSet, DaemonSet, StatefulSet, CronJob]}
+  standards:
+    - id: weave.standards.pci-dss
+      controls:
+        - weave.controls.pci-dss.2.2.4
+        - weave.controls.pci-dss.2.2.5
+    - id: weave.standards.cis-benchmark
+      controls:
+        - weave.controls.cis-benchmark.5.2.1
+    - id: weave.standards.mitre-attack
+      controls:
+        - weave.controls.mitre-attack.4.1
+    - id: weave.standards.nist-800-190
+      controls:
+        - weave.controls.nist-800-190.3.3.1
+    - id: weave.standards.gdpr
+      controls:
+        - weave.controls.gdpr.25
+        - weave.controls.gdpr.32
+        - weave.controls.gdpr.24
+    - id: weave.standards.soc2-type-i
+      controls:
+        - weave.controls.soc2-type-i.1.6.1
+  tags: [pci-dss, cis-benchmark, mitre-attack, nist800-190, gdpr, soc2-type1, default]
+  parameters:
+    - name: privilege
+      type: boolean
+      required: true
+      value: false
+    - name: exclude_namespaces
+      type: array
+      required: false
+      value:
+    - name: exclude_label_key
+      type: string
+      required: false
+      value:
+    - name: exclude_label_value
+      type: string
+      required: false
+      value:
+  code: |
+    package weave.advisor.podSecurity.privileged
+
+    import future.keywords.in
+
+    privilege := input.parameters.privilege
+    exclude_namespaces := input.parameters.exclude_namespaces
+    exclude_label_key := input.parameters.exclude_label_key
+    exclude_label_value := input.parameters.exclude_label_value
+
+    violation[result] {
+      isExcludedNamespace == false
+      not exclude_label_value == controller_input.metadata.labels[exclude_label_key]
+      some i
+      container := controller_spec.containers[i]
+      security_context_priv := container.securityContext.privileged
+      not security_context_priv == privilege
+      result = {
+        "issue detected": true,
+        "msg": sprintf("Container %s should set privileged to '%v'; detected '%v'", [container.name, privilege, security_context_priv]),
+        "violating_key": sprintf("spec.template.spec.containers[%v].securityContext.privileged", [i]),
+        "recommended_value": privilege
+      }
+    }
+
+    is_array_contains(array,str) {
+      array[_] = str
+    }
+
+    # Controller input
+    controller_input = input.review.object
+
+    # controller_container acts as an iterator to get containers from the template
+    controller_spec = controller_input.spec.template.spec {
+      contains_kind(controller_input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"})
+    } else = controller_input.spec {
+      controller_input.kind == "Pod"
+    } else = controller_input.spec.jobTemplate.spec.template.spec {
+      controller_input.kind == "CronJob"
+    }
+
+    contains_kind(kind, kinds) {
+      kinds[_] = kind
+    }
+
+    isExcludedNamespace = true {
+    	controller_input.metadata.namespace
+    	controller_input.metadata.namespace in exclude_namespaces
+    } else = false
+
+---
+
+apiVersion: pac.weave.works/v2beta2
+kind: Policy
+metadata:
+  name: weave.policies.missing-owner-label
+spec:
+  id: weave.policies.missing-owner-label
+  name: Missing Owner Label
+  enabled: false
+  description: "Custom labels can help enforce organizational standards for each artifact deployed. This Policy ensure a custom label key is set in the entity's `metadata`. The Policy detects the presence of the following: \n\n### owner\nA label key of `owner` will help identify who the owner of this entity is. \n\n### app.kubernetes.io/name\nThe name of the application\t\n\n### app.kubernetes.io/instance\nA unique name identifying the instance of an application\t  \n\n### app.kubernetes.io/version\nThe current version of the application (e.g., a semantic version, revision hash, etc.)\n\n### app.kubernetes.io/part-of\nThe name of a higher level application this one is part of\t\n\n### app.kubernetes.io/managed-by\nThe tool being used to manage the operation of an application\t\n\n### app.kubernetes.io/created-by\nThe controller/user who created this resource\t\n"
+  how_to_solve: "Add these custom labels to `metadata`.\n* owner\n* app.kubernetes.io/name\n* app.kubernetes.io/instance\n* app.kubernetes.io/version\n* app.kubernetes.io/name\n* app.kubernetes.io/part-of\n* app.kubernetes.io/managed-by\n* app.kubernetes.io/created-by\n\n```\nmetadata:\n  labels:\n    <label>: value\n```  \nFor additional information, please check\n* https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels \n"
+  category: weave.categories.organizational-standards
+  severity: low
+  targets: {kinds: [Deployment, Job, ReplicationController, ReplicaSet, DaemonSet, StatefulSet, CronJob]}
+  tags: []
+  parameters:
+    - name: exclude_namespaces
+      type: array
+      required: false
+      value:
+    - name: exclude_label_key
+      type: string
+      required: false
+      value:
+    - name: exclude_label_value
+      type: string
+      required: false
+      value:
+  code: |
+    package weave.advisor.labels.missing_owner_label
+    import future.keywords.in
+    exclude_namespaces := input.parameters.exclude_namespaces
+    exclude_label_key := input.parameters.exclude_label_key
+    exclude_label_value := input.parameters.exclude_label_value
+    violation[result] {
+      isExcludedNamespace == false
+      not exclude_label_value == controller_input.metadata.labels[exclude_label_key]
+      # Filter the type of entity before moving on since this shouldn't apply to all entities
+      label := "owner"
+      contains_kind(controller_input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"})
+      not controller_input.metadata.labels[label]
+      result = {
+        "issue detected": true,
+        "msg": sprintf("you are missing a label with the key '%v'", [label]),
+        "violating_key": "metadata.labels",
+        "recommended_value": label
+      }
+    }
+    # Controller input
+    controller_input = input.review.object
+    contains_kind(kind, kinds) {
+      kinds[_] = kind
+    }
+    isExcludedNamespace = true {
+    	controller_input.metadata.namespace
+    	controller_input.metadata.namespace in exclude_namespaces
+    } else = false
diff --git a/test/integration/data/state/policyconfigs.yaml b/test/integration/data/state/policyconfigs.yaml
new file mode 100644
index 00000000..34b623b1
--- /dev/null
+++ b/test/integration/data/state/policyconfigs.yaml
@@ -0,0 +1,62 @@
+apiVersion: pac.weave.works/v2beta2
+kind: PolicyConfig
+metadata:
+  name: namespace-config
+spec:
+  match:
+    namespaces:
+    - default
+  config:
+    weave.policies.containers-minimum-replica-count:
+      parameters:
+        replica_count: 3
+---
+
+apiVersion: pac.weave.works/v2beta2
+kind: PolicyConfig
+metadata:
+  name: helm-app-config
+spec:
+  match:
+    apps:
+    - kind: HelmRelease
+      name: helm-app
+      namespace: flux-system
+  config:
+    weave.policies.containers-minimum-replica-count:
+      parameters:
+        replica_count: 4
+
+---
+
+apiVersion: pac.weave.works/v2beta2
+kind: PolicyConfig
+metadata:
+  name: kustomize-app-config
+spec:
+  match:
+    apps:
+    - kind: Kustomization
+      name: kustomize-app
+      namespace: flux-system
+  config:
+    weave.policies.containers-minimum-replica-count:
+      parameters:
+        replica_count: 5
+
+---
+
+apiVersion: pac.weave.works/v2beta2
+kind: PolicyConfig
+metadata:
+  name: resource-config
+spec:
+  match:
+    resources:
+    - kind: Deployment
+      name: test-deployment
+      namespace: default
+  config:
+    weave.policies.containers-minimum-replica-count:
+      parameters:
+        replica_count: 6
diff --git a/test/integration/data/state/policysets.yaml b/test/integration/data/state/policysets.yaml
new file mode 100644
index 00000000..c1a54646
--- /dev/null
+++ b/test/integration/data/state/policysets.yaml
@@ -0,0 +1,23 @@
+apiVersion: pac.weave.works/v2beta2
+kind: PolicySet
+metadata:
+  name: admission-set
+spec:
+  mode: admission
+  filters:
+    ids:
+    - weave.policies.containers-minimum-replica-count
+    - weave.policies.containers-running-in-privileged-mode
+
+---
+
+apiVersion: pac.weave.works/v2beta2
+kind: PolicySet
+metadata:
+  name: audit-set
+spec:
+  mode: audit
+  filters:
+    ids:
+    - weave.policies.missing-owner-label
+    - weave.policies.containers-running-in-privileged-mode
diff --git a/test/integration/data/values.yaml b/test/integration/data/values.yaml
new file mode 100644
index 00000000..bc132ab9
--- /dev/null
+++ b/test/integration/data/values.yaml
@@ -0,0 +1,6 @@
+config:
+  audit:
+    enabled: true
+    sinks:
+      k8sEventsSink:
+        enabled: true
diff --git a/test/integration/deploy.sh b/test/integration/deploy.sh
new file mode 100644
index 00000000..065ce6e6
--- /dev/null
+++ b/test/integration/deploy.sh
@@ -0,0 +1,22 @@
+echo "[*] Creating test cluster ..."
+kind delete cluster --name test
+kind create cluster --name test
+
+kind load docker-image weaveworks/policy-agent:${VERSION} --name test
+
+kubectl create namespace flux-system
+
+echo "[*] Installing cert-manager ..."
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.10.1 --set installCRDs=true --wait --timeout 120s
+
+echo "[*] Apply test resources ..."
+kubectl apply -f data/resources/audit_test_resources.yaml
+kubectl apply -f ../../helm/crds
+
+echo "[*] Apply cluster resources"
+kubectl apply -f data/state
+
+echo "[*] Installing policy agent helm chart on namespace ${NAMESPACE} ..."
+helm install policy-agent ../../helm -n ${NAMESPACE} -f ../../helm/values.yaml -f data/values.yaml --create-namespace --wait --timeout 60s
diff --git a/test/integration/test_test.go b/test/integration/test_test.go
new file mode 100644
index 00000000..80acecea
--- /dev/null
+++ b/test/integration/test_test.go
@@ -0,0 +1,224 @@
+package integration
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/MagalixTechnologies/policy-core/domain"
+	"github.com/stretchr/testify/assert"
+	"github.com/weaveworks/policy-agent/api/v2beta2"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const (
+	minimumReplicaCountPolicy        = "weave.policies.containers-minimum-replica-count"
+	containersInPrivilegedModePolicy = "weave.policies.containers-running-in-privileged-mode"
+	missingOwnerLabelPolicy          = "weave.policies.missing-owner-label"
+)
+
+func TestIntegration(t *testing.T) {
+	homeDir, err := os.UserHomeDir()
+	assert.Nil(t, err)
+
+	kubeConfigPath := filepath.Join(homeDir, ".kube", "config")
+	config, err := clientcmd.BuildConfigFromFlags("", kubeConfigPath)
+	if err != nil {
+		panic(err)
+	}
+
+	cl, err := client.New(config, client.Options{})
+	if err != nil {
+		panic(err)
+	}
+
+	v2beta2.AddToScheme(cl.Scheme())
+
+	ctx := context.Background()
+
+	t.Run("check policies modes are correct", func(t *testing.T) {
+		modes := map[string][]string{
+			minimumReplicaCountPolicy:        {"admission"},
+			containersInPrivilegedModePolicy: {"admission", "audit"},
+			missingOwnerLabelPolicy:          {"audit"},
+		}
+
+		policies, err := listPolicies(ctx, cl)
+		assert.Nil(t, err)
+
+		assert.Equal(t, len(policies.Items), 3)
+
+		for _, policy := range policies.Items {
+			assert.ElementsMatch(t, modes[policy.GetName()], policy.Status.Modes)
+		}
+	})
+
+	t.Run("check audit results", func(t *testing.T) {
+		opts := []client.ListOption{
+			client.MatchingFields{
+				"reason":                   "PolicyViolation",
+				"involvedObject.namespace": "default",
+			},
+			client.MatchingLabels{domain.PolicyValidationTypeLabel: "Audit"},
+		}
+
+		events, err := listViolationEvents(ctx, cl, opts)
+		assert.Nil(t, err)
+
+		assert.Equal(t, len(events.Items), 4)
+
+		expected := map[string]int{
+			missingOwnerLabelPolicy:          2,
+			containersInPrivilegedModePolicy: 2,
+		}
+
+		actual := map[string]int{}
+		for i := range events.Items {
+			actual[events.Items[i].Related.Name]++
+		}
+		assert.ObjectsAreEqual(expected, actual)
+	})
+
+	t.Run("check admission results", func(t *testing.T) {
+		err := kubectl("apply", "-f", "data/resources/admission_test_resources.yaml")
+		assert.NotNil(t, err)
+
+		time.Sleep(2 * time.Second)
+
+		opts := []client.ListOption{
+			client.MatchingFields{
+				"reason": "PolicyViolation",
+			},
+			client.MatchingLabels{domain.PolicyValidationTypeLabel: "Admission"},
+		}
+
+		events, err := listViolationEvents(ctx, cl, opts)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		assert.Equal(t, 8, len(events.Items))
+
+		expected := map[string]struct {
+			value     float64
+			configRef string
+		}{
+			"orphan-deployment/default": {value: 3, configRef: "namespace-config"},
+			"helm-app/flux-system":      {value: 4, configRef: "helm-app-config"},
+			"kustomize-app/flux-system": {value: 5, configRef: "kustomize-app-config"},
+			"test-deployment/default":   {value: 6, configRef: "resource-config"},
+		}
+
+		for i := range events.Items {
+			result, err := domain.NewPolicyValidationFRomK8sEvent(&events.Items[i])
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if result.Policy.ID != minimumReplicaCountPolicy {
+				continue
+			}
+
+			key := fmt.Sprintf("%s/%s", result.Entity.Name, result.Entity.Namespace)
+
+			var value interface{}
+			var configRef string
+
+			for _, parameter := range result.Policy.Parameters {
+				if parameter.Name == "replica_count" {
+					value = parameter.Value
+					configRef = parameter.ConfigRef
+				}
+				break
+			}
+
+			assert.Equal(t, expected[key].value, value)
+			assert.Equal(t, expected[key].configRef, configRef)
+		}
+	})
+
+	t.Run("create conflicting policy configs", func(t *testing.T) {
+		configs := []v2beta2.PolicyConfig{
+			{
+				TypeMeta: v1.TypeMeta{
+					APIVersion: v2beta2.GroupVersion.Identifier(),
+					Kind:       v2beta2.PolicyConfigKind,
+				},
+				ObjectMeta: v1.ObjectMeta{
+					Name: "namespace-config-conflict",
+				},
+				Spec: v2beta2.PolicyConfigSpec{
+					Match: v2beta2.PolicyConfigTarget{
+						Namespaces: []string{"default"},
+					},
+					Config: map[string]v2beta2.PolicyConfigConfig{
+						minimumReplicaCountPolicy: {
+							Parameters: map[string]apiextensionsv1.JSON{},
+						},
+					},
+				},
+			},
+			{
+				TypeMeta: v1.TypeMeta{
+					APIVersion: v2beta2.GroupVersion.Identifier(),
+					Kind:       v2beta2.PolicyConfigKind,
+				},
+				ObjectMeta: v1.ObjectMeta{
+					Name: "app-config-conflict",
+				},
+				Spec: v2beta2.PolicyConfigSpec{
+					Match: v2beta2.PolicyConfigTarget{
+						Applications: []v2beta2.PolicyTargetApplication{
+							{
+								Kind:      "HelmRelease",
+								Name:      "helm-app",
+								Namespace: "flux-system",
+							},
+						},
+					},
+					Config: map[string]v2beta2.PolicyConfigConfig{
+						minimumReplicaCountPolicy: {
+							Parameters: map[string]apiextensionsv1.JSON{},
+						},
+					},
+				},
+			},
+			{
+				TypeMeta: v1.TypeMeta{
+					APIVersion: v2beta2.GroupVersion.Identifier(),
+					Kind:       v2beta2.PolicyConfigKind,
+				},
+				ObjectMeta: v1.ObjectMeta{
+					Name: "resource-config-conflict",
+				},
+				Spec: v2beta2.PolicyConfigSpec{
+					Match: v2beta2.PolicyConfigTarget{
+						Resources: []v2beta2.PolicyTargetResource{
+							{
+								Kind:      "Deployment",
+								Name:      "test-deployment",
+								Namespace: "default",
+							},
+						},
+					},
+					Config: map[string]v2beta2.PolicyConfigConfig{
+						minimumReplicaCountPolicy: {
+							Parameters: map[string]apiextensionsv1.JSON{},
+						},
+					},
+				},
+			},
+		}
+		for i := range configs {
+			err := cl.Create(ctx, &configs[i])
+			assert.NotNil(t, err, "expected an error when trying to create config %s", configs[i].Name)
+		}
+	})
+}
diff --git a/test/integration/test_utils.go b/test/integration/test_utils.go
new file mode 100644
index 00000000..46cf4dde
--- /dev/null
+++ b/test/integration/test_utils.go
@@ -0,0 +1,34 @@
+package integration
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+
+	v2beta2 "github.com/weaveworks/policy-agent/api/v2beta2"
+	v1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func kubectl(args ...string) error {
+	cmd := exec.Command("kubectl", args...)
+	stdout, err := cmd.Output()
+	fmt.Println(string(stdout))
+	return err
+}
+
+func listPolicies(ctx context.Context, c client.Client) (*v2beta2.PolicyList, error) {
+	var policies v2beta2.PolicyList
+	if err := c.List(ctx, &policies); err != nil {
+		return nil, err
+	}
+	return &policies, nil
+}
+
+func listViolationEvents(ctx context.Context, c client.Client, opts []client.ListOption) (*v1.EventList, error) {
+	var events v1.EventList
+	if err := c.List(ctx, &events, opts...); err != nil {
+		return nil, err
+	}
+	return &events, nil
+}