Bug
Resolution: Duplicate
Normal
None
4.7.0
You may start building a policy after selecting one of these lifecycle combinations:

- Build + Runtime (deployment)
- Deploy + Runtime (deployment)
- Build + Deploy + Runtime (deployment)

But you are only presented with Build phase criteria to choose from. Then, when you try to save the policy, ACS complains that you have no runtime criteria.

In those cases, if you select Runtime (audit log), you are presented with no criteria whatsoever.
For discussion with ksanchet:
I believe we want to treat any policy with a runtime control as primarily a runtime policy, which means it should not trigger a violation if none of the runtime criteria have failed. This is a crucial assumption because when enforced, the pod would be killed. If there was nothing wrong with the pod, say only the image fails the policy after a new CVE was discovered, then the new pod would be immediately in violation sending the deployment into a downtime loop.
With that said, it seems the combinations listed above would serve no purpose. You gain access to all the criteria in a runtime policy, but you must use at least one runtime criterion. So I think we can simply block these illogical options in the UI.
Yet my reasoning should be investigated by engineering while addressing this bug in case I misunderstand something.
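The two rules discussed above, rejecting a runtime-stage policy that has no runtime criterion and treating such a policy as runtime-primary, written out as an added Go example. This is not ACS code: the Stage, Criterion and Policy types, the Validate and Violates functions and the constructed scenario are assumptions made for illustration.

```go
package main

import "errors"

// Stage is the lifecycle phase a policy criterion applies to (Build, Deploy or Runtime in ACS).
type Stage int

const (
	Build Stage = iota
	Deploy
	Runtime
)

// Criterion is one policy condition; Failed is true when the observed state violates it.
type Criterion struct {
	Name   string
	Stage  Stage
	Failed bool
}

// Policy holds the criteria plus the lifecycle stages the policy is enabled for.
type Policy struct {
	Stages   map[Stage]bool
	Criteria []Criterion
}

// Validate is the save-time check the ticket suggests the UI should enforce up front:
// a policy that includes the Runtime stage must carry at least one runtime criterion.
func Validate(p Policy) error {
	for _, c := range p.Criteria {
		if c.Stage == Runtime {
			return nil
		}
	}
	if p.Stages[Runtime] {
		return errors.New("policy with a runtime stage needs at least one runtime criterion")
	}
	return nil
}

// Violates applies the runtime-primary semantics the reporter proposes: with a Runtime stage
// present, only a failed runtime criterion is a violation, so a purely build-side failure
// (e.g. a newly disclosed image CVE) cannot get the running pod killed. Otherwise any failure counts.
func Violates(p Policy) bool {
	for _, c := range p.Criteria {
		if c.Failed && (!p.Stages[Runtime] || c.Stage == Runtime) {
			return true
		}
	}
	return false
}
```

Under these semantics the ticket's scenario (image fails a build criterion after a new CVE, pod still passes its runtime criterion) produces no violation, so enforcement cannot send the deployment into the downtime loop the reporter describes.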
Is cloned by: ROX-28070 Policy violation output needs to highlight the finding (New)