Overview

Kyverno, the Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies (no Rego required). Helps developers enforce security policies, automate resource defaults, and ensure compliance across Kubernetes clusters.

Instructions

Validation Policies

yaml

# Require resource limits on all containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
  annotations:
    policies.kyverno.io/title: Require Resource Limits
    policies.kyverno.io/severity: medium
spec:
  validationFailureAction: Enforce       # Block non-compliant resources
  background: true
  rules:
    - name: check-resource-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "All containers must have CPU and memory limits set."
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"

---
# Disallow privileged containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-privileged
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            containers:
              - securityContext:
                  privileged: "!true"

---
# Disallow latest tag
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-latest
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Using 'latest' tag is not allowed. Pin to a specific version."
        pattern:
          spec:
            containers:
              - image: "!*:latest"

---
# Require labels
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-labels
      match:
        any:
          - resources:
              kinds: ["Deployment", "StatefulSet"]
      validate:
        message: "Resources must have 'team' and 'app' labels."
        pattern:
          metadata:
            labels:
              team: "?*"
              app: "?*"

Mutation Policies

yaml

# Auto-add security defaults to all pods
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-security-defaults
spec:
  rules:
    - name: add-run-as-nonroot
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
            containers:
              - (name): "*"
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop: ["ALL"]

---
# Auto-add resource defaults if not specified
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resources
spec:
  rules:
    - name: set-default-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                resources:
                  limits:
                    +(memory): "512Mi"     # + means only add if not set
                    +(cpu): "500m"
                  requests:
                    +(memory): "256Mi"
                    +(cpu): "100m"

---
# Auto-add image pull secrets
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pull-secret
spec:
  rules:
    - name: add-registry-secret
      match:
        any:
          - resources:
              kinds: ["Pod"]
      preconditions:
        all:
          - key: "{{ request.object.spec.containers[].image }}"
            operator: AnyIn
            value: ["ghcr.io/*", "myregistry.com/*"]
      mutate:
        patchStrategicMerge:
          spec:
            imagePullSecrets:
              - name: registry-credentials

Generation Policies

yaml

# Auto-create NetworkPolicy for every new namespace
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-default-networkpolicy
spec:
  rules:
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      generate:
        synchronize: true                # Keep in sync if policy changes
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{ request.object.metadata.name }}"
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress

---
# Auto-create ResourceQuota for namespaces
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-quota
spec:
  rules:
    - name: default-quota
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      exclude:
        any:
          - resources:
              namespaces: ["kube-system", "kyverno"]
      generate:
        apiVersion: v1
        kind: ResourceQuota
        name: default-quota
        namespace: "{{ request.object.metadata.name }}"
        data:
          spec:
            hard:
              requests.cpu: "4"
              requests.memory: "8Gi"
              limits.cpu: "8"
              limits.memory: "16Gi"
              pods: "50"

Verify Image Signatures

yaml

# Enforce cosign signature verification
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"

Installation

bash

# Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

# Install policy library
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/...

# CLI (for testing policies locally)
brew install kyverno
kyverno apply policy.yaml --resource pod.yaml

Examples

Example 1: Setting up Kyverno for a microservices project

User request:

I have a Node.js API and a React frontend running in Docker. Set up Kyverno for monitoring/deployment.

The agent creates the necessary configuration files based on patterns like # Require resource limits on all containers, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.

Example 2: Troubleshooting mutation policies issues

User request:

Kyverno is showing errors in our mutation policies. Here are the logs: [error output]

The agent analyzes the error output, identifies the root cause by cross-referencing with common Kyverno issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.

Guidelines

YAML, not Rego — Kyverno policies are pure YAML; lower barrier to entry than OPA/Gatekeeper for Kubernetes teams
Audit before enforce — Start with validationFailureAction: Audit to see violations without blocking; switch to Enforce once clean
Mutate for defaults — Use mutation policies to inject security defaults; developers don't need to remember boilerplate
Generate for consistency — Auto-create NetworkPolicies, ResourceQuotas, and RBAC for every namespace
Image verification — Enforce cosign signature verification; prevent unsigned images from running in the cluster
Policy library — Start with Kyverno's policy library (kyverno.io/policies); covers Pod Security Standards, best practices, and compliance
Test with CLI — Use kyverno apply and kyverno test locally before deploying policies to the cluster
Exceptions via annotations — Use policies.kyverno.io/exclude annotations for legitimate exceptions; document the reason

kyverno

Usage

Getting Started

Example Prompts

Documentation

Overview

Instructions

Validation Policies

Mutation Policies

Generation Policies

Verify Image Signatures

Installation

Examples

Example 1: Setting up Kyverno for a microservices project

Example 2: Troubleshooting mutation policies issues

Guidelines

Information

Use Cases