| name | kyverno-basics |
|---|---|
| description | Install Kyverno, create validation policies, and understand audit vs enforce modes for Kubernetes admission control. |
# Kyverno Basics

## When to Use This Skill
Kyverno runs as a dynamic admission controller in Kubernetes. It validates, mutates, and generates resources based on policies written in YAML.
## Implementation

Install Kyverno using Helm:
See examples.md for detailed code examples.
Kyverno registers validating and mutating webhook configurations that intercept resource creation and updates at admission time, before the object is persisted to etcd.

## Comparison

Roll out policies in audit mode first:

```yaml
spec:
  validationFailureAction: Audit # Log violations, don't block
```

Check the PolicyReports for violations:

```bash
kubectl get policyreport -A
```

```
NAMESPACE    NAME                 PASS   FAIL   WARN   ERROR   SKIP
default      polr-ns-default      12     3      0      0       0
production   polr-ns-production   45     1      0      0       0
```

Fix the violations, then switch the policy to Enforce:

```yaml
spec:
  validationFailureAction: Enforce # Block violations
```
## Gradual Rollout Strategy

- Deploy the policy in Audit mode
- Monitor PolicyReports for 1 week
- Remediate failures
- Switch to Enforce mode
- Handle exceptions with exclusions

Don't deploy straight to Enforce. Discover violations first.
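A complete validation policy wired for the rollout above, as an added example rather than code from this page or from the Kyverno project. It assumes a Kyverno release that supports `validationFailureActionOverrides`; the policy name, label key, message text and the `production` namespace are constructed:

```yaml
# Added example: a ClusterPolicy that starts cluster-wide in Audit mode and is
# promoted to Enforce one namespace at a time. Names and message are constructed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-app-name-label
spec:
  # Cluster-wide default: record violations in PolicyReports, never block.
  validationFailureAction: Audit
  # Also scan resources that already exist, so PolicyReports reflect the
  # current state of the cluster and not only new admission requests.
  background: true
  # Promote namespaces individually once their FAIL count reaches 0;
  # any namespace not listed here keeps the Audit default above.
  validationFailureActionOverrides:
    - action: Enforce
      namespaces:
        - production
  rules:
    - name: check-app-name-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "The label app.kubernetes.io/name is required."
        pattern:
          metadata:
            labels:
              # "?*" requires the key to be present with a non-empty value.
              app.kubernetes.io/name: "?*"
```

After `kubectl apply -f` on this file, `kubectl get policyreport -A` shows the FAIL count per namespace; add a namespace to the overrides list only when its count is 0, and flip the top-level `validationFailureAction` to Enforce once every namespace is clean.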
## Examples

See examples.md for code examples.

## Related Patterns
- Policy Patterns
- Testing and Exceptions
- CI/CD Integration