Upgrade to Kyverno 1.9 or later, which introduced PolicyException as a stable feature.
Create a manifest with `apiVersion: kyverno.io/v2` and `kind: PolicyException`.
In `spec.exceptions`, list the policy name and the specific rules to exempt under `policyName` and `ruleNames`.
In `spec.match`, define the resource selector (namespace, kind, name, or label selectors) for the workloads that should be exempted.
Apply the manifest with `kubectl apply -f` and verify the exempted workload is no longer blocked by the targeted rules.
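A manifest following the steps above, as an added example that is not from the original page or the Kyverno project. The policy name `disallow-host-namespaces`, its rule `host-namespaces`, the namespace `legacy-tools` and the workload name `node-debugger` are assumptions chosen for illustration; substitute the names from your own cluster.

```yaml
# policy-exception.yaml (constructed example; all names are hypothetical)
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: node-debugger-host-namespaces
  # Kept in the same namespace as the exempted workload.
  namespace: legacy-tools
spec:
  exceptions:
    # One entry per policy; list only the rules that actually block the workload.
    - policyName: disallow-host-namespaces
      ruleNames:
        - host-namespaces
        # Rule name Kyverno auto-generates for Pod controllers such as
        # Deployments; needed because the match below includes Deployment.
        - autogen-host-namespaces
  match:
    any:
      - resources:
          kinds:
            - Pod
            - Deployment
          namespaces:
            - legacy-tools
          names:
            # The wildcard covers the Deployment and the Pods it creates,
            # whose names carry a generated suffix.
            - node-debugger*
```

Matching on the namespace plus a name pattern, rather than the namespace alone, limits the exemption to the one workload, so other resources in `legacy-tools` are still evaluated by the policy.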
Known gotchas
The stable `apiVersion` for PolicyException is `kyverno.io/v2`; the older `kyverno.io/v2beta1` and `kyverno.io/v2alpha1` are legacy and may be removed in future versions.
PolicyExceptions only apply to `validate` and `mutate` rules; `generate` rules cannot be exempted via PolicyException.
The PolicyException must reside in the same namespace as the workload for namespaced resources, unless Kyverno is configured to allow cross-namespace exceptions.