Install the Kyverno CLI via `brew install kyverno` or the official release binary; verify with `kyverno version`.
Create a `tests/` directory containing: the policy YAML file, sample resource YAML files (compliant and non-compliant), and a `kyverno-test.yaml` manifest.
In `kyverno-test.yaml`, define a `policies` list pointing to the policy file, a `resources` list pointing to the sample resource files, and a `results` list declaring the expected `pass` or `fail` outcome for each policy-rule-resource combination.
Run `kyverno test tests/` from the repo root; the CLI compares declared results to actual evaluations and exits non-zero if any result mismatches.
Add the `kyverno test` step to CI (GitHub Actions, GitLab CI, etc.) before any cluster deployment step to catch policy logic errors in the PR review phase.
Use `kyverno test tests/ -v 5` for verbose output that shows per-rule evaluation details when debugging failing tests.
Known gotchas
The `kyverno-test.yaml` result entries reference the policy name, rule name, and resource name exactly; a typo in any of these fields causes the test framework to report a mismatch rather than a lookup error.
`kyverno test` evaluates policies against static resource manifests without a running cluster; it does not simulate webhook behavior such as defaulting or admission chain effects.
Mutate rules can be tested with `kyverno test` by declaring a `patchedResource` expected output file in the test manifest and comparing the actual patched output.
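A pre-flight check for the first gotcha above, as an added example (not part of the Kyverno project or the original page): it cross-checks every `results` entry against the names actually defined in the policy and resource files, so a typo is reported as an unresolved name before `kyverno test` runs. It assumes the YAML files have already been loaded into plain dicts and that result entries name resources through a `resources` list or a single `resource` key; the function name and sample data are constructed for illustration.

```python
# Added example (not Kyverno code): cross-check kyverno-test.yaml references.
# Inputs are plain dicts, as a YAML loader would return them (assumption).

def unresolved_references(test_manifest, policies, resources):
    """Return one message per name in `results` that matches nothing defined."""
    # policy name -> rule names declared under spec.rules
    rules_by_policy = {
        p["metadata"]["name"]: {r["name"] for r in p.get("spec", {}).get("rules", [])}
        for p in policies
    }
    resource_names = {r["metadata"]["name"] for r in resources}

    problems = []
    for i, entry in enumerate(test_manifest.get("results", [])):
        policy, rule = entry.get("policy"), entry.get("rule")
        if policy not in rules_by_policy:
            problems.append(f"results[{i}]: unknown policy {policy!r}")
        elif rule not in rules_by_policy[policy]:
            problems.append(f"results[{i}]: policy {policy!r} has no rule {rule!r}")
        # Assumption: resources are listed under 'resources' or a single 'resource'.
        for name in entry.get("resources") or [entry.get("resource")]:
            if name not in resource_names:
                problems.append(f"results[{i}]: unknown resource {name!r}")
    return problems

# Constructed sample data: one correct entry, one rule typo, one resource typo.
SAMPLE_POLICY = {
    "metadata": {"name": "disallow-latest-tag"},
    "spec": {"rules": [{"name": "validate-image-tag"}]},
}
SAMPLE_RESOURCES = [
    {"kind": "Pod", "metadata": {"name": "good-pod"}},
    {"kind": "Pod", "metadata": {"name": "bad-pod"}},
]
SAMPLE_TEST = {"results": [
    {"policy": "disallow-latest-tag", "rule": "validate-image-tag",
     "resources": ["good-pod"], "result": "pass"},
    {"policy": "disallow-latest-tag", "rule": "validate-image-tags",
     "resources": ["bad-pod"], "result": "fail"},
    {"policy": "disallow-latest-tag", "rule": "validate-image-tag",
     "resources": ["bad-pdo"], "result": "fail"},
]}

if __name__ == "__main__":
    found = unresolved_references(SAMPLE_TEST, [SAMPLE_POLICY], SAMPLE_RESOURCES)
    print("\n".join(found))
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI step
```

The comparison is an exact string match on purpose, mirroring the exact-name requirement described in the gotcha.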