Create a ClusterPolicy with a mutate rule; in the mutate.patchStrategicMerge block, specify the Deployment or Pod spec structure down to spec.containers[].resources.limits with the desired default values.
Use Kyverno's foreach loop in the mutate rule to iterate over spec.containers and apply the patch to each container element individually, which is required when the target is an array.
Set preconditions on the foreach loop (checking the current {{ element }}) to skip containers that already declare resource limits, so the mutation never overwrites intentionally low limits.
Apply the policy in a test namespace, deploy a pod without resource limits, and inspect the resulting pod spec to confirm the defaults were injected.
Write a Kyverno CLI test (kyverno-test.yaml) with resource and policy files and expected patch output to validate the mutation offline in CI.
Known gotchas
patchStrategicMerge merges at the top level by default; to target individual containers in an array, use foreach with a list referencing request.object.spec.containers rather than attempting a top-level merge.
Mutations run before validation; if you also have a validate policy requiring limits, the validate policy will see the already-mutated object — ensure the mutated defaults satisfy the validation constraints.
The Kyverno webhook must be registered for the resource type being mutated; if the resource is created via a controller that itself creates pods, the webhook must intercept Pod creation, not only Deployment creation.
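The steps above and the first and third gotchas, worked through as one complete example. This is added illustration, not code from the original page or from the Kyverno project: the policy name add-default-resource-limits, the rule name add-default-limits, the 500m/512Mi defaults, the Pod named nginx and the file names are all constructed. The four files are shown as a single YAML stream; split them at the `---` markers. The precondition treats a container as "already limited" when its resources.limits map has at least one key, and the test file follows the cli.kyverno.io/v1alpha1 Test schema (check field names against the CLI version you run).

```yaml
# --- policy.yaml ---------------------------------------------------------
# Constructed names and values; only the Kyverno structure is the point.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resource-limits
spec:
  rules:
    - name: add-default-limits
      match:
        any:
          - resources:
              kinds:
                - Pod          # match Pod, so controller-created pods are intercepted too
      mutate:
        foreach:
          # iterate the containers array; each entry is visible as {{ element }}
          - list: "request.object.spec.containers"
            preconditions:
              all:
                # 0 keys under resources.limits -> container has no limits yet
                - key: "{{ length(keys(element.resources.limits || `{}`)) }}"
                  operator: Equals
                  value: 0
            patchStrategicMerge:
              spec:
                containers:
                  - (name): "{{ element.name }}"   # anchor: patch only this element
                    resources:
                      limits:
                        cpu: "500m"
                        memory: "512Mi"
---
# --- resource.yaml (constructed test input) ------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: default
spec:
  containers:
    - name: web
      image: nginx:1.25        # no limits: must receive the defaults
    - name: sidecar
      image: busybox:1.36
      resources:
        limits:                # already limited: must be left untouched
          cpu: "100m"
          memory: "64Mi"
---
# --- patched.yaml (expected Pod after mutation) --------------------------
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: default
spec:
  containers:
    - name: web
      image: nginx:1.25
      resources:
        limits:
          cpu: "500m"
          memory: "512Mi"
    - name: sidecar
      image: busybox:1.36
      resources:
        limits:
          cpu: "100m"
          memory: "64Mi"
---
# --- kyverno-test.yaml (offline CI check) --------------------------------
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: add-default-limits
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: add-default-resource-limits
    rule: add-default-limits
    kind: Pod
    resources:
      - nginx
    patchedResource: patched.yaml
    result: pass
```

Run `kyverno test .` in the directory holding the four files to assert that the mutated Pod equals patched.yaml; `kyverno apply policy.yaml --resource resource.yaml` prints the mutated Pod for manual inspection. Because the rule matches Pod, the webhook is registered for Pod creation and pods produced by a ReplicaSet are mutated; Kyverno's autogen additionally derives equivalent rules for Deployments and other pod controllers from a Pod-matching rule. If a separate validate policy requires limits, the defaults here (500m/512Mi) must satisfy its thresholds, since validation sees the already-mutated object.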