Ensure you are running a Kyverno version that supports CEL-based validate rules; check the changelog for the version that introduced cel in validate rules.
In the validate rule, use the validate.cel block instead of validate.pattern or validate.deny; write CEL expressions that evaluate to true when the resource is compliant.
Use CEL's object model to traverse the admission request object (e.g., object.spec.containers.all(c, has(c.resources))) and return a bool from each expression.
Add a message field alongside each expression so admission denials include a human-readable explanation.
Test CEL rules with the Kyverno CLI (kyverno test) by providing resource manifests and verifying expected pass/fail outcomes.
Known gotchas
CEL in Kyverno uses the Kubernetes CEL library (the same one used by ValidatingAdmissionPolicy), so functions available in standard CEL may not all be available; verify function availability in current Kyverno docs.
CEL expressions in Kyverno validate rules are evaluated against the full admission request object, not just the resource; use object to reference the resource, not request.object, unless the Kyverno version maps them the same way.
CEL is strongly typed; attempting to access a field that may not exist without a has() guard will cause a runtime error rather than a false result — always guard optional fields.
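The steps and the has() gotcha above, put together as an added example (not taken from the Kyverno project or from this page's author): a policy using validate.cel with a guarded expression and a message, followed by a kyverno test declaration for it. The policy, rule and file names are hypothetical, and pods.yaml is assumed to hold two Pods named good-pod (memory limit set) and bad-pod (no resources block). Field placement and the test file schema can differ between Kyverno releases, so check them against the docs for your version.

```yaml
# policy.yaml (constructed example; all names are hypothetical)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-memory-limits
spec:
  # Enforce turns a failing expression into an admission denial.
  # Assumption: the spec-level form of this setting; some releases
  # expect it elsewhere, so confirm against your version's docs.
  validationFailureAction: Enforce
  rules:
    - name: containers-set-memory-limit
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        cel:
          expressions:
            # Each has() guards one optional level before the next is
            # dereferenced, so a Pod with no resources block yields
            # false (a denial with the message) instead of an error.
            - expression: >-
                object.spec.containers.all(c,
                has(c.resources) &&
                has(c.resources.limits) &&
                has(c.resources.limits.memory))
              message: "Every container must set resources.limits.memory."
---
# kyverno-test.yaml, in the same directory; run with: kyverno test .
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: require-memory-limits-test
policies:
  - policy.yaml
resources:
  - pods.yaml   # assumed: defines Pods good-pod and bad-pod
results:
  - policy: require-memory-limits
    rule: containers-set-memory-limit
    kind: Pod
    resources:
      - good-pod
    result: pass
  - policy: require-memory-limits
    rule: containers-set-memory-limit
    kind: Pod
    resources:
      - bad-pod
    result: fail
```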