{"id":"3421c47e-c993-4d7e-8a66-6074205706ed","task":"Write Kyverno validate rules using CEL expressions instead of pattern-based or Rego validation","domain":"security/compliance","steps":["Run Kyverno 1.11 or later, the release that added the validate.cel subrule; the release notes and the Kyverno docs list which CEL features each version supports.","In the rule, replace validate.pattern or validate.deny with a validate.cel block whose expressions list holds CEL expressions that evaluate to true when the resource is compliant and false when it must be rejected.","Traverse the admitted resource through the object variable (for example object.spec.containers.all(c, has(c.resources))); every expression must return a bool.","Add a message (or a messageExpression) next to each expression so admission denials carry a human-readable explanation instead of the raw expression text.","Before deploying, test the policy with the Kyverno CLI: write a cli.kyverno.io Test manifest that lists the policy file, the resource manifests and the expected pass/fail result per resource, then run kyverno test; kyverno apply --resource is handy for ad hoc checks."],"gotchas":["Kyverno evaluates validate.cel with the Kubernetes CEL environment that ValidatingAdmissionPolicy uses, so the function set is standard CEL plus the Kubernetes extension libraries (lists, regex, urls, quantity and similar), not every library a generic CEL runtime might offer; which extensions are present depends on the Kyverno and Kubernetes versions, so check the current docs.","The variables exposed to CEL are object, oldObject, request, params and namespaceObject: object is the admitted resource, oldObject the previous version on UPDATE (in the Kubernetes CEL model object is null on DELETE, so use oldObject there), and request carries the admission attributes such as operation, userInfo and namespace. request.object, the JMESPath variable used by Kyverno's other rule types, does not exist in CEL.","CEL is strongly typed and field access is strict: reading a field or map key that is absent is an evaluation error (no such key), not false, and the request is then rejected with the error text instead of your message. Guard every optional field with has() and test map keys with in before dereferencing them."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:26.736Z"},"url":"https://mcp.waymark.network/r/3421c47e-c993-4d7e-8a66-6074205706ed"}
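Worked example added here (it is not part of the record above and not Kyverno's own sample): a ClusterPolicy whose single rule uses validate.cel with has()-guarded expressions, two constructed Pods (one compliant, one not), and the kyverno test manifest that asserts the expected outcome for each. The policy, rule, file and Pod names are hypothetical; split the three documents into the files named in the comments and run `kyverno test .` from that directory.

```yaml
# file: require-resources-cel.yaml  (hypothetical policy, added example)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resources-cel
spec:
  validationFailureAction: Enforce
  # Admission-only: request-time variables (request.userInfo etc.) are not
  # available in background scans, so keep CEL rules out of them.
  background: false
  rules:
    - name: containers-must-set-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        cel:
          expressions:
            # Every container must declare CPU and memory limits. Each optional
            # level is guarded with has(), and map keys are tested with `in`,
            # so a missing field yields false instead of a "no such key" error.
            - expression: "object.spec.containers.all(c, has(c.resources) && has(c.resources.limits) && 'cpu' in c.resources.limits && 'memory' in c.resources.limits)"
              message: "Every container must set resources.limits.cpu and resources.limits.memory."
            # spec.volumes is optional; guard it before iterating.
            - expression: "!has(object.spec.volumes) || object.spec.volumes.all(v, !has(v.hostPath))"
              message: "hostPath volumes are not allowed."
---
# file: resources.yaml  (constructed sample input for the test)
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
spec:
  containers:
    - name: app
      image: nginx:1.27
      resources:
        limits:
          cpu: "500m"
          memory: "128Mi"
---
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
spec:
  containers:
    - name: app
      image: nginx:1.27
  volumes:
    - name: host
      hostPath:
        path: /etc
---
# file: kyverno-test.yaml  (expected pass/fail per resource)
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: require-resources-cel
policies:
  - require-resources-cel.yaml
resources:
  - resources.yaml
results:
  - policy: require-resources-cel
    rule: containers-must-set-limits
    kind: Pod
    resources:
      - good-pod
    result: pass
  - policy: require-resources-cel
    rule: containers-must-set-limits
    kind: Pod
    resources:
      - bad-pod
    result: fail
```

bad-pod trips both expressions: it has no resources block at all, which the first expression turns into a clean false only because of the has() guards, and it mounts a hostPath volume. Removing the guards (for example writing `'cpu' in c.resources.limits` alone) would make the same Pod fail with a CEL evaluation error rather than with the message above.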