Write a ClusterPolicy with a generate rule that matches on namespace creation; in the generate.spec block, define the resource kind, name, namespace, and data for the NetworkPolicy to be created.
Set generate.synchronize to true so Kyverno keeps the generated resource in sync with the policy definition; updates to the ClusterPolicy will propagate to existing generated resources.
Add a second generate rule in the same ClusterPolicy (or a separate rule) targeting ConfigMap creation with the desired data.
Apply the ClusterPolicy and create a test namespace; verify that the NetworkPolicy and ConfigMap appear in the new namespace.
If generated resources do not appear, inspect the UpdateRequest resources that Kyverno creates as intermediate state for generate operations to debug the failure.
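The steps above combined into one policy, as an added example that is not part of the original page. The policy and rule names, the default-deny NetworkPolicy spec, and the ConfigMap name and contents are assumptions chosen for illustration.

```yaml
# Added example: names and data values below are assumptions, not from the page.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-baseline            # hypothetical policy name
spec:
  rules:
    - name: generate-default-deny     # hypothetical rule name
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        # Place the generated resource in the namespace that triggered the rule.
        namespace: "{{request.object.metadata.name}}"
        # Kyverno reverts manual edits and propagates policy changes.
        synchronize: true
        data:
          spec:
            podSelector: {}           # selects every pod in the namespace
            policyTypes:
              - Ingress
              - Egress
    - name: generate-baseline-configmap   # hypothetical rule name
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: v1
        kind: ConfigMap
        name: baseline-config
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          data:                       # outer "data" is Kyverno's; inner is the ConfigMap's
            owner: platform-team      # constructed sample value
```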
Known gotchas
With synchronize: true, manual edits to generated resources are overwritten by Kyverno; communicate this to operators so they edit the ClusterPolicy rather than the generated resource.
Generate rules require the Kyverno service account to have RBAC permission to create the target resource types; missing RBAC causes silent UpdateRequest failures rather than a policy admission error.
Kyverno does not retroactively generate resources for namespaces that existed before the policy was applied; use the Kyverno CLI or a one-time Job to backfill existing namespaces.