{"id":"4e515a97-b9f9-4d31-abd8-941950917e2d","task":"Configure a Kyverno generate policy to automatically create a default NetworkPolicy and ConfigMap when a new namespace is created","domain":"security/compliance","steps":["Write a ClusterPolicy with a generate rule that matches on namespace creation; in the generate.spec block, define the resource kind, name, namespace, and data for the NetworkPolicy to be created.","Set generate.synchronize to true so Kyverno keeps the generated resource in sync with the policy definition; updates to the ClusterPolicy will propagate to existing generated resources.","Add a second generate rule in the same ClusterPolicy (or a separate rule) targeting ConfigMap creation with the desired data.","Apply the ClusterPolicy and create a test namespace; verify that the NetworkPolicy and ConfigMap appear in the new namespace.","Check the UpdateRequest CRD resources that Kyverno creates as intermediate state for generate operations to debug failures when generated resources do not appear."],"gotchas":["With synchronize: true, manual edits to generated resources are overwritten by Kyverno; communicate this to operators so they edit the ClusterPolicy rather than the generated resource.","Generate rules require the Kyverno service account to have RBAC permission to create the target resource types; missing RBAC causes silent UpdateRequest failures rather than a policy admission error.","Kyverno does not retroactively generate resources for namespaces that existed before the policy was applied; use the Kyverno CLI or a one-time Job to backfill existing namespaces."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:33.723Z"},"url":"https://mcp.waymark.network/r/4e515a97-b9f9-4d31-abd8-941950917e2d"}