Author a Kyverno ClusterPolicy with a validate rule that denies images from untrusted registries
Add a mutate rule to the same or a separate policy to inject a required label or annotation on all new pods
Add a generate rule to automatically create a default NetworkPolicy in each new namespace
Apply the policy to the cluster and confirm the Kyverno admission webhook is active and receiving requests
Inspect PolicyReport and ClusterPolicyReport resources to review pass/fail results for existing workloads
Iterate on the policy rules based on report findings before switching validation rules to enforce mode
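A single ClusterPolicy that combines the three rule types from the steps above, written as an added example rather than code from the original page; the policy name, the trusted registry `registry.example.internal` and the `team` label key are assumptions:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-guardrails            # assumed policy name
spec:
  # Start in Audit so PolicyReports show pass/fail without blocking; switch to Enforce later.
  validationFailureAction: Audit
  background: true                     # also scan existing workloads for the reports
  rules:
  - name: restrict-image-registries
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "Images must be pulled from registry.example.internal (assumed registry)."
      pattern:
        spec:
          containers:
          - image: "registry.example.internal/*"
          # =() anchor: only evaluated when initContainers is present
          =(initContainers):
          - image: "registry.example.internal/*"
  - name: add-team-label
    match:
      any:
      - resources:
          kinds: [Pod]
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            +(team): unassigned        # +() adds the label only if it is absent
  - name: default-deny-ingress
    match:
      any:
      - resources:
          kinds: [Namespace]
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny-ingress
      namespace: "{{request.object.metadata.name}}"
      synchronize: true                # generated NetworkPolicy is removed with the policy
      data:
        spec:
          podSelector: {}
          policyTypes:
          - Ingress
```

After `kubectl apply -f` on this file, `kubectl get policyreport -A` and `kubectl get clusterpolicyreport` show the audit results to review before changing `validationFailureAction` to `Enforce`.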
Known gotchas
Kyverno mutate rules apply in declaration order; rule ordering matters and an earlier mutate can change the resource shape seen by a later validate rule
Generate rules create resources that are owned by the policy; deleting the policy will delete the generated resources unless synchronization is disabled
Policy reports are eventually consistent and may lag real cluster state; do not rely on them as a real-time enforcement signal