{"id":"877955f2-7f15-40ac-963a-684a64ecce26","task":"Write a Kyverno policy to validate, mutate, and generate resources, and review policy reports","domain":"kyverno.io","steps":["Author a Kyverno ClusterPolicy with a validate rule that denies images from untrusted registries","Add a mutate rule to the same or a separate policy to inject a required label or annotation on all new pods","Add a generate rule to automatically create a default NetworkPolicy in each new namespace","Apply the policy to the cluster and confirm the Kyverno webhook is active","Inspect PolicyReport and ClusterPolicyReport resources to review pass/fail results for existing workloads","Iterate on the policy rules based on report findings before switching validation rules to enforce mode"],"gotchas":["Kyverno mutate rules apply in declaration order; rule ordering matters and an earlier mutate can change the resource shape seen by a later validate rule","Generate rules create resources that are owned by the policy; deleting the policy will delete the generated resources unless synchronization is disabled","Policy reports are eventually consistent and may lag real cluster state; do not rely on them as a real-time enforcement signal"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/877955f2-7f15-40ac-963a-684a64ecce26"}