Enable the PolicyException feature if your Kyverno version does not enable it by default: older releases gate it behind the --enablePolicyException controller flag (Helm: features.policyExceptions.enabled); newer releases ship it on, but the flag and Helm value names have changed between releases, so verify against the docs for the version you run.
Write a PolicyException manifest. Under spec.exceptions, set policyName to the ClusterPolicy name (for a namespaced Policy, use the namespace/name form) and list the rule names to exempt under ruleNames; the names must match the rules in the policy spec exactly.
In spec.match, identify the workload to exempt with the same syntax Kyverno uses in policy match blocks: any/all entries with resources.kinds, resources.names and resources.namespaces (a label selector is also accepted). Be as specific as the resource allows, down to the workload name.
Apply the PolicyException. It is a namespaced resource and Kyverno has no cluster-scoped variant; it does not have to live in the workload's namespace, but if the controller runs with --exceptionNamespace (Helm: features.policyExceptions.namespace) set, only exceptions created in that namespace are honored. Then confirm the workload is admitted, for example with a server-side dry run of its manifest (kubectl apply --dry-run=server), which exercises the admission webhook without creating the object.
Audit PolicyExceptions regularly. Record an owner, a tracking ticket and an expiry date on each one (annotations work for this) and remove them when the ticket closes, so exemptions do not become permanent workarounds.
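The whole procedure, as an added worked example that is not from the original page or the Kyverno project. The policy name disallow-privileged-containers, its rule name privileged-containers, the namespace payments, the workload legacy-agent and the ticket/expiry annotation keys are all assumed for illustration; the Helm value names in the leading comment follow the Kyverno chart but should be confirmed for your chart version.

```yaml
# Added example; names are constructed, not taken from any real cluster.
#
# Step 1 (Helm values excerpt, only needed on releases where the feature
# is off by default; confirm key names for your chart version):
#
#   features:
#     policyExceptions:
#       enabled: true
#       namespace: ""      # "" = honour exceptions from any namespace
#
---
# The policy being exempted. The rule name below is what the exception
# must cite; read it from the live object with
#   kubectl get clusterpolicy disallow-privileged-containers -o yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: Enforce
  rules:
  - name: privileged-containers
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(privileged): "false"
---
# Steps 2-4: one rule, one named workload, with an owner and expiry.
# kyverno.io/v2 is the current API; older releases serve kyverno.io/v2beta1.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: legacy-agent-privileged
  namespace: payments
  annotations:
    owner: "platform-security"      # assumed annotation keys; pick your own
    ticket: "SEC-1234"
    expires: "2025-12-31"
spec:
  exceptions:
  - policyName: disallow-privileged-containers
    ruleNames:
    - privileged-containers
    # Kyverno auto-generates a Deployment-level copy of a Pod rule named
    # autogen-<rule>; it must be listed too or the Deployment itself is
    # still rejected at admission even though its Pods would be exempt.
    - autogen-privileged-containers
  match:
    any:
    - resources:
        kinds:
        - Pod
        - Deployment
        namespaces:
        - payments
        names:
        - legacy-agent*             # wildcard covers the ReplicaSet-suffixed Pods
```

Apply both manifests, then run kubectl -n payments apply --dry-run=server -f legacy-agent.yaml against the Deployment: without the exception the webhook returns the rule's message, with it the dry run succeeds. Dropping the autogen-* entry and re-running the dry run is a quick way to see why it is needed.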
Known gotchas
PolicyExceptions are scoped to specific rules within a policy, not the entire policy: each rule must be listed by name under ruleNames, so you need the exact rule names from the ClusterPolicy spec. Remember that for rules matching Pods, Kyverno auto-generates Pod-controller variants named autogen-<rule>; a Deployment or CronJob is only exempt if that autogen name is listed as well.
In some Kyverno versions the feature must be explicitly enabled and sits behind a feature flag, and the PolicyException API version (kyverno.io/v2beta1 versus kyverno.io/v2) also varies by release; check the release notes and installed CRDs for the version you are running.
A PolicyException that is matched too broadly (e.g., all Pods in a namespace) silently exempts resources nobody intended to exempt, and nothing in the admission response warns you. Use the most specific match criteria available: names (wildcards are accepted), a label selector, and the narrowest set of kinds and namespaces.
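The over-broad match beside its narrowed form, as an added example that is not from the original page or the Kyverno project. The policy name require-run-as-nonroot, its rule run-as-non-root, the namespace payments and the workload legacy-agent are assumed for illustration.

```yaml
# Added example with constructed names.
# Too broad: every Pod admitted into "payments" skips the rule, including
# anything an attacker or a careless teammate creates there later.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: nonroot-exception-broad        # do not ship this form
  namespace: payments
spec:
  exceptions:
  - policyName: require-run-as-nonroot
    ruleNames:
    - run-as-non-root
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - payments
---
# Narrowed: same rule, but only the one workload. Within a single
# resources block kinds, namespaces, names and selector are all ANDed,
# so a Pod must satisfy every criterion to be exempted.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: nonroot-exception-legacy-agent
  namespace: payments
spec:
  exceptions:
  - policyName: require-run-as-nonroot
    ruleNames:
    - run-as-non-root
    - autogen-run-as-non-root          # for the Deployment that owns the Pods
  match:
    any:
    - resources:
        kinds:
        - Pod
        - Deployment
        namespaces:
        - payments
        names:
        - legacy-agent*                # wildcard for ReplicaSet/Pod suffixes
        selector:
          matchLabels:
            app: legacy-agent          # assumed label on the workload
```

A cheap audit for the broad form is to list every exception whose match has no names and no selector; any such object exempts a whole namespace or kind and deserves a ticket of its own.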