Install Kyverno using the official Helm chart or manifest; verify the kyverno namespace and admission webhook configurations are registered.
Write a ClusterPolicy with spec.validationFailureAction set to Enforce (or Audit for observe-only mode) and one or more rules with a validate block containing a pattern or deny expression.
In the match section, specify the resource kinds, API groups, and optionally namespaces or label selectors the rule applies to.
Apply the policy and test it by submitting a non-compliant resource; Kyverno should return an admission denial with the policy name and rule name in the message.
Switch to Audit mode first in production environments to collect policy reports (PolicyReport CRDs) showing violations on existing resources before switching to Enforce.
Known gotchas
Kyverno's pattern matching uses wildcards (* and ?) and anchors; the anchor syntax (^key) and conditional anchors differ from Rego and are documented in Kyverno-specific docs — verify the anchor type for your use case.
In Enforce mode a misconfigured match section can inadvertently block system namespaces; always set namespace or label exclusions for kube-system, kyverno, and other critical namespaces.
PolicyReport resources are namespace-scoped while ClusterPolicyReport is cluster-scoped; query the correct type when auditing violation counts.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp