Create a `ClusterPolicy` manifest with `apiVersion: kyverno.io/v1` and a rule with `match.any` selecting Deployments
Set `spec.rules[].validate.message` with a human-readable failure message
Use `spec.rules[].validate.pattern` with deny conditions to check that `spec.template.spec.containers[].resources.requests` and `.limits` are not empty
Set `spec.validationFailureAction: Enforce` to block non-compliant resources; use `Audit` first to assess impact
Apply the policy and run `kyverno test` with a test manifest to verify pass and fail cases before deployment
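The steps above as one policy manifest plus a `kyverno test` definition. This is an added example, not taken from the Kyverno project or the original page; the policy name, rule name, file names and the two Deployment names (`good-deploy` and `bad-deploy`, which you supply in `resources.yaml`) are assumptions.

```yaml
# policy.yaml (names below are assumptions for this example)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits
spec:
  validationFailureAction: Audit  # change to Enforce after reviewing policy reports
  rules:
    - name: check-deployment-resources
      match:
        any:
          - resources:
              kinds: [Deployment]
      exclude:  # keep system namespaces out of scope
        any:
          - resources:
              namespaces: [kube-system]
      validate:
        message: "Every container must set CPU and memory requests and limits."
        pattern:
          spec:
            template:
              spec:
                containers:
                  # "?*" matches any non-empty value; applied to every container
                  - resources:
                      requests: {cpu: "?*", memory: "?*"}
                      limits: {cpu: "?*", memory: "?*"}
---
# kyverno-test.yaml (run from this directory with: kyverno test .)
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: require-requests-limits-test
policies:
  - policy.yaml
resources:
  - resources.yaml  # assumed file holding Deployments good-deploy and bad-deploy
results:
  - policy: require-requests-limits
    rule: check-deployment-resources
    kind: Deployment
    resources: [good-deploy]  # sets requests and limits on every container
    result: pass
  - policy: require-requests-limits
    rule: check-deployment-resources
    kind: Deployment
    resources: [bad-deploy]   # omits the resources block
    result: fail
```

Save the two YAML documents as separate files; the `---` separator only keeps them in one listing here.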
Known gotchas
Kyverno webhook scope is all namespaces by default; explicitly exclude `kube-system` and other system namespaces via `exclude` rules to prevent cluster breakage on install
`validationFailureAction: Enforce` immediately blocks existing CI pipelines that don't set resource limits — always roll out in `Audit` mode first and review the policy report
Kyverno policy reports are stored as CRDs (`PolicyReport`, `ClusterPolicyReport`); without monitoring these, violations in Audit mode are invisible