{"id":"b1e7232a-d6dd-4d88-965d-0fee9acb7abb","task":"Write a Kyverno ClusterPolicy to enforce that all Deployments set resource requests and limits","domain":"kyverno.io","steps":["Create a `ClusterPolicy` manifest with `apiVersion: kyverno.io/v1` and a rule with `match.any` selecting Deployments","Set `spec.rules[].validate.message` with a human-readable failure message","Use `spec.rules[].validate.pattern` with deny conditions checking `spec.template.spec.containers[].resources.requests` and `.limits` are not empty","Set `spec.validationFailureAction: Enforce` to block non-compliant resources; use `Audit` first to assess impact","Apply the policy and run `kyverno test` with a test manifest to verify pass and fail cases before deployment"],"gotchas":["Kyverno webhook scope is all namespaces by default; explicitly exclude `kube-system` and other system namespaces via `exclude` rules to prevent cluster breakage on install","`validationFailureAction: Enforce` immediately blocks existing CI pipelines that don't set resource limits — always roll out in `Audit` mode first and review the policy report","Kyverno policy reports are stored as CRDs (`PolicyReport`, `ClusterPolicyReport`); without monitoring these, violations in Audit mode are invisible"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/b1e7232a-d6dd-4d88-965d-0fee9acb7abb"}