Write a ClusterPolicy with a generate rule whose match block targets Namespace resources on CREATE operations.
Under generate, set apiVersion, kind (e.g., NetworkPolicy), name and namespace, and put the resource body under data. Kyverno variables are JMESPath expressions in double braces, not Jinja templates: {{request.object.metadata.name}} resolves to the name of the Namespace that triggered the rule, so use it as generate.namespace (quote it, since a bare {{ is invalid YAML).
Set generate.synchronize: true so Kyverno keeps the generated (downstream) resource in sync with the rule, or with the clone source when cloning: edits to the policy propagate, direct edits or deletions of the generated resource are reverted, and removing the policy or rule deletes what it generated.
Optionally use generate.clone to copy an existing resource (such as a Secret) from a source namespace rather than defining it inline.
Apply the ClusterPolicy and create a test namespace; verify the generated resource appears with kubectl get networkpolicy -n <new-namespace>.
For Kyverno 1.16 and later, note that GeneratingPolicy is a separate kind (policies.kyverno.io API group, CEL-based, with its own schema), distinct from a ClusterPolicy generate rule; the two manifests are not interchangeable, so use the kind that matches the version you run.
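The complete ClusterPolicy the steps above describe, written here as an added example rather than taken from the original page. It generates a default-deny-ingress NetworkPolicy into every new namespace and, as a second rule, clones an image pull Secret into it. The policy name, rule names, the source namespace platform-secrets, the Secret name registry-pull-secret and the excluded namespace list are assumptions; the exclude block keeps the rule away from system namespaces, which is the usual requirement in practice.

```yaml
# Added example: ClusterPolicy with two generate rules (one inline data, one clone).
# Names and the excluded namespaces are hypothetical; adjust to your cluster.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny-networkpolicy
spec:
  rules:
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds:
                - Namespace
              operations:
                - CREATE
      # Namespaces are cluster-scoped, so exempt them by name, not by namespace.
      exclude:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        # JMESPath variable: the name of the Namespace being created.
        namespace: "{{request.object.metadata.name}}"
        # true: policy edits propagate, manual edits are reverted,
        # deleting the rule deletes the NetworkPolicy.
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
    - name: clone-registry-pull-secret
      match:
        any:
          - resources:
              kinds:
                - Namespace
              operations:
                - CREATE
      exclude:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      generate:
        apiVersion: v1
        kind: Secret
        name: registry-pull-secret
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        # clone copies an existing object instead of defining it inline;
        # with synchronize: true, rotating the source Secret updates every copy.
        clone:
          namespace: platform-secrets
          name: registry-pull-secret
```

Apply it with kubectl apply -f, create a namespace, and confirm both objects with kubectl get networkpolicy,secret -n <new-namespace>. If one of them is missing, kubectl get updaterequests -n kyverno shows the pending or failed generation and its error.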
Known gotchas
If synchronize is false (the default), Kyverno creates the resource once and then stops tracking it: later policy edits are not propagated, users can change or delete it freely, and removing the policy leaves it in place.
The permissions that matter are not the policy's but the Kyverno background controller's: because the target namespace is only known at runtime, its ServiceAccount must be allowed to get, list, watch, create, update and delete the generated kind cluster-wide. Kyverno picks up extra grants from ClusterRoles labelled rbac.kyverno.io/aggregate-to-background-controller: "true"; without one, Kyverno rejects the rule when the policy is admitted, or, if the grant is removed later, generation fails and the resource never appears (check kubectl get updaterequests -n kyverno).
PolicyExceptions are a separate mechanism and, depending on the release, may be disabled by default; enabling them takes the --enablePolicyException flag and --exceptionNamespace (Helm: features.policyExceptions.enabled and features.policyExceptions.namespace). Pin exceptionNamespace to a namespace only platform admins can write to, otherwise anyone who can create a PolicyException in their own namespace can exempt themselves. They are not the only way to exempt namespaces, though: the rule's exclude block (by name, label or namespaceSelector) skips resources with no extra configuration.
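The two manifests the RBAC and PolicyException gotchas call for, as an added example that is not part of the original page. The first grants the background controller rights over a kind outside Kyverno's default set (PodDisruptionBudget is assumed to be such a kind here; compare against kubectl get clusterrole kyverno:background-controller -o yaml before adding it). The second exempts one namespace from one rule; the policy name add-default-deny-networkpolicy, the rule name default-deny-ingress, the namespace legacy-app and the exception namespace kyverno are assumptions.

```yaml
# Added example, hypothetical names. Document 1: aggregated ClusterRole so the
# Kyverno background controller can generate PodDisruptionBudgets cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller:pdb
  labels:
    # Kyverno aggregates any ClusterRole carrying this label into the
    # background controller's role; no ClusterRoleBinding is needed.
    rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
---
# Document 2: PolicyException. Must live in the namespace given by
# --exceptionNamespace (assumed: kyverno), so only those who can write there
# can create exemptions.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: legacy-app-skip-default-deny
  namespace: kyverno
spec:
  exceptions:
    - policyName: add-default-deny-networkpolicy
      ruleNames:
        - default-deny-ingress
  match:
    any:
      - resources:
          kinds:
            - Namespace
          names:
            - legacy-app
```

Keep the verb list in the ClusterRole minimal: the controller needs the write verbs to create and reconcile downstream resources and the read verbs to watch them for drift, but nothing beyond the kinds your rules actually generate.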