Author a `ClusterPolicy` (or `MutatingPolicy` if using Kyverno 1.17+ CEL APIs) with `spec.rules[].mutate.patchStrategicMerge` targeting `Deployment` resources in all namespaces.
Use a `patchStrategicMerge` patch or a `foreach` loop with `patchesJson6902` to add annotations or inject default resource limits when they are absent.
Set `spec.rules[].match.any[].resources.kinds: [Deployment]` and `spec.rules[].mutate.patchStrategicMerge` to add the annotation key conditionally using `+(key): value` syntax (the `+` prefix is a Kyverno strategic merge addition anchor).
Test the mutation locally with `kyverno apply policy.yaml --resource deployment.yaml` and inspect the mutated output.
Deploy the policy to the cluster and verify by creating a test Deployment without the target annotation; `kubectl describe` should show the annotation injected by Kyverno.
`spec.failureAction` does not apply to mutate rules (a mutation either succeeds or the webhook call fails); instead, confirm the admission webhook is healthy by checking the Kyverno pod logs.
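The steps above as one worked policy, written for this page as an added example (it is not the page's own code or a Kyverno project sample): a `ClusterPolicy` with two `patchStrategicMerge` rules matching `Deployment` resources, one adding an annotation and one injecting default container limits, followed by a constructed test Deployment that lacks both. The annotation key `example.com/owner`, its value, the limit values and the image are assumptions chosen for illustration. The same block also shows the anchor semantics from the gotchas: `+(key)` only adds when absent, `(name): "*"` is a conditional anchor that applies the patch to every container.

```yaml
# Added example (not from the original page): Kyverno ClusterPolicy that
# injects an annotation and default container limits into Deployments.
# Annotation key/value and limit values are assumptions for illustration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deployment-defaults
spec:
  rules:
    - name: add-owner-annotation
      match:
        any:
          - resources:
              kinds:
                - Deployment
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # "+(key)" adds the annotation only when it is absent; a plain
              # "example.com/owner: ..." would overwrite a value already set.
              +(example.com/owner): "platform-team"
    - name: add-default-limits
      match:
        any:
          - resources:
              kinds:
                - Deployment
      mutate:
        patchStrategicMerge:
          spec:
            template:
              spec:
                containers:
                  # (name): "*" is a conditional anchor: patch every container
                  - (name): "*"
                    resources:
                      limits:
                        # again "+(...)" so explicit limits are never overwritten
                        +(cpu): "500m"
                        +(memory): "256Mi"
---
# Constructed test input: no owner annotation and no limits on the container,
# so both rules should fire.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
        - name: echo
          image: nginx:1.27   # placeholder image
```

Save the two documents as `policy.yaml` and `deployment.yaml` and run the page's local check, `kyverno apply policy.yaml --resource deployment.yaml`; the mutated output should carry `example.com/owner: platform-team` under `metadata.annotations` and a `resources.limits` block on the `echo` container. Re-running against a Deployment that already sets `example.com/owner` or explicit limits leaves those values untouched, which is the point of the `+(...)` anchor.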
Known gotchas
Kyverno mutate policies run as a mutating admission webhook; they only fire on CREATE and UPDATE operations unless `mutateExistingOnPolicyUpdate: true` is set.
The `+(key): value` strategic merge anchor adds the field only if it does not already exist; using `key: value` without the anchor would overwrite existing values.
Mutating policies do not support `foreach` over nested arrays in all Kyverno versions; check the changelog for the installed version before using complex foreach patterns.