Enable PolicyExceptions in the Kyverno Helm values by setting features.policyExceptions.enabled: true (older releases ship with the feature disabled) and set features.policyExceptions.namespace to the one namespace from which exceptions are accepted. An empty namespace value accepts exceptions from every namespace, so anyone who can create objects in any namespace could waive cluster policy; pin it to a dedicated namespace with tight RBAC.
Create a PolicyException resource (apiVersion: kyverno.io/v2 on current releases, kyverno.io/v2beta1 on older ones; kind: PolicyException, short name polex) in that permitted namespace.
In spec.exceptions, list each policyName (for a namespaced Policy use the <namespace>/<name> form) together with the exact ruleNames to exempt; in spec.match, use the usual any/all blocks with resources.kinds, resources.namespaces and resources.names (wildcards allowed) to restrict which resources are exempt. Keep the match as narrow as possible: an exception with no namespace or name restriction waives the rule cluster-wide.
Optionally set spec.conditions, an any/all block of key/operator/value conditions whose keys are JMESPath expressions over the admission request (for example, require a non-empty waiver ticket annotation), for exemption logic finer than name matching; confirm the field exists on your release with kubectl explain polex.spec.conditions. The CEL-based policy types introduced in Kyverno 1.14 (ValidatingPolicy and friends) are exempted through a separate PolicyException kind under the policies.kyverno.io API group that takes CEL matchConditions, not through this field.
Apply the PolicyException, then create a resource that the policy would otherwise deny: it should be admitted, and the PolicyReport for it should show skip (the result Kyverno records for an exempted resource) rather than fail. Also create the same resource without the exempting attributes (wrong namespace, wrong name, missing condition) and confirm it is still denied, so you know the waiver is as narrow as intended.
Set reportResult: pass in the exception spec (Kyverno 1.16+; confirm the field is present on your release with kubectl explain polex.spec.reportResult) to have policy reports show pass instead of skip, which keeps compliance dashboards and SLOs clean during a planned waiver.
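The whole procedure above, as an added example that is not code from the Kyverno project or its documentation: a POSIX shell script that writes the Helm values, a ClusterPolicy requiring a team label, and the PolicyException that waives it, then (only when APPLY_TO_CLUSTER=1 is set) applies them to a cluster, admits one matching pod, confirms a non-matching pod is still denied, and prints the report results. The namespaces kyverno-exceptions and legacy-apps, the legacy-* name glob, the waiver.example.com/ticket annotation, the policy and rule names, and the ticket value SEC-1234 are all assumptions chosen for the illustration. It also exercises two of the gotchas listed further down: the exception namespace is pinned rather than left empty, and the autogen twin of the rule is named so Deployments are covered as well as Pods.

```shell
#!/bin/sh
# Added example (not Kyverno project code): writes the Helm values, the policy
# being waived and the PolicyException, then, only with APPLY_TO_CLUSTER=1,
# applies them and reads the policy report. Assumed names: exception namespace
# "kyverno-exceptions", workload namespace "legacy-apps", pods "legacy-*" and a
# required waiver annotation "waiver.example.com/ticket".
set -eu

write_manifests() {
  dir=$1
  mkdir -p "$dir"
  # Pin exceptions to one namespace; an empty value accepts them from every
  # namespace, i.e. any namespace admin could waive cluster policy.
  cat >"$dir/values.yaml" <<'EOF'
features:
  policyExceptions:
    enabled: true
    namespace: kyverno-exceptions
EOF
  # The rule being waived: every Pod (and, via autogen, every Pod controller)
  # must carry a "team" label.
  cat >"$dir/policy.yaml" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-team-label
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-team-label
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "A 'team' label is required."
        pattern:
          metadata:
            labels:
              team: "?*"
EOF
  # The waiver: one policy, the rule plus its autogen twin, one namespace,
  # a name glob, and a ticket annotation that must be non-empty.
  cat >"$dir/exception.yaml" <<'EOF'
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: legacy-apps-team-label-waiver
  namespace: kyverno-exceptions
spec:
  exceptions:
    - policyName: require-team-label
      ruleNames:
        - check-team-label
        - autogen-check-team-label
  match:
    any:
      - resources:
          kinds: [Pod, Deployment]
          namespaces: [legacy-apps]
          names: ["legacy-*"]
  conditions:
    all:
      - key: "{{ request.object.metadata.annotations.\"waiver.example.com/ticket\" || '' }}"
        operator: NotEquals
        value: ""
EOF
}

# Live check against a cluster: the annotated pod is admitted and reported as
# "skip"; the unannotated one must still be denied (reports are written
# asynchronously, so rerun the last command after a few seconds if empty).
verify_exception() {
  dir=$1
  helm upgrade --install kyverno kyverno/kyverno -n kyverno --create-namespace -f "$dir/values.yaml"
  kubectl create namespace kyverno-exceptions --dry-run=client -o yaml | kubectl apply -f -
  kubectl create namespace legacy-apps --dry-run=client -o yaml | kubectl apply -f -
  kubectl apply -f "$dir/policy.yaml" -f "$dir/exception.yaml"
  kubectl run legacy-batch --image=busybox:1.36 --restart=Never -n legacy-apps \
    --annotations=waiver.example.com/ticket=SEC-1234 -- sleep 3600
  if kubectl run legacy-untracked --image=busybox:1.36 --restart=Never -n legacy-apps -- sleep 3600; then
    echo "ERROR: pod without a waiver annotation was admitted" >&2
    return 1
  fi
  kubectl get polr -n legacy-apps \
    -o jsonpath='{range .items[*].results[*]}{.policy}{"\t"}{.rule}{"\t"}{.result}{"\n"}{end}'
}

if [ "$#" -gt 0 ]; then
  write_manifests "$1"
  if [ "${APPLY_TO_CLUSTER:-0}" = 1 ]; then
    verify_exception "$1"
  fi
fi
```

Run sh polex-demo.sh ./out to generate the three manifests for review, and APPLY_TO_CLUSTER=1 sh polex-demo.sh ./out to apply them (assumes the kyverno Helm repo is already added and kubectl points at a test cluster). The negative test in verify_exception is the part worth keeping in any waiver runbook: a pod that misses the annotation must still be denied, otherwise the exception is broader than the ticket it was raised for.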
Known gotchas
PolicyExceptions are namespaced resources. When the exceptionNamespace flag (features.policyExceptions.namespace in the chart) is set, Kyverno only reads exceptions from that namespace; an exception created anywhere else is accepted by the API server but never applied, with nothing to tell you it is being ignored. When the flag is unset, exceptions from every namespace are honoured, so leaving it empty on a multi-tenant cluster hands each namespace admin a policy waiver.
Validate rules are the baseline for exception support; whether your release also honours exceptions for mutate, generate or verifyImages rules depends on the version, so check the PolicyException documentation for your installed version and test it (as in the verification step above) before relying on an exception for anything other than a validate rule.
spec.exceptions matches a policy by its metadata.name (for a namespaced Policy, <namespace>/<name>), not by UID, so renaming a policy silently orphans every exception that references the old name and the previously waived resources are denied or reported as failing again. Rule names must match exactly as well, and the rules Kyverno auto-generates for Pod controllers have their own names (autogen-<rule>, autogen-cronjob-<rule>), which must be listed separately if the exception is meant to cover Deployments, Jobs or CronJobs rather than only Pods.