Author a Kyverno ClusterPolicy with mutate rules to inject resource limits and requests on pods that omit them, and validate the policy with Kyverno CLI test cases
Write a Kyverno ClusterPolicy with a mutate rule targeting pods that have containers without resource limits or requests, using a precondition to skip containers that already have them set
Define the mutation using a patchStrategicMerge or foreach construct to add default CPU and memory requests and limits to each container in the pod spec
Create a Kyverno CLI test directory with a kyverno-test.yaml file listing test cases that reference sample pod manifests and assert the expected mutated output
Run kyverno test against the test directory to validate that the policy produces the expected mutations without errors
Apply the ClusterPolicy to a non-production cluster and verify that pods submitted without resource constraints receive the injected defaults in their admitted spec
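The steps above as an added example, not taken from the original page or from the Kyverno project: a patchStrategicMerge policy and the CLI test file that checks it. It uses Kyverno's add-if-absent anchor `+(key)` instead of an explicit precondition to leave already-set values alone. Assumptions: the policy, rule and file names and the default values are constructed, and `patchedResources` is the field name in recent Kyverno CLI releases (older releases use `patchedResource`).

```yaml
# File 1: policy.yaml (file name is an assumption)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resources              # hypothetical policy name
spec:
  rules:
    - name: add-default-requests-limits    # hypothetical rule name
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name): "*" is a conditional anchor matching every container
              - (name): "*"
                resources:
                  # +(key) adds the field only when it is absent, so values
                  # the pod author already set are left unchanged
                  requests:
                    +(cpu): "100m"         # constructed defaults
                    +(memory): "128Mi"
                  limits:
                    +(cpu): "500m"
                    +(memory): "256Mi"
---
# File 2: kyverno-test.yaml, in the same directory as policy.yaml
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: add-default-resources-test
policies:
  - policy.yaml
resources:
  - pod-no-resources.yaml                  # sample Pod with no resources block
results:
  - policy: add-default-resources
    rule: add-default-requests-limits
    resources:
      - pod-no-resources                   # metadata.name of the sample Pod
    patchedResources: pod-patched.yaml     # expected Pod after mutation
    kind: Pod
    result: pass
```

A second test case worth adding is a container that sets a memory request above the default limit but no limit of its own: the policy would inject a limit lower than the request, which the API server rejects as an invalid pod spec.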
Known gotchas
Kyverno mutate rules run before the pod is persisted; if the injected values violate a LimitRange in the namespace, the pod will still be rejected by the LimitRange admission controller after mutation, causing a confusing error that appears unrelated to the policy
The foreach construct in Kyverno policies iterates over a list and requires careful use of the element variable; referencing the wrong path inside foreach silently skips the mutation for affected containers
Kyverno CLI test uses its own resource loading logic and may produce different results from live cluster behavior for policies that reference ConfigMap context or external data sources; always do live cluster validation for policies with external data dependencies