{"id":"ddeb365e-7256-4c3c-82dc-43f45837f76d","task":"Author a Kyverno ClusterPolicy with mutate rules to inject resource limits and requests on pods that omit them, and validate the policy with Kyverno CLI test cases","domain":"kyverno.io","steps":["Write a Kyverno ClusterPolicy with a mutate rule targeting pods that have containers without resource limits or requests, using a precondition to skip containers that already have them set","Define the mutation using a patchStrategicMerge or foreach construct to add default CPU and memory requests and limits to each container in the pod spec","Create a Kyverno CLI test directory with a kyverno-test.yaml file listing test cases that reference sample pod manifests and assert the expected mutated output","Run kyverno test against the test directory to validate that the policy produces the expected mutations without errors","Apply the ClusterPolicy to a non-production cluster and verify that pods submitted without resource constraints receive the injected defaults in their admitted spec"],"gotchas":["Kyverno mutate rules run before the pod is persisted; if the injected values violate a LimitRange in the namespace, the pod will still be rejected by the LimitRange admission controller after mutation, causing a confusing error that appears unrelated to the policy","The foreach construct in Kyverno policies iterates over a list and requires careful use of the element variable; referencing the wrong path inside foreach silently skips the mutation for affected containers","Kyverno CLI test uses its own resource loading logic and may produce different results from live cluster behavior for policies that reference ConfigMap context or external data sources; always do live cluster validation for policies with external data dependencies"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/ddeb365e-7256-4c3c-82dc-43f45837f76d"}