- What Kyverno is
- How Kyverno works inside the API server admission flow
- Example policies (validation and mutation) and a short demo workflow

Why use Kyverno?
Consider a simple Deployment manifest you might apply to a cluster:kubectl apply, Kubernetes validates manifest syntax and authorizations, but it won’t enforce organization-specific policies by default. Requiring labels, disallowing public registries, enforcing resource requests/limits, or rejecting :latest images manually is error-prone and hard to scale.
Automating policy enforcement with Kyverno ensures consistency, lowers developer feedback latency, and preserves compliance without slowing delivery.

Common policy examples
Below are typical policies organizations enforce via Kyverno:
You can adopt these examples to fit your environment (private registry prefix, minimum replicas, allowed namespaces, etc.).

Where Kyverno integrates with Kubernetes
Incoming API requests pass through authentication and authorization, then the admission controller pipeline. Admission webhooks can mutate or validate requests before objects are persisted to etcd. Kyverno runs as an admission webhook (a third-party policy agent) and can perform mutations and validations in the mutating and validating admission stages. If a request complies with Kyverno policies, the webhook allows it; otherwise it is denied or logged (depending on policy action).
Installing Kyverno
Kyverno is distributed via Helm. Installing creates the necessary CustomResourceDefinitions (CRDs) and deploys Kyverno controllers plus the admission webhook. Add the Helm repo, refresh, and inspect the chart:Policy basics (CRDs and actions)
Kyverno introduces CRDs such asClusterPolicy and Policy. Policies can:
- Validate requests (deny or audit violations).
- Mutate requests before admission.
- Generate reports.
validationFailureAction to control enforcement:
Set
validationFailureAction to Enforce to deny non-compliant requests, or Audit to allow requests but record violations for reporting.Example 1 — Require a team label on Deployments
ClusterPolicy that enforces a non-empty team label on Deployments:
matchtargets resource kinds (here:Deployment).validate.messageis returned when the rule is violated.- The pattern
team: "?*"requires a non-empty string for theteamlabel.
team label will be denied by Kyverno’s admission webhook:
labels: { team: frontend } to succeed.
Example 2 — Minimum replicas validation
Require at least 3 replicas for Deployments:spec.replicas and denies requests with replicas < 3.
Mutation example — set imagePullPolicy when image uses :latest
Kyverno can mutate incoming requests. Example: setimagePullPolicy when a container uses the :latest tag:
mutate.patchStrategicMergemerges values into the incoming object.- The special key
(image): "*:latest"matches container entries whereimageends with:latestand setsimagePullPolicy.
Demo workflow (commands)
- Install Kyverno using the Helm commands above.
- Create and apply example ClusterPolicy YAML files (labels, replicas, mutation).
- Attempt to apply Deployments/Pods that violate policies to observe Kyverno denying them.
- Switch
validationFailureActionfromAudittoEnforceafter validating policy impact.

Additional policy examples
- Deny
:latestor require an explicit tag:
- Allow only images from a private registry (example uses
kodekloud.io):
kodekloud.io/* enforces that the image string begins with the private registry prefix — replace with your registry (for example: myregistry.internal/*).
Hands-on tips
- Start with
validationFailureAction: Auditto measure impact before switching toEnforce. - For lists like
containers, Kyverno’s wildcard patterns and strategic merge keys (e.g.,(image)) let you match items by key. - Consider enabling Kyverno’s pre-configured Pod Security Standard policies to get a baseline. See Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/

Summary
Kyverno is a Kubernetes-native policy engine that integrates with the admission webhook pipeline to validate and mutate resources using native Kubernetes CRDs (ClusterPolicy and Policy). With Kyverno you can automate enforcement of labels, image registries and tags, resource constraints, replica counts, network controls, and more. Installing via Helm is simple, and Kyverno offers pre-built policy bundles for common best practices. Start with Audit mode to validate impact, then move to Enforce when ready.
Happy experimenting with Kyverno — it’s a practical way to automate policy enforcement across your cluster.