Skip to main content
Previously, our platform engineer Alex used Kyverno to bring order to his Kubernetes clusters. He started with validate rules to act as a gatekeeper, ensuring incoming resources met organizational standards. Then he applied mutate rules to inject labels and defaults automatically. Both helped enforce consistency, but a new requirement calls for automatically creating resources — a job for Kyverno generate rules. In this lesson we’ll introduce Kyverno generate rules, which create new resources in response to triggers (for example, when a Namespace is created). We’ll follow Alex’s real-world problem to explain why generate rules are the right approach and how to use them effectively.
The image outlines a new security mandate requiring each namespace to include a default "deny-all" NetworkPolicy and a standard role for the CI/CD system. It also mentions Alex, who is currently applying these manually.
Alex’s organization introduced a security mandate: every new Namespace must include a default “deny-all” NetworkPolicy and a standard Role used by their CI/CD pipeline. These are sensible security controls, but Alex has been creating them manually.
The image outlines a challenge faced by Alex regarding manual processes, highlighting issues of being slow, repetitive, and creating a security risk.
Manually watching for Namespace creation and then creating NetworkPolicies and Roles is slow, repetitive, and error-prone. If Alex is busy or forgets, a Namespace could remain unsecured. A validate rule would simply block Namespace creation until the required resources exist — which is not the intended outcome. A mutate rule can only modify the incoming Namespace object; it cannot create separate resources such as a NetworkPolicy or a Role.
The image presents a challenge faced by Alex who is wondering how to automatically create standard resources when a new namespace is created, considering existing rules block certain actions.
The question becomes: how can Alex automate creation of resources when a trigger occurs (for example, on Namespace creation) so that every Namespace automatically receives the mandated NetworkPolicy and Role? Kyverno generate rules solve exactly this problem.
Generate rules let Kyverno create new resources in response to events (like a Namespace creation). This is different from:
  • validate rules (which block or allow requests), and
  • mutate rules (which modify the incoming resource). Use generate when you need Kyverno to produce a separate resource (e.g., a NetworkPolicy, Role, Secret).
This lesson will cover four core generate-rule concepts Alex needs:
The image is an infographic titled "What We'll Learn," featuring a stylized brain in the center and four topics related to resource generation and cloning in IT, arranged around the brain.
Below is a minimal, illustrative example of a Kyverno ClusterPolicy that uses a generate rule to create a NetworkPolicy when a Namespace is created. This example is simplified to show the structure:
Note: The generate block supports different patterns — embedding a manifest, cloning a named resource, or using cloneList to clone multiple resources. In later sections we’ll show concrete examples for each pattern, plus how to configure generation for existing Namespaces.
Avoid using validate to enforce presence of resources that Kyverno can generate. Blocking Namespace creation is disruptive; instead, prefer generate to create required resources automatically or combine generate with monitoring policies to detect missing resources.
By the end of this lesson you will be able to:
  • Automatically create NetworkPolicies, Roles, and other resources when Namespaces are created.
  • Clone centrally managed “golden” resources into multiple Namespaces.
  • Use cloneList to bundle multiple clone operations.
  • Apply generation rules to existing Namespaces to bring the cluster into compliance.
Links and references:

Watch Video