> ## Documentation Index
> Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Section Introduction

> Explains Kyverno generate rules to automatically create or clone NetworkPolicies, Roles, and other resources for new and existing Kubernetes Namespaces.

Previously, our platform engineer Alex used Kyverno to bring order to his Kubernetes clusters. He started with validate rules to act as a gatekeeper, ensuring incoming resources met organizational standards. Then he applied mutate rules to inject labels and defaults automatically. Both helped enforce consistency, but a new requirement calls for automatically *creating* resources — a job for Kyverno generate rules.

In this lesson we’ll introduce Kyverno generate rules, which create new resources in response to triggers (for example, when a Namespace is created). We’ll follow Alex’s real-world problem to explain why generate rules are the right approach and how to use them effectively.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/hJh5x-qVKKdv5wHs/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/security-mandate-namespace-deny-all-policy.jpg?fit=max&auto=format&n=hJh5x-qVKKdv5wHs&q=85&s=fcead889cb1bc06048a6074212a60916" alt="The image outlines a new security mandate requiring each namespace to include a default &#x22;deny-all&#x22; NetworkPolicy and a standard role for the CI/CD system. It also mentions Alex, who is currently applying these manually." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/security-mandate-namespace-deny-all-policy.jpg" />
</Frame>

Alex’s organization introduced a security mandate: every new Namespace must include a default “deny-all” NetworkPolicy and a standard Role used by their CI/CD pipeline. These are sensible security controls, but Alex has been creating them manually.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/hJh5x-qVKKdv5wHs/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/alex-manual-processes-challenge-outline.jpg?fit=max&auto=format&n=hJh5x-qVKKdv5wHs&q=85&s=432c712f96cacdb93c3392c1b0445d3f" alt="The image outlines a challenge faced by Alex regarding manual processes, highlighting issues of being slow, repetitive, and creating a security risk." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/alex-manual-processes-challenge-outline.jpg" />
</Frame>

Manually watching for Namespace creation and then creating NetworkPolicies and Roles is slow, repetitive, and error-prone. If Alex is busy or forgets, a Namespace could remain unsecured. A validate rule would simply block Namespace creation until the required resources exist — which is not the intended outcome. A mutate rule can only modify the incoming Namespace object; it cannot create separate resources such as a NetworkPolicy or a Role.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/hJh5x-qVKKdv5wHs/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/alex-namespace-resource-creation-challenge.jpg?fit=max&auto=format&n=hJh5x-qVKKdv5wHs&q=85&s=f820870953e4030e7d71443b720255bd" alt="The image presents a challenge faced by Alex who is wondering how to automatically create standard resources when a new namespace is created, considering existing rules block certain actions." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/alex-namespace-resource-creation-challenge.jpg" />
</Frame>

The question becomes: how can Alex automate creation of resources when a trigger occurs (for example, on Namespace creation) so that every Namespace automatically receives the mandated NetworkPolicy and Role? Kyverno generate rules solve exactly this problem.

<Callout icon="lightbulb" color="#1CB2FE">
  Generate rules let Kyverno create new resources in response to events (like a Namespace creation). This is different from:

  * `validate` rules (which block or allow requests), and
  * `mutate` rules (which modify the incoming resource).
    Use `generate` when you need Kyverno to produce a separate resource (e.g., a NetworkPolicy, Role, Secret).
</Callout>

This lesson will cover four core generate-rule concepts Alex needs:

| Concept                     | Purpose                                                                                                  | When to use                                                                                                           |
| --------------------------- | -------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| Data source generation      | Embed the full YAML manifest inside the policy and generate the resource from that manifest              | When you want Kyverno to create a templated resource (e.g., a standard NetworkPolicy) that isn’t stored anywhere else |
| Clone source                | Use a centrally managed “golden” resource (ConfigMap, Secret) as the source to clone into new Namespaces | When multiple Namespaces need the same configuration from a single source of truth                                    |
| cloneList                   | Combine multiple clone operations in a single rule to clone a set of resources at once                   | When you need to populate a new Namespace with several standard resources in one action                               |
| Apply to existing resources | Run generate rules against already-created Namespaces to bring them into compliance                      | When you want to retroactively ensure all Namespaces have the required resources, not just newly created ones         |

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/hJh5x-qVKKdv5wHs/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/what-well-learn-infographic-brain-topics.jpg?fit=max&auto=format&n=hJh5x-qVKKdv5wHs&q=85&s=f0a7caf915be9ab3664aa9945e647d3d" alt="The image is an infographic titled &#x22;What We'll Learn,&#x22; featuring a stylized brain in the center and four topics related to resource generation and cloning in IT, arranged around the brain." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Generate-Rules/Section-Introduction/what-well-learn-infographic-brain-topics.jpg" />
</Frame>

Below is a minimal, illustrative example of a Kyverno ClusterPolicy that uses a generate rule to create a `NetworkPolicy` when a `Namespace` is created. This example is simplified to show the structure:

```yaml theme={null}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-deny-all-networkpolicy
spec:
  rules:
  - name: gen-deny-all
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: NetworkPolicy
      name: deny-all
      clone:
        # one option: embed the resource manifest directly (data source)
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        metadata:
          name: deny-all
        spec:
          podSelector: {}
          policyTypes:
          - Ingress
          - Egress
```

Note: The `generate` block supports different patterns — embedding a manifest, cloning a named resource, or using `cloneList` to clone multiple resources. In later sections we’ll show concrete examples for each pattern, plus how to configure generation for existing Namespaces.

<Callout icon="warning" color="#FF6B6B">
  Avoid using `validate` to enforce presence of resources that Kyverno can generate. Blocking Namespace creation is disruptive; instead, prefer `generate` to create required resources automatically or combine `generate` with monitoring policies to detect missing resources.
</Callout>

By the end of this lesson you will be able to:

* Automatically create NetworkPolicies, Roles, and other resources when Namespaces are created.
* Clone centrally managed “golden” resources into multiple Namespaces.
* Use `cloneList` to bundle multiple clone operations.
* Apply generation rules to existing Namespaces to bring the cluster into compliance.

Links and references:

* Kyverno generate rules — [https://kyverno.io/docs](https://kyverno.io/docs) (see "Generate" section)
* Kubernetes Namespaces — [https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
* Best practices for NetworkPolicy — [https://kubernetes.io/docs/concepts/services-networking/network-policies/](https://kubernetes.io/docs/concepts/services-networking/network-policies/)

<CardGroup>
  <Card title="Watch Video" icon="video" cta="Learn more" href="https://learn.kodekloud.com/user/courses/kyverno-certified-associate/module/9024a647-736d-4de4-8b1a-d0efe638df18/lesson/04edd90e-9239-4643-b7f2-63bb031a5b0f" />
</CardGroup>
