Skip to main content
In the introduction we saw Alex’s frustration with the slow feedback loop: edit YAML, apply to a cluster, then wait to discover the resource is non-compliant. This lesson fixes that by letting you validate policies and manifests locally — fast. What is the Kyverno CLI? The Kyverno CLI is a standalone command-line tool for authoring, testing, and validating Kyverno policies and Kubernetes resources outside of a cluster. It runs the same evaluation engine as the in-cluster Kyverno admission controller, so you can get accurate, instant feedback on your workstation or inside CI/CD.
The image features a text box with an explanation of the Kyverno CLI as a standalone, command-line tool for interacting with Kyverno policies and resources outside of a cluster.
Key benefit: local policy testing and “shift left” One of the most valuable features — and the focus of this lesson — is the CLI’s ability to test policies against one or more resources entirely locally. You do not need cluster access to check whether a manifest complies with a policy. This reduces debugging time, avoids failed deploys, and is ideal for adding checks to CI pipelines.
The image displays key features of Kyverno CLI, including local policy testing, instant feedback, CI/CD integration, and "shift left" for compliance checks. Each feature is briefly described with associated icons.
Installation Install the Kyverno CLI using the method that best fits your platform and workflow: For this lesson we’ll assume the kyverno executable is on your PATH (or you run kubectl kyverno if installed via krew). The command we’ll master: kyverno apply kyverno apply simulates the Kyverno admission controller locally. It accepts policy files and one or more resource manifests, evaluates resources against the rules, and prints a concise summary indicating pass/fail status.
The image discusses the core command 'kyverno apply', explaining that it simulates how the Kyverno admission controller evaluates a resource.
Basic usage
Simple test case: a single policy and a pod manifest Create two local files:
  1. policy.yaml — ClusterPolicy that enforces every Pod to have metadata.labels.purpose: production.
  2. pod.yaml — Pod manifest that initially omits labels.
policy.yaml:
pod.yaml (initial, missing labels):
Run the CLI to verify the pod against the policy. Failing run (when the label is missing):
Why does the output say “Applying: 3 policy rule(s)…” when the file only defines one rule? Kyverno generates Autogen Rules for related controllers (Deployments, StatefulSets, Jobs, CronJobs, etc.) based on your Pod rule. This ensures coverage for resources created by controllers without requiring you to write duplicate rules. The CLI reports each generated rule when evaluating.
Kyverno’s Autogen Rules expand a single Pod rule into additional rules for common controllers (Deployments, StatefulSets, Jobs, CronJobs, etc.), which is why a single policy can appear as multiple evaluated rules.
Fix the manifest and re-run Alex adds the required label to his Pod: pod.yaml (updated):
Passing run (after adding the label):
Command output overview Wrap up Using kyverno apply lets you shift left: validate policies and manifests locally for immediate feedback, integrate checks into CI/CD, and reduce the cycle time and frustration of trial-and-error cluster deployments. In this lesson we covered the basic kyverno apply workflow and demonstrated a simple enforcement policy. The CLI supports many additional flags and advanced scenarios (multiple policies, globbing, JSON/summary outputs) that you’ll see in the next lesson.
The image is a summary diagram with four points explaining the goals and benefits of using a CLI tool for testing policies and resources, emphasizing fast feedback, validation commands, workflow, and CI/CD integration. Each point is color-coded and numbered, highlighting different aspects of the tool's functionality and advantages.
Links and references
  • Kyverno CLI GitHub Releases: https://github.com/kyverno/kyverno/releases
  • Kyverno repository: https://github.com/kyverno/kyverno
  • Homebrew: https://brew.sh
  • krew (kubectl plugin manager): https://krew.sigs.k8s.io
In the next lesson we’ll explore advanced kyverno apply flags, multi-file testing, automated CI integration, and output formats for scripting and reporting.

Watch Video