kyverno test command helps policy authors build automated, repeatable test suites for Kyverno policies. While kyverno apply is great for ad-hoc, developer-focused validation, kyverno test lets you assert expected behavior across many resources and detect regressions when policies change.

- Policy authors need confidence that policies:
- Pass for valid resources.
- Fail for invalid resources.
- Are skipped for excluded resources.
- Manually running
kyverno applyfor many scenarios is error-prone and doesn’t scale. kyverno testprovides a declarative test runner to automate these checks in CI/CD pipelines.

kyverno apply: Imperative, ad-hoc. Use when you want to quickly check how a policy affects a resource during development.kyverno test: Declarative test framework. Use to assert expected outcomes (pass/fail/skip/warn or expected mutated/generated resources) and run those assertions automatically.
Use
kyverno apply for interactive debugging; use kyverno test to create reproducible assertions suitable for CI/CD and regression detection.
kyverno-test.yaml or kyverno-test.yml. This file declares inputs (policies, resources, optional exceptions and variables) and expected outputs (results). Place the manifest and related fixtures in a directory and run the CLI against that directory.

- Inputs
policies: list of policy file pathsresources: list of resource fixturesexceptions: optional exception policiesvariables: optional values file for substitutions
- Results
- Declarative assertions tying a
policy,rule, andresourceto an expectedresult(pass/fail/skip/warn) - For mutate/generate rules, include
patchedResourceorgeneratedResourceto compare the actual output to a file
- Declarative assertions tying a
policiesandresourcesare file paths (relative or absolute) the runner reads.variablespoints to a values file if your policies use substitutions.- The
resultslist is the core: each entry maps apolicy,rule, andresourceto an expectedresult.
- For validation-style rules, asserting the evaluation outcome (
pass,fail,skip, orwarn) is usually sufficient:
- For mutate rules, you must verify the actual mutation. Use
patchedResourcewith the expected post-mutation YAML. - For generate rules, use
generatedResourceto assert the exact generated resource content. - The test runner performs a deep comparison between actual and expected files, making assertions precise for complex transformations.
When asserting mutated/generated resources, ensure your expected YAML files account for defaulted fields and ordering differences. Use exact, deterministic fixtures to avoid false negatives.
- Place:
kyverno-test.yaml(or.yml)- policy files
- resource fixtures
- expected
patchedResource/generatedResourcefiles
- Run the CLI from the directory (use
.for current directory):
kyverno test in CI/CD?
- Detect regressions when policies change.
- Provide deterministic, automated verification for policy libraries.
- Improve confidence for policy maintainers and reduce manual verification effort.

kyverno testis a declarative framework to assert policy behavior across resources and scenarios.- The
kyverno-test.yamlfile defines inputs (policies, resources, exceptions, variables) and expected outputs (results). - Use simple
resultassertions for validate rules; usepatchedResource/generatedResourceto verify mutate and generate rules. - Add
kyverno testinto CI/CD pipelines to automatically catch regressions and give policy authors confidence when changing policies.
- Kyverno documentation: https://kyverno.io/docs/
- Kyverno CLI reference: https://kyverno.io/docs/kyverno-cli/