config-version label. A standard mutate rule cannot reach across resources because it only mutates the incoming resource in the admission request. That prevents him from updating the Secret directly during admission.


- Asynchronous timing — mutations happen shortly after the trigger event; there may be a small, variable delay.
- Additional permissions — because the background controller modifies existing resources, it needs RBAC permissions to
get,update, or otherwise operate on those resources.

get and update on Secrets), and label it with rbac.kyverno.io/aggregate-to-background-controller: "true". Kyverno will aggregate this role into the background controller’s effective permissions.
Create a ClusterRole with the precise permissions you need and add the aggregation label. Do not edit Kyverno’s default ClusterRoles directly.
get and update on Secrets:
match(orexclude) defines the trigger — the admission events that cause an UpdateRequest to be created (e.g., updates to a specific ConfigMap).mutate.targetslists the existing resources to be modified (the background controller will process these).
matchis the trigger: when an admission event matches this filter, Kyverno will create an UpdateRequest.mutate.targetsis the set of existing resources to patch. You can usepatchStrategicMergeto describe the mutation.- For dynamic values, replace the static
"v1"with templating or variables as required by your workflow.
-
Admission phase (fast)
- The ConfigMap update triggers the policy in the Admission Controller.
- Instead of mutating another resource immediately, Kyverno creates an UpdateRequest (UR) describing the intended mutation.
- The admission request is allowed quickly so
kubectl applyremains responsive.
-
Background mutation (asynchronous)
- The background controller watches for UpdateRequest resources.
- It reads the UR, locates the target resource(s) (for example, the Secret), and applies the mutation.
- The mutation occurs asynchronously; expect a small delay.

- Why: Standard mutate rules only affect the resource in the admission request. Mutate-existing policies let events on one resource trigger changes to other existing resources.
- Who does the work: The Admission Controller creates an UpdateRequest; the Background Controller executes the mutation asynchronously.
- Policy layout: Use a
matchblock for the trigger andmutate.targetsfor the resources to patch. - Mechanism: Admission -> UpdateRequest -> Background Controller processes UR -> Target resource updated.
- Prerequisite: Grant background-controller permissions via a ClusterRole labeled with
rbac.kyverno.io/aggregate-to-background-controller: "true"so Kyverno can aggregate permissions safely.

- Use label or field selectors in
matchto scope triggers precisely. - Target multiple resources in
mutate.targets. - Combine conditionals or JMESPath expressions (where supported) to compute dynamic patch content.
- Monitor UpdateRequests and Kyverno logs when debugging asynchronous mutations.
- Kyverno Mutate Existing Resources (docs)
- Kubernetes RBAC documentation
- Kyverno RBAC aggregation guide