> ## Documentation Index
> Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Autogen Rules

> Explains Kyverno autogen which generates controller-specific Kubernetes validation rules from a single Pod-focused policy to reduce duplication and simplify image registry enforcement

This article expands on validation policies and introduces Kyverno's autogen feature — a powerful way to automatically generate controller-specific rules from a single Pod-focused policy. Autogen reduces repetition, minimizes errors, and keeps policies maintainable as new controllers or operators are introduced.

Let's follow Alex, a platform engineer who needs to ensure all application images come from the enterprise registry.

Alex’s requirement is simple: validate that container images are pulled only from `registry.domain.com/*`. But developers don't usually create Pods directly.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/pod-controller-maze-trusted-registry.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=7b2987acdb510ab90073deeee294d836" alt="The image outlines a problem titled &#x22;The Pod Controller Maze,&#x22; where Alex's goal is to ensure all container images come from a trusted internal registry, but the challenge is that pods aren't usually created directly and are managed by controllers." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/pod-controller-maze-trusted-registry.jpg" />
</Frame>

Instead, workloads are created via Deployments, StatefulSets, DaemonSets, Jobs, CronJobs, and operator-managed resources. Each controller embeds the Pod spec at a different JSON path, so a naive approach requires separate rules for each controller type.

Manual approach (repetitive and error-prone)

Alex starts with a Pod-level validation rule:

```yaml theme={null}
# Validate images when a Pod is created directly
- name: validate-pods
  match:
    any:
      - resources:
          kinds:
            - Pod
  validate:
    pattern:
      spec:
        containers:
          - image: "registry.domain.com/*"
```

When targeting controllers that embed Pod templates at `spec.template.spec`, he must create another rule:

```yaml theme={null}
# Validate images for controllers that embed a pod template at spec.template.spec
- name: validate-deployments-statefulsets
  match:
    any:
      - resources:
          kinds:
            - Deployment
            - StatefulSet
            - DaemonSet
            - Job
  validate:
    pattern:
      spec:
        template:
          spec:
            containers:
              - image: "registry.domain.com/*"
```

CronJobs use a different path (`spec.jobTemplate.spec.template.spec`), requiring yet another nearly identical rule:

```yaml theme={null}
# Validate images for CronJobs
- name: validate-cronjobs
  match:
    any:
      - resources:
          kinds:
            - CronJob
  validate:
    pattern:
      spec:
        jobTemplate:
          spec:
            template:
              spec:
                containers:
                  - image: "registry.domain.com/*"
```

Maintaining multiple variants of the same rule quickly becomes tedious. Kyverno’s autogen feature solves this by generating controller-specific rules from a Pod-focused rule.

Autogen: write once, apply everywhere

The core idea: author your policy for the lowest-level resource you care about (Pod). Kyverno will auto-generate the corresponding policies for controllers that create Pods.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/kyverno-pods-policies-solution-diagram.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=2131e8be697cd57d2eb3bf9e91a54877" alt="The image explains Kyverno's solution to focus on pods, highlighting the principle of focusing on the lowest-level object and writing policies targeting pods. It suggests that Kyverno will handle complex rules automatically." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/kyverno-pods-policies-solution-diagram.jpg" />
</Frame>

Here’s the simplified policy Alex now writes — only targeting Pod objects:

```yaml theme={null}
# Single policy that targets Pods — Kyverno will autogenerate controller-specific rules
- name: validate-registries
  match:
    any:
      - resources:
          kinds:
            - Pod
  validate:
    failureAction: Enforce
    message: "Images may only come from our internal enterprise registry."
    pattern:
      spec:
        containers:
          - image: "registry.domain.com/*"
```

When applied, Kyverno activates autogen and creates equivalent rules for controllers automatically. You can inspect the policy status in-cluster and check `status.autogen.rules` to review what Kyverno generated:

```yaml theme={null}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  # ... original Pod-only rule ...
status:
  autogen:
    rules:
      - name: autogen-validate-registries
        # ... generated rule for Deployments, StatefulSets, Jobs, DaemonSets, etc. ...
      - name: autogen-cronjob-validate-registries
        # ... generated rule for CronJobs ...
```

Example generated rules

Kyverno wraps your Pod pattern inside controller-specific paths.

Most controllers (Deployment, StatefulSet, DaemonSet, Job, etc.) get rules that place the Pod pattern under `spec.template.spec`:

```yaml theme={null}
# Example generated rule for most controllers
- name: autogen-validate-registries
  match:
    any:
      - resources:
          kinds:
            - Deployment
            - StatefulSet
            - DaemonSet
            - Job
            # ... other common controllers ...
  validate:
    message: "Images may only come from our internal enterprise registry."
    pattern:
      spec:
        template:
          spec:
            containers:
              - image: "registry.domain.com/*"
```

CronJobs receive a separate generated rule because their Pod template is nested at `spec.jobTemplate.spec.template.spec`:

```yaml theme={null}
# Example generated rule for CronJobs
- name: autogen-cronjob-validate-registries
  match:
    any:
      - resources:
          kinds:
            - CronJob
  validate:
    message: "Images may only come from our internal enterprise registry."
    pattern:
      spec:
        jobTemplate:
          spec:
            template:
              spec:
                containers:
                  - image: "registry.domain.com/*"
```

Controlling autogen behavior

If you need fine-grained control over which controllers receive generated rules, Kyverno exposes the `pod-policies.kyverno.io/autogen-controllers` annotation on the policy.

Examples:

```yaml theme={null}
# Generate rules only for Deployment and Job controllers
pod-policies.kyverno.io/autogen-controllers: "Deployment,Job"
```

```yaml theme={null}
# Disable autogen for this policy; only Pod objects will be validated
pod-policies.kyverno.io/autogen-controllers: "none"
```

When autogen is skipped

Autogen is conservative and will skip generation if the original rule is too specific or otherwise cannot be safely translated to parent controller objects. Scenarios that prevent autogen include:

* Matching a Pod by name (controller resource names differ).
* Using label selectors or annotation filters that apply specifically to Pods and cannot be sensibly applied to controllers.
* The rule’s `kinds` list contains resources other than `Pod` (e.g., `ConfigMap`, `Secret`).

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/kyverno-autogen-skip-conditions-kubernetes.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=f8309b73557cc2ff8cbd9d0f12e89b4e" alt="The image outlines conditions under which Kyverno autogen is skipped, highlighting issues related to names, selectors, and annotations in Kubernetes." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/kyverno-autogen-skip-conditions-kubernetes.jpg" />
</Frame>

To maximize the chances that autogen runs for your rule:

* Target only `Pod` in the `kinds` list.
* Avoid name-based matches, Pod-specific selectors, or predicates that cannot be translated to controllers.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/autogen-skipped-when-rule-kinds-pod.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=50beb63fd2cf92d973c266e3aeb6020e" alt="The image explains when autogen is skipped, indicating it works only if the rule's kinds list contains only &#x22;Pod&#x22; and is disabled for lists with other kinds like &#x22;ConfigMap.&#x22;" width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/autogen-skipped-when-rule-kinds-pod.jpg" />
</Frame>

Quick reference table

| Topic                   | Behavior / Example                                                                                       |
| ----------------------- | -------------------------------------------------------------------------------------------------------- |
| Author focus            | Write the rule for `Pod` (lowest-level object).                                                          |
| Autogen default         | Kyverno generates rules for common controllers (Deployment, StatefulSet, DaemonSet, Job, CronJob, etc.). |
| Check generated rules   | Inspect `status.autogen.rules` in the policy object.                                                     |
| Restrict autogen        | Use annotation `pod-policies.kyverno.io/autogen-controllers: "Deployment,Job"`                           |
| Disable autogen         | Use annotation `pod-policies.kyverno.io/autogen-controllers: "none"`                                     |
| When autogen is skipped | Name matches, Pod-only selectors/annotations, or `kinds` includes non-Pod resources.                     |

<Callout icon="lightbulb" color="#1CB2FE">
  Autogen simplifies policy management, but always review the generated rules in `status.autogen.rules` to confirm they match your intent — especially when working with custom controllers or operator-managed resources.
</Callout>

Summary

* Problem: Pods are created via many controllers and live at different JSON paths, which used to require multiple, nearly identical rules.
* Solution: Write a single Pod-targeting rule and let Kyverno autogen produce controller-specific rules automatically.
* Customization: Use `pod-policies.kyverno.io/autogen-controllers` annotation to limit or disable autogen.
* Safety: Kyverno skips autogen for rules that are too specific or otherwise cannot be translated to controller resources.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/how-it-works-kyverno-policy-rules.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=f3083cb6d787a4b097e77d2393722e5c" alt="The image illustrates a three-step process titled &#x22;How It Works&#x22; related to creating and adapting policy rules for Kyverno. Each step is numbered and described, focusing on targeting pods, generating necessary rules, and adapting validation paths." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/how-it-works-kyverno-policy-rules.jpg" />
</Frame>

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/customization-options-annotations-summary.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=5f52877ea33333f952d049ede451ff3a" alt="The image contains a summary and key takeaways, highlighting two points: customization options through annotations for controllers and limitations where autogen is skipped based on certain criteria." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Autogen-Rules/customization-options-annotations-summary.jpg" />
</Frame>

Further reading and references

* Kyverno Documentation — Policies and Autogen (see Kyverno docs for the latest details).
* Kubernetes API conventions and controller patterns:
  * [Kubernetes Controllers](https://kubernetes.io/docs/concepts/architecture/controller/)
  * [Pod Template spec paths](https://kubernetes.io/docs/concepts/workloads/controllers/)

Using autogen will dramatically simplify your policy set and make it more robust and maintainable.

<CardGroup>
  <Card title="Watch Video" icon="video" cta="Learn more" href="https://learn.kodekloud.com/user/courses/kyverno-certified-associate/module/f5dd3064-bb37-41e2-8092-362f4cd56c57/lesson/b33740d9-ee2b-4dbb-868c-a40ce74692ea" />
</CardGroup>
