Skip to main content
In this lesson/article we will explore the failureAction field in Kyverno policies and how it controls policy behavior for create and update requests. We begin with a simple ClusterPolicy that requires every Namespace to include a purpose: production label:
This is a ClusterPolicy (applies cluster-wide). The rule is a validate rule that:
  • matches resources of kind Namespace
  • rejects non-conforming resources because failureAction is Enforce
  • returns the provided message when validation fails
  • enforces the pattern that requires metadata.labels.purpose to equal production
Apply the policy:
Confirm the policy is ready:
Try to create a namespace that does not include the required label:
With failureAction: Enforce, the admission webhook blocks the creation and returns a validation error:
This demonstrates that Enforce acts as a hard gate: non-compliant resources are rejected on creation.
Next, consider updates to pre-existing, non-compliant resources. By default, Kyverno will not block updates to resources that were already violating the policy when the policy was added. This is controlled by the allowExistingViolations field (defaults to true). For example, list existing namespaces and their labels:
Label an existing namespace default with purpose=test (an incorrect value according to our policy):
Even though the purpose value is test (not production), the label operation succeeds because Kyverno allows updates to existing violations by default.
The image shows a terminal output involving Kubernetes commands related to creating namespaces and applying specific labels with policies enforced by Kyverno. An error occurs when trying to create a namespace without the required "purpose" label set to "production."
By default allowExistingViolations: true allows updates to resources that were non-compliant before the policy was added. This prevents sudden disruptions to an existing cluster.

If you want Kyverno to re-evaluate and block updates to already-violating resources, set allowExistingViolations: false in the policy spec and re-apply it. For example:
Apply the updated policy:
Now attempt to modify the already-violating namespace:
The update will be rejected because Kyverno now enforces validation even on existing, non-compliant resources:
To make updates succeed you must fix the resource to be compliant (for example, set the correct purpose value). Overwrite the existing label:

Audit mode: if you change failureAction from Enforce to Audit, Kyverno will not block create or update operations. Instead it records violations in ClusterPolicyReport resources (useful for monitoring and auditing). Policy example set to Audit:
Apply the updated policy:
Create a non-compliant namespace:
Since the policy is in audit mode the namespace creation succeeds. Kyverno records the violation in a ClusterPolicyReport (CPR). List CPRs:
View the report details (truncated for brevity):
Sample relevant parts of a CPR:
These reports are useful to security and compliance teams because they allow monitoring policy compliance across the cluster without preventing operations.
emitWarning: immediate user feedback without blocking If you want users to receive a warning message in their terminal when an operation violates an audit-rule, add emitWarning: true at the policy spec level. Example:
Apply and try creating another non-compliant namespace:
The creation succeeds (audit mode), but the user receives an immediate warning in the terminal. This is a helpful compromise: operations are not blocked, but users get prompt feedback and can fix violations quickly.
Summary
  • failureAction: Enforce — blocks creation/updates of non-compliant resources.
  • allowExistingViolations (default true) — if true, updates to already-violating resources are allowed; set to false to enforce on updates as well.
  • failureAction: Audit — allows the resource but records violations in ClusterPolicyReport objects.
  • emitWarning: true — with audit mode, returns a warning to the user in the terminal while still allowing the operation.

Watch Video

Practice Lab