Audit and Enforce. In many clusters you’ll want a single ClusterPolicy to behave differently depending on the target namespace—for example, strict enforcement in production but only auditing elsewhere. The failureActionOverrides field enables exactly that by letting you override a rule’s default failureAction for specific namespaces.
Use
failureActionOverrides to keep one ClusterPolicy that adapts per-namespace behavior instead of duplicating policies. This reduces policy sprawl and makes intent clearer.failureActionOverrides?
- It’s an optional block you add inside a rule’s
validatesection. - It creates namespace-specific exceptions to the rule’s default
failureAction. - It is only supported for
ClusterPolicyobjects because those policies span multiple namespaces.

- Define a default
failureActionfor the rule (commonlyAuditorEnforce). - Use
failureActionOverridesto list namespaces and the alternateactionto apply there. - Kyverno evaluates the rule and, if the resource’s namespace matches an override entry, applies the override action instead of the default.
app label, audit by default, but enforce in production:
- Production namespace: When a Pod is created in
production, Kyverno finds the matchingfailureActionOverridesentry. The effective action becomesEnforce. If the Pod lacks theapplabel, admission is blocked and the request fails.

- Non-overridden namespaces (e.g.,
development): Kyverno applies the rule’s defaultfailureAction(Auditin the example). A missingapplabel is recorded as a violation but the Pod is admitted.
Deprecated top-level syntax
You may encounter an older, deprecated pattern where validation failure action overrides were defined at the policy
spec level. Avoid this in new ClusterPolicies:
The top-level
validationFailureActionOverrides is deprecated. Prefer placing failureActionOverrides inside each rule for finer-grained control and clearer intent.- Prefer rule-scoped
failureActionOverridesfor precise, readable policies. - Use
Auditas the default for safer rollouts, and enableEnforceonly where needed (e.g.,production). - Keep override lists minimal and documented so reviewers can quickly understand exceptions.
- Kyverno policies and validation: https://kyverno.io/docs/writing-policies/validate/
- Kubernetes admission control concepts: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/