> ## Documentation Index
> Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Failure Action Overrides

> Explains Kyverno's failureActionOverrides for ClusterPolicies, allowing namespace specific enforcement or audit of validation rules to avoid duplicating policies.

Kyverno policies operate in two primary modes: `Audit` and `Enforce`. In many clusters you’ll want a single ClusterPolicy to behave differently depending on the target namespace—for example, strict enforcement in production but only auditing elsewhere. The `failureActionOverrides` field enables exactly that by letting you override a rule’s default `failureAction` for specific namespaces.

<Callout icon="lightbulb" color="#1CB2FE">
  Use `failureActionOverrides` to keep one ClusterPolicy that adapts per-namespace behavior instead of duplicating policies. This reduces policy sprawl and makes intent clearer.
</Callout>

What is `failureActionOverrides`?

* It’s an optional block you add inside a rule’s `validate` section.
* It creates namespace-specific exceptions to the rule’s default `failureAction`.
* It is only supported for `ClusterPolicy` objects because those policies span multiple namespaces.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Failure-Action-Overrides/failureactionoverrides-exceptions-clusterpolicies.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=a0fbaafdf138bec349959d4e5c6734bb" alt="The image is a slide introducing &#x22;failureActionOverrides,&#x22; explaining that it allows creating exceptions for &#x22;failureAction&#x22; in specific namespaces, available for &#x22;ClusterPolicies.&#x22;" width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Failure-Action-Overrides/failureactionoverrides-exceptions-clusterpolicies.jpg" />
</Frame>

How it works

* Define a default `failureAction` for the rule (commonly `Audit` or `Enforce`).
* Use `failureActionOverrides` to list namespaces and the alternate `action` to apply there.
* Kyverno evaluates the rule and, if the resource’s namespace matches an override entry, applies the override action instead of the default.

Example: require an `app` label, audit by default, but enforce in `production`:

```yaml theme={null}
rules:
  - name: check-label-app
    match:
      any:
        - resources:
            kinds:
              - Pod
    validate:
      failureAction: Audit
      failureActionOverrides:
        - action: Enforce   # Action to apply for these namespaces
          namespaces:       # List of affected namespaces
            - "production"
      message: "The label `app` is required."
      pattern:
        metadata:
          labels:
            app: "?*"
```

Behavior examples

* Production namespace: When a Pod is created in `production`, Kyverno finds the matching `failureActionOverrides` entry. The effective action becomes `Enforce`. If the Pod lacks the `app` label, admission is blocked and the request fails.

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Failure-Action-Overrides/pod-creation-behavior-production-namespace.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=c4d69ec983661d6162962ad4715cdf30" alt="The image explains the behavior of a pod creation in a 'production' namespace, emphasizing that requests are blocked if the label is missing, given the 'failureAction' is set to 'Enforce'." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Failure-Action-Overrides/pod-creation-behavior-production-namespace.jpg" />
</Frame>

* Non-overridden namespaces (e.g., `development`): Kyverno applies the rule’s default `failureAction` (`Audit` in the example). A missing `app` label is recorded as a violation but the Pod is admitted.

Quick summary

|                   Namespace type | Effective action | Result when `app` label is missing   |
| -------------------------------: | ---------------- | ------------------------------------ |
|      `production` (in overrides) | `Enforce`        | Admission is blocked                 |
| `development` (not in overrides) | `Audit`          | Violation is logged, request allowed |

Deprecated top-level syntax
You may encounter an older, deprecated pattern where validation failure action overrides were defined at the policy `spec` level. Avoid this in new ClusterPolicies:

```yaml theme={null}
spec:
  validationFailureActionOverrides:   # <-- deprecated at top level
    namespaces:
      - production
    action: Enforce
  rules:
    ...
```

<Callout icon="warning" color="#FF6B6B">
  The top-level `validationFailureActionOverrides` is deprecated. Prefer placing `failureActionOverrides` inside each rule for finer-grained control and clearer intent.
</Callout>

Best practices

* Prefer rule-scoped `failureActionOverrides` for precise, readable policies.
* Use `Audit` as the default for safer rollouts, and enable `Enforce` only where needed (e.g., `production`).
* Keep override lists minimal and documented so reviewers can quickly understand exceptions.

References

* Kyverno policies and validation: [https://kyverno.io/docs/writing-policies/validate/](https://kyverno.io/docs/writing-policies/validate/)
* Kubernetes admission control concepts: [https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)

That's it for this lesson.

<CardGroup>
  <Card title="Watch Video" icon="video" cta="Learn more" href="https://learn.kodekloud.com/user/courses/kyverno-certified-associate/module/f5dd3064-bb37-41e2-8092-362f4cd56c57/lesson/8be9924f-5d88-4597-a2f0-51138214d91d" />
</CardGroup>
