- Ensure every Pod includes at least one container using the
nginximage (presence within a list). - Forbid use of
hostPathvolumes entirely (absolute negation). - Enforce that images pulled from the corporate registry require a specific
imagePullSecret, but skip the rule for public images (rule-level gating).
This guide focuses on Kyverno anchors: existence (
^), negation (X), and global (<()), showing how each solves a specific policy requirement. Use the examples as starting points and adapt patterns to your organization’s naming and image conventions.Quick anchor summary
For full reference, see the Kyverno docs: Kyverno Policy Patterns.
1) Existence anchor: ensure at least one container uses nginx
Alex wants to guarantee that each Pod contains at least one container using thenginx image, but he does not want to force all containers to use it.
Use the existence anchor (^) to treat the containers list as a set and require at least one element to match the following pattern.
Example pattern (snippet used inside a validate rule’s pattern):
- Kyverno iterates the
containersarray and passes validation as soon as it finds one container whoseimageequalsnginx:latest. - Other containers may use any image; they are not required to match.
- This pattern uses a wildcard for
name, but it still enforces that each array item (every container) must matchimage: nginx:latest. - If any container uses a different image (e.g., a Python app), the Pod will fail validation.
2) Negation anchor: forbid hostPath volumes
To outright banhostPath volumes (a critical security rule), use the negation anchor X. This anchor fails the validation when the named key exists in the object being checked.
Example pattern that iterates all volumes and forbids hostPath:
- The
X(hostPath): "null"line means: if thehostPathkey exists on any volume, fail. - The anchor does not evaluate the value of
hostPath(e.g.,/data); it only checks the presence of the key. - This produces a deterministic deny:
hostPathcannot be used at all.
Forbidding
hostPath is a common hardening practice. Make sure you coordinate with app owners because legitimate workloads that require node-local access might need alternate approaches (e.g., CSI drivers).3) Global anchor: gate the rule itself for corporate registry images
Alex wants a rule that applies only when a Pod pulls images from the corporate registry (corp.reg.com). If the Pod uses public images (Docker Hub, etc.), the rule should be skipped.
Use the global anchor <(...) to create a gate — evaluate the rest of the pattern only when the condition is true.
Pattern example:
- Kyverno first evaluates the condition in the global anchor: does the container
imagematchcorp.reg.com/*? - If the condition is false (e.g.,
redis:latestfrom Docker Hub), Kyverno skips this pattern for that container — no failure. - If the condition is true, Kyverno enforces the rest of the pattern — in this case, the Pod must include
imagePullSecretswithname: my-registry-secret.
Example: a Pod that will be rejected
Trace a failing request to see the global anchor in action: Example Pod that will be blocked:- Step 1: The global anchor matches because the container image is from
corp.reg.com. - Step 2: The gate opens and Kyverno checks for
imagePullSecretswithname: my-registry-secret. - The Pod only has
other-secret, so the pattern fails and Kyverno rejects the Pod with the configured message.
Putting it all together
Use the right anchor for each scenario:- Existence anchor (
^) — presence in arrays without overconstraining: ensure at least onenginxcontainer. - Negation anchor (
X) — absolute denial for sensitive keys: forbidhostPath. - Global anchor (
<()) — gate the rule so it only applies when a condition is met: require animagePullSecretfor corporate-registry images.
ClusterPolicy or Policy validate rule. Test policies in a staging cluster and iterate with clear message fields so developers get actionable feedback.
Links and references
- Kyverno documentation — policies and patterns: https://kyverno.io/docs/
- Kubernetes Pod spec: https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/