match, exclude, and preconditions, you’ll learn how to stop insecure or non-compliant objects from being admitted to your Kubernetes cluster.
We’ll start with Kyverno’s core validation primitive: the validate rule. Validate rules are used to reject resources that violate declarative patterns or conditional checks before those resources are persisted.
Alex, our platform engineer, already understands resource selection. Now he needs to enforce policies that:
- Block containers running as root.
- Require specific labels for tracking and billing.
- Prevent accidental creation of expensive
LoadBalancerServices in development namespaces.
The validate rule is Kyverno’s primary mechanism for rejecting resources that don’t meet policy. It supports declarative patterns, conditional denial, and expressive checks via CEL.


- CEL expressions inside validate rules for expressive logic and conditional checks.
foreachloops to inspect collections, such as ensuring every container in a pod uses an approved image registry.- Autogen rules so your pod-level validations are applied automatically to workload controllers (Deployments, StatefulSets, etc.).

Validate rules actively reject resources. Test policies first in non-production namespaces or with
policyreport/dry-run modes to avoid accidental disruption.