> ## Documentation Index
> Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Section Introduction

> Teaching Kyverno validate rules to enforce Kubernetes policies, rejecting noncompliant resources using patterns, deny CEL expressions, podSecurity, foreach, and autogen for cluster enforcement.

In this lesson we move beyond filtering resources and focus on actively enforcing policies with Kyverno. Instead of just locating resources with `match`, `exclude`, and preconditions, you'll learn how to stop insecure or non-compliant objects from being admitted to your Kubernetes cluster.

We'll start with Kyverno's core validation primitive: the validate rule. Validate rules are used to reject resources that violate declarative patterns or conditional checks before those resources are persisted.

Alex, our platform engineer, already understands resource selection. Now he needs to enforce policies that:

* Block containers running as root.
* Require specific labels for tracking and billing.
* Prevent accidental creation of expensive `LoadBalancer` Services in development namespaces.

He can't just find these resources — he needs to stop them at the door. Validate rules enable exactly that behavior.

<Callout icon="lightbulb" color="#1CB2FE">
  The validate rule is Kyverno's primary mechanism for rejecting resources that don't meet policy. It supports declarative patterns, conditional denial, and expressive checks via CEL.
</Callout>

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Section-Introduction/alex-enforcement-policies-challenge.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=4dee25e9e10e81051b2e0ba95fa17309" alt="The image depicts a challenge where Alex needs to move from selecting resources to actively enforcing policies. It includes icons for Alex, enforcement, and policies." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Section-Introduction/alex-enforcement-policies-challenge.jpg" />
</Frame>

What you'll learn in this lesson

| Topic                                | Purpose                                                                 | When to use                                                                |
| ------------------------------------ | ----------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| Pattern-based validation (`pattern`) | Require labels, annotations, or specific field values                   | Enforce fixed structure or mandatory fields (e.g., require `app` label)    |
| Flexible matching (`anyPattern`)     | OR-style validation where one of several patterns is acceptable         | Allow multiple valid shapes (e.g., either `team` or `owner` label present) |
| Conditional denial (`deny` block)    | Use CEL expressions to reject resources when complex conditions are met | Complex or computed checks that can't be expressed as simple patterns      |
| Pod security (`podSecurity` subrule) | Enforce the Kubernetes Pod Security Standards (PSS)                     | Align with Kubernetes' official Pod Security admission guidance            |

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Section-Introduction/four-topics-learn-pattern-anypattern-deny-podsecurity.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=1015472a213185584da836f0d7d0c846" alt="The image outlines four topics to learn in a section: using 'pattern', using 'anyPattern', the 'deny' block, and the 'podSecurity' subrule, with brief descriptions of each." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Section-Introduction/four-topics-learn-pattern-anypattern-deny-podsecurity.jpg" />
</Frame>

Advanced validation capabilities you'll also explore

* CEL expressions inside validate rules for expressive logic and conditional checks.
* `foreach` loops to inspect collections, such as ensuring every container in a pod uses an approved image registry.
* Autogen rules so your pod-level validations are applied automatically to workload controllers (Deployments, StatefulSets, etc.).

<Frame>
  <img src="https://mintcdn.com/kodekloud-c4ac6d9a/rzUP76niRaOmk997/images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Section-Introduction/kubernetes-advanced-validation-automation.jpg?fit=max&auto=format&n=rzUP76niRaOmk997&q=85&s=dce554bc55ed5b9eb615e8f798ffc8ed" alt="The image outlines a learning section with three topics: the Common Expression Language subrule, 'foreach' loops, and autogen for Pod controllers, focusing on advanced validation logic and automation in Kubernetes." width="1920" height="1080" data-path="images/Prep-Course-Kyverno-Certified-Associate-KCA-Certification/Validate-Rules/Section-Introduction/kubernetes-advanced-validation-automation.jpg" />
</Frame>

<Callout icon="warning" color="#FF6B6B">
  Validate rules actively reject resources. Test policies first in non-production namespaces or with `policyreport`/`dry-run` modes to avoid accidental disruption.
</Callout>

By the end of this lesson you'll have a practical toolkit for writing robust Kyverno validation policies that enforce security and operational requirements across your cluster.

Links and references

* [Kyverno Documentation](https://kyverno.io/docs/)
* [Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)

<CardGroup>
  <Card title="Watch Video" icon="video" cta="Learn more" href="https://learn.kodekloud.com/user/courses/kyverno-certified-associate/module/f5dd3064-bb37-41e2-8092-362f4cd56c57/lesson/1bf911d6-b4b3-4ebf-b492-73da503e45ce" />
</CardGroup>
