Expert guidance for Kyverno, the Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies (no Rego required). Helps developers enforce security policies, automate resource defaults, and ensure compliance across Kubernetes clusters.
```shell
git clone https://github.com/TerminalSkills/skills
```

One-liner that installs only this skill into `~/.claude/skills`:

```shell
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/kyverno" ~/.claude/skills/terminalskills-skills-kyverno && rm -rf "$T"
```
skills/kyverno/SKILL.md

Kyverno — Kubernetes Native Policy Engine
Overview
Kyverno is a Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies (no Rego required). It runs as an admission webhook (plus a background scanner for existing resources) and helps developers enforce security policies, automate resource defaults, and ensure compliance across Kubernetes clusters.
Instructions
Validation Policies
```yaml
# Require resource limits on all containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
  annotations:
    policies.kyverno.io/title: Require Resource Limits
    policies.kyverno.io/severity: medium
spec:
  validationFailureAction: Enforce   # Block non-compliant resources (Audit only reports them)
  background: true                   # Also report existing Pods that violate the rule
  rules:
    - name: check-resource-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "All containers must have CPU and memory limits set."
        # A pattern list element is checked against every container in the Pod.
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"   # "?*" = any non-empty value
                    cpu: "?*"
---
# Disallow privileged containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-privileged
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Privileged containers are not allowed."
        # =() is a conditional anchor: the nested check applies only when the key is
        # present. Without it, a Pod that omits securityContext (which defaults to
        # unprivileged) would be rejected for lacking the key. initContainers and
        # ephemeralContainers are covered too, otherwise a privileged init container
        # would slip through.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# Disallow latest tag
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
    # An image with no tag at all is pulled as :latest, so require a tag first.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "An image tag is required; an untagged image resolves to 'latest'."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: no-latest
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Using 'latest' tag is not allowed. Pin to a specific version."
        pattern:
          spec:
            containers:
              - image: "!*:latest"   # "!" negates the glob
---
# Require labels
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-labels
      match:
        any:
          - resources:
              kinds: ["Deployment", "StatefulSet"]
      validate:
        message: "Resources must have 'team' and 'app' labels."
        pattern:
          metadata:
            labels:
              team: "?*"
              app: "?*"
```
Mutation Policies
```yaml
# Auto-add security defaults to all pods
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-security-defaults
spec:
  rules:
    - name: add-run-as-nonroot
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        # Kyverno's autogen also applies Pod mutations to the pod template of
        # Deployments, StatefulSets, DaemonSets, Jobs and CronJobs.
        patchStrategicMerge:
          spec:
            # Plain keys overwrite whatever the manifest set; use the +() anchor
            # (see add-default-resources below) when a value should only fill a gap.
            securityContext:
              runAsNonRoot: true        # An image whose default user is root will then fail to start; fix the image or grant an exception
              seccompProfile:
                type: RuntimeDefault
            containers:
              - (name): "*"             # (name) anchor: apply to every container, whatever its name
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop: ["ALL"]
---
# Auto-add resource defaults if not specified
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resources
spec:
  rules:
    - name: set-default-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                resources:
                  limits:
                    +(memory): "512Mi"   # + means only add if not set
                    +(cpu): "500m"
                  requests:
                    +(memory): "256Mi"
                    +(cpu): "100m"
---
# Auto-add image pull secrets
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pull-secret
spec:
  rules:
    - name: add-registry-secret
      match:
        any:
          - resources:
              kinds: ["Pod"]
      preconditions:
        all:
          # Only Pods that pull from one of these registries get the secret
          - key: "{{ request.object.spec.containers[].image }}"
            operator: AnyIn
            value: ["ghcr.io/*", "myregistry.com/*"]
      mutate:
        patchStrategicMerge:
          spec:
            # A Secret with this name must already exist in the Pod's namespace,
            # otherwise the image pull fails with ImagePullBackOff.
            imagePullSecrets:
              - name: registry-credentials
```
Generation Policies
```yaml
# Auto-create NetworkPolicy for every new namespace
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-default-networkpolicy
spec:
  # generateExisting: true   # Uncomment to also cover namespaces that existed before the policy (Kyverno 1.10+)
  rules:
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      # Kyverno's background controller needs RBAC to create the generated kind; check with
      # kubectl auth can-i create networkpolicies --as=system:serviceaccount:kyverno:kyverno-background-controller
      generate:
        synchronize: true   # Keep in sync if the policy changes; also re-creates the object if it is deleted
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{ request.object.metadata.name }}"
        data:
          spec:
            podSelector: {}   # Every pod in the namespace
            policyTypes:
              - Ingress       # No ingress rules listed, so all inbound traffic is denied until another NetworkPolicy allows it
---
# Auto-create ResourceQuota for namespaces
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-quota
spec:
  rules:
    - name: default-quota
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      exclude:
        any:
          - resources:
              namespaces: ["kube-system", "kyverno"]   # For Namespace objects Kyverno matches the namespace filter against the name
      generate:
        apiVersion: v1
        kind: ResourceQuota
        name: default-quota
        namespace: "{{ request.object.metadata.name }}"
        data:
          spec:
            hard:
              requests.cpu: "4"
              requests.memory: "8Gi"
              limits.cpu: "8"
              limits.memory: "16Gi"
              pods: "50"
```
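The add-pull-secret mutation in the previous section references a Secret named registry-credentials that must already exist in every namespace the mutated Pod lands in, and nothing on this page creates it. The generate rule below is an added example, not code from the page or from the Kyverno project; it uses Kyverno's `clone` form to copy a source Secret into each namespace. The source namespace (kyverno) and the excluded namespace names are assumptions.

```yaml
# Copy the registry pull secret into every namespace so that the
# add-pull-secret mutation references a Secret that actually exists.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-registry-credentials
spec:
  generateExisting: true   # Also populate namespaces that already exist (Kyverno 1.10+)
  rules:
    - name: clone-registry-credentials
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      exclude:
        any:
          - resources:
              # Do not copy credentials into system namespaces or into namespaces
              # that untrusted tenants administer (names are assumed; wildcards are allowed).
              namespaces: ["kube-system", "kube-public", "kyverno", "sandbox-*"]
      generate:
        apiVersion: v1
        kind: Secret
        name: registry-credentials
        namespace: "{{ request.object.metadata.name }}"
        synchronize: true   # Rotating the source Secret updates every copy; a deleted copy is re-created
        clone:
          namespace: kyverno          # Source Secret lives here (assumed)
          name: registry-credentials
```

Anyone who can read Secrets in a target namespace can read these credentials, so the source Secret should hold a pull-only robot token, and the exclusion list should cover every namespace shared with untrusted workloads. The background controller also needs RBAC to read the source Secret and to create Secrets in the target namespaces; `kubectl auth can-i create secrets -n <ns> --as=system:serviceaccount:kyverno:kyverno-background-controller` shows whether it does (the service account name follows the Helm release name used in the Installation section).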
Verify Image Signatures
```yaml
# Enforce cosign signature verification
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30   # Verification queries Rekor over the network; give the webhook headroom
  rules:
    - name: verify-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"   # Only images matching these references are verified
          attestors:
            - entries:
                - keyless:
                    # Identity in the Fulcio certificate: here any GitHub Actions workflow in any
                    # repository of the myorg organisation. Narrow this to one repository and
                    # workflow in production, because every repo in the org can sign under it.
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"   # Transparency log that must hold the signature entry
```
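The keyless rule above accepts a certificate whose subject matches `https://github.com/myorg/*`, so a signature produced by the workflow of any repository in the organisation, including a repository an attacker controls or a throw-away test repo, satisfies the policy. The policy below is an added example rather than the page's own; it pins the subject to one release workflow on tag refs, fails closed if the webhook cannot answer, and replaces the verified tag with its digest so the image cannot be swapped after admission. The repository name and workflow path are assumptions.

```yaml
# Hardened variant of verify-images: one signing identity, fail closed, digest pinning.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images-hardened
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  failurePolicy: Fail        # If Kyverno is unreachable, reject the Pod instead of admitting it unverified
  rules:
    - name: verify-release-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          required: true       # Every matching image must carry a signature that verifies
          mutateDigest: true   # Rewrite the image reference to its digest after verification
          verifyDigest: true   # Reject a reference that cannot be resolved to a digest
          attestors:
            - count: 1         # One entry in this attestor group must verify
              entries:
                - keyless:
                    # Only the release workflow of the api repository, run from a v* tag, may sign
                    # (repository and workflow path are assumed).
                    subject: "https://github.com/myorg/api/.github/workflows/release.yaml@refs/tags/v*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"
```

Keyless verification needs outbound access from the Kyverno admission controller to Rekor and to the Sigstore trust root, so an air-gapped cluster needs a mirror or a key-based attestor (`keys.publicKeys`) instead. Matching on Pod also covers Pods created by Deployments and other controllers through Kyverno's autogen.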
Installation
```shell
# Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

# Install policy library
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/...

# CLI (for testing policies locally)
brew install kyverno
kyverno apply policy.yaml --resource pod.yaml
```
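`kyverno apply` checks one resource interactively; `kyverno test` runs a declared set of policies against sample resources and asserts the expected outcome, which is what gives a policy change a CI gate before it reaches a cluster. The two files below are an added example, not part of the page, written for the require-resource-limits policy from the Validation Policies section. Save them as `kyverno-test.yaml` and `resources.yaml` next to a `policy.yaml` that holds that policy; the Pod names and images are constructed for the test.

```yaml
# kyverno-test.yaml (Kyverno CLI 1.11+ test format)
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: require-resource-limits
policies:
  - policy.yaml        # holds the require-resource-limits ClusterPolicy from the Validation Policies section
resources:
  - resources.yaml
results:
  - policy: require-resource-limits
    rule: check-resource-limits
    kind: Pod
    resources:
      - with-limits
    result: pass
  - policy: require-resource-limits
    rule: check-resource-limits
    kind: Pod
    resources:
      - without-limits       # second container lacks a memory limit
      - no-resources-block   # no resources stanza at all
    result: fail
---
# resources.yaml (constructed sample Pods; each Pod is its own YAML document)
apiVersion: v1
kind: Pod
metadata:
  name: with-limits
spec:
  containers:
    - name: api
      image: ghcr.io/myorg/api:1.4.2
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
---
apiVersion: v1
kind: Pod
metadata:
  name: without-limits
spec:
  containers:
    - name: api
      image: ghcr.io/myorg/api:1.4.2
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
    - name: sidecar
      image: ghcr.io/myorg/proxy:2.0.0
      resources:
        limits:
          cpu: "100m"        # memory limit missing: the pattern applies to every container, so the Pod fails
---
apiVersion: v1
kind: Pod
metadata:
  name: no-resources-block
spec:
  containers:
    - name: api
      image: ghcr.io/myorg/api:1.4.2
```

Run `kyverno test .` in that directory. Any result that differs from the declared `result:` makes the command exit non-zero, so the same command works as a pipeline step; adding a Pod that should pass but fails is also how you catch an over-broad pattern before it blocks real workloads.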
Examples
Example 1: Setting up Kyverno for a microservices project
User request:
I have a Node.js API and a React frontend running in Docker. Set up Kyverno for monitoring/deployment.
The agent creates the necessary configuration files based on patterns like the `require-resource-limits` validation policy above (`# Require resource limits on all containers`), sets them up alongside the existing Docker-based deployment, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.
Example 2: Troubleshooting mutation policies issues
User request:
Kyverno is showing errors in our mutation policies. Here are the logs: [error output]
The agent analyzes the error output, identifies the root cause by cross-referencing with common Kyverno issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.
Guidelines
- YAML, not Rego — Kyverno policies are pure YAML; lower barrier to entry than OPA/Gatekeeper for Kubernetes teams
- Audit before enforce — Start with `validationFailureAction: Audit` to see violations (reported as PolicyReports) without blocking; switch to `Enforce` once the reports are clean
- Mutate for defaults — Use mutation policies to inject security defaults; developers don't need to remember boilerplate
- Generate for consistency — Auto-create NetworkPolicies, ResourceQuotas, and RBAC for every namespace
- Image verification — Enforce cosign signature verification; prevent unsigned images from running in the cluster
- Policy library — Start with Kyverno's policy library (kyverno.io/policies); covers Pod Security Standards, best practices, and compliance
- Test with CLI — Use `kyverno apply` and `kyverno test` locally before deploying policies to the cluster
- Exceptions via PolicyException — Kyverno has no per-resource "exclude me" annotation; use a `PolicyException` resource scoped to specific policies, rules, and resources for legitimate exceptions instead of loosening the policy, and document the reason on it
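The exception mechanism named in the last guideline, as an added example that is not part of the original page: it exempts one rule of one policy for one named workload, so the restriction stays in force everywhere else. The monitoring namespace, the node-exporter name prefix, the annotation key and the justification text are assumptions.

```yaml
# Exempt a single workload from one rule instead of weakening the policy.
apiVersion: kyverno.io/v2      # use kyverno.io/v2beta1 on Kyverno 1.9 to 1.11
kind: PolicyException
metadata:
  name: node-exporter-privileged
  # Kyverno only honours exceptions from the namespace it is configured to read them
  # from (Helm value features.policyExceptions.namespace). Keep that namespace writable
  # by cluster admins only, otherwise tenants can grant themselves exceptions.
  namespace: kyverno
  annotations:
    # Custom key (assumed); record why the exception exists and who reviewed it.
    example.com/exception-reason: "node-exporter reads host /proc and needs privileged; reviewed by security, re-review quarterly"
spec:
  exceptions:
    - policyName: disallow-privileged   # the policy from the Validation Policies section
      ruleNames:
        - no-privileged                 # only this rule; other rules still apply
  match:
    any:
      - resources:
          kinds: ["Pod"]
          namespaces: ["monitoring"]    # assumed namespace
          names: ["node-exporter-*"]    # assumed Pod name prefix; wildcards are allowed
```

PolicyExceptions must be enabled in the Kyverno deployment (Helm value `features.policyExceptions.enabled`). The `match` block narrows what is exempt; leaving out `names` or `namespaces` would exempt every Pod, which is the mistake to avoid.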