Selecting Resources
Use Match and Exclude to filter and select resources
Writing Policies
Create custom policy rules to validate, mutate, and generate configurations.
The following picture shows the structure of a Kyverno Policy:
Each Kyverno policy contains one or more rules. Each rule has a match clause, an optional exclude clause, and one of a mutate, validate, or generate clause.
Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single mutate, validate, or generate child node.
During admission control mutation rules are applied before validation.
Validating Resources
Check resource configurations for policy compliance
Mutating Resources
Update resources during admission controls
Generate Resources
Create additional resources based on resource creation, or label/metadata changes.
Using Variables
Use request data, ConfigMaps, and built-in variables in policy rules
Preconditions
Control policy rule execution based on variables.
Auto-Gen Rules for Pod Controllers
Automatically generate rules for pod controllers.
Background Scans
Manage aplying policies to existing resources in a cluster
Last modified October 14, 2020: update docs and resources (a1577a7)