Writing Policies

Create custom policy rules to validate, mutate, and generate configurations.

The following picture shows the structure of a Kyverno Policy:


Each Kyverno policy contains one or more rules. Each rule has a match clause that selects resources, an optional exclude clause that removes some of the matched resources from scope, and exactly one of a mutate, validate, or generate clause; a rule definition cannot contain more than one of these three child nodes.

During admission control, mutation rules are applied before validation rules, so a validate rule checks the resource as it looks after any mutate rules have patched it.
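The structure described above, as an added example that is not taken from the Kyverno documentation or the project's own sample policies: a single ClusterPolicy with one mutate rule and one validate rule, each with its own match and exclude clause. The policy name, the `team` label key and the excluded `kube-system` namespace are illustrative choices; the `match.any` form assumes Kyverno 1.6 or later.

```yaml
# Added example (not from the Kyverno docs page): one ClusterPolicy with
# a mutate rule and a validate rule, showing match / exclude / one action per rule.
# Policy name, label key and excluded namespace are illustrative choices.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-baseline
spec:
  # Enforce blocks non-compliant requests; Audit would only report them.
  validationFailureAction: Enforce
  rules:
    # Rule 1: mutate. During admission this runs before the validate rule below.
    - name: disable-sa-token-automount
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      mutate:
        patchStrategicMerge:
          spec:
            # +( ) anchor: add the field only if the request did not set it.
            +(automountServiceAccountToken): false
    # Rule 2: validate. Runs after mutation, against the mutated object.
    - name: require-team-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      validate:
        message: "A `team` label is required on every Pod."
        pattern:
          metadata:
            labels:
              # "?*" means: present with at least one character.
              team: "?*"
```

Two things to check before relying on a policy like this: Kyverno rejects a rule that carries more than one of mutate, validate or generate, so two actions on the same resources must be two rules as shown; and `validationFailureAction: Audit` (the default) only reports violations, so a security control that is meant to block requests needs `Enforce` explicitly.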

Selecting Resources

Use Match and Exclude to filter and select resources

Validating Resources

Check resource configurations for policy compliance

Mutating Resources

Update resources during admission control

Generate Resources

Create additional resources based on resource creation, or label/metadata changes.

Using Variables

Use request data, ConfigMaps, and built-in variables in policy rules


Preconditions

Control policy rule execution based on variables.
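Variables and preconditions together, as an added example that is not from the Kyverno documentation: the precondition reads the `request.operation` variable so the rule only runs on CREATE, and the mutate step records the requesting identity from `request.userInfo.username`. The policy name and the `created-by` annotation key are illustrative; the `preconditions.all` form assumes Kyverno 1.3 or later.

```yaml
# Added example (not from the Kyverno docs page): a precondition gates the
# rule on request data, and the mutate step records the requesting user.
# Policy name and annotation key are illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: record-creator
spec:
  # request.* variables only exist during admission, so this rule cannot
  # run in background scans; Kyverno rejects the policy if background is true.
  background: false
  rules:
    - name: annotate-creator
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Only run on CREATE; skip UPDATE and DELETE so the rule is not re-applied.
      preconditions:
        all:
          - key: "{{request.operation}}"
            operator: Equals
            value: CREATE
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # No +( ) anchor here on purpose: always overwrite, so a requester
              # cannot pre-fill the annotation with a different identity.
              created-by: "{{request.userInfo.username}}"
```

Two caveats a practitioner should keep in mind: for Pods created by a controller such as a Deployment, `request.userInfo.username` is the controller's service account, not the person who applied the Deployment, so match the controller kind instead if that is the identity you want; and because the rule skips UPDATE, nothing here stops a later update from changing the annotation, which would need a separate validate rule that denies changes to it.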

Auto-Gen Rules for Pod Controllers

Automatically generate rules for pod controllers.

Background Scans

Manage applying policies to existing resources in a cluster

