Kyverno – Installation, Policies, Testing, Reporting, Monitoring, Security


In this article we will learn about Kyverno, a policy engine for Kubernetes. It is used to create, test and apply policies, and it also provides mechanisms for reporting, monitoring and security. There is a Kyverno CLI for running policy commands from the terminal.

Installation

1. Using the latest release (may be unstable)

kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/install.yaml

2. Using Helm

# Add the Helm repository
helm repo add kyverno https://kyverno.github.io/kyverno/

# Scan your Helm repositories to fetch the latest available charts.
helm repo update

# Install the Kyverno Helm chart into a new namespace called "kyverno"
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

Make sure that you use the Kyverno version that matches your Kubernetes version. Use this compatibility matrix.

Creating a Policy

A policy is a collection of rules; each rule matches a set of resources and validates a condition on them.

Let’s create a policy with a validation rule requiring that every Pod carries the label iamunderpolicy.

We will block all API requests which do not comply with it using the validationFailureAction attribute. It can be set to one of two values –

  • enforce – blocks the invalid request at admission time.
  • audit – lets the request through but reports the violation in a policy report.

kubectl create -f- << EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "label 'iamunderpolicy' is required"
      pattern:
        metadata:
          labels:
            iamunderpolicy: "?*"
EOF

The wildcard ?* matches any non-empty value, so the rule only requires the label to be present with some value; it does not care which.

What happens if we deploy without satisfying the policy?

Let’s deploy an image without the label iamunderpolicy –

kubectl create deployment nginx --image=nginx

This will raise the following error. Note that although the rule matches Pods, Kyverno auto-generates a matching rule (autogen-check-for-labels) for the Pod template of the Deployment, so the request is denied –

error: failed to create deployment: admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Deployment/default/nginx was blocked due to the following policies

require-labels:
  autogen-check-for-labels: 'validation error: label ''iamunderpolicy'' is
    required. Rule autogen-check-for-labels failed at path /spec/template/metadata/labels/iamunderpolicy/'

Now let’s create a Pod with the label –

kubectl run nginx --image nginx --labels iamunderpolicy=nginx

This will run without any issues.

Deleting Policies

For deleting all cluster policies, use this command –

kubectl delete cpol --all

Applying Policies

A policy can be applied with the apply command. It is used to check a policy’s effectiveness by performing a dry run over some resources without changing the cluster. Once the results are satisfactory, we can deploy the policy in the cluster.

1. Applying policy to a single resource –

kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml

2. Applying to all matching resources –

kyverno apply /path/to/policy.yaml --cluster

3. Multiple policies applied to multiple resources –

kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster

Testing Policies

To test policies, use the test command of the Kyverno CLI. This command runs the tests found in a local folder or in a Git repository.

1. Testing on a local file

kyverno test .

2. Testing on a directory

kyverno test /path/to/folderContainingTestYamls

3. Testing on a GIT repository

kyverno test https://github.com/kyverno/policies/release-1.6

4. Testing on a GIT branch

kyverno test https://github.com/kyverno/policies/pod-security/restricted -b branch_name
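The following is an added example (not from the original post) of what the test command consumes: a Kyverno CLI test file for the require-labels policy shown above, plus the sample resources it references. It assumes the policy has been saved as require-labels.yaml in the same folder, uses the 1.6-style test file format, and the file name kyverno-test.yaml is the CLI’s default.

```yaml
# kyverno-test.yaml (constructed example; 1.6-style Kyverno CLI test file)
name: require-labels-test
policies:
  - require-labels.yaml      # the ClusterPolicy from this article, saved to a file
resources:
  - resources.yaml           # the two sample Pods defined below
results:
  # A Pod carrying the label with any non-empty value must pass (?* wildcard).
  - policy: require-labels
    rule: check-for-labels
    resource: nginx-labeled
    kind: Pod
    result: pass
  # A Pod without the label must be reported as a failure.
  - policy: require-labels
    rule: check-for-labels
    resource: nginx-unlabeled
    kind: Pod
    result: fail
---
# resources.yaml (constructed sample input; a separate file, shown here for completeness)
apiVersion: v1
kind: Pod
metadata:
  name: nginx-labeled
  labels:
    iamunderpolicy: nginx
spec:
  containers:
  - name: nginx
    image: nginx
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-unlabeled
spec:
  containers:
  - name: nginx
    image: nginx
```

Running kyverno test . in that folder checks both expectations; if the policy were loosened so the unlabeled Pod passed, the second result would be reported as a test failure.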

Reporting

Reporting provides information about the outcome of validations. Results are available per namespace (PolicyReport) or cluster-wide (ClusterPolicyReport). Each entry in a policy report contains a result field which can be one of pass, skip, warn, error, or fail.

To view summary of policy reports, run this command –

kubectl get policyreport -A
# or
kubectl get polr -A

The result will be –

NAMESPACE     NAME                  PASS   FAIL   WARN   ERROR   SKIP   AGE
default       polr-ns-default       338    2      0      0       0      28h
flux-system   polr-ns-flux-system   135    5      0      0       0      28h

To view cluster-wide reports –

kubectl get clusterpolicyreport

Monitoring

Monitoring is beneficial because it lets you visualize and alert on the results of applied policies. Kyverno exposes metrics that can be scraped by Prometheus.

Security

You should always keep your Kyverno installation secure and monitor it regularly. Verify that the Kyverno image is properly signed using cosign before deploying it.

Kyverno CLI

Use the Kyverno CLI to run commands for testing and applying policies.

Installing Kyverno CLI

1. Via Krew

# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno

# test the Kyverno CLI
kubectl kyverno version

2. Via AUR

yay -S kyverno-git

3. Via Homebrew

brew install kyverno

4. From Source

git clone https://github.com/kyverno/kyverno
cd kyverno
make cli
mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno

Various CLI commands are –

  • apply
  • test
  • jp
  • version

Conclusion

Kyverno is a powerful tool for creating and testing policies in Kubernetes. In this article we saw how to quickly get started with Kyverno using a sample policy. You can learn more about it in the official documentation.