Policy Validations

After v1.3.0, Kyverno policies are validated through OpenAPISchema. In addition, Kyverno performs the following custom policy validation checks upon policy update (in webhook):

rule names are unique across a policy
allowed variables declaration with JMESPath
- JMESPath has to be wrapped in {{ }}
- JMESPath has to start with request., otherwise it can only be specified with pre-defined variables: serviceAccountName, serviceAccountNamespace
only variables referring to request.object are allowed in background mode
only one type of rule is allowed per rule, i.e., both mutate and validate can not be defined within a single rule
roles in match / exclude has to have namespace: <namespace:rolename>
namespace policies are only applied to namespaced resources, in other words, a cluster-wide resource cannot be selected by a namespace policy
the resultant of match and exclude block cannot be an empty set
mutate rule
- supported anchors in mutation rules: (), +()
validate rule
- supported anchors in validation rules: (), ^(), =(), X()
- only one of operations pattern, anyPattern, deny is allowed per rule
generate rule
- only data or clone is allowed per rule
- Kyverno has to have permissions to operate (create/update/get/delete) generated resource

THIS WIKI IS NO LONGER MAINTAINED

For developer guides please see the DEVELOPMENT.md file.

For user guides please see https://kyverno.io/docs/.

THIS WIKI IS NO LONGER MAINTAINED

For developer guides please see the DEVELOPMENT.md file.

For user guides please see https://kyverno.io/docs/.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Policy Validations

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally