Policies and Rules

Learn how Kyverno policies and rules work.

A Kyverno policy is a collection of rules. Each rule consists of a match clause, an optional exclude clause, and one of a validate, mutate, or generate clause. A rule definition can contain only a single validate, mutate, or generate child node.

Kyverno Policy

Policies can be defined as cluster-wide resources (using the kind ClusterPolicy) or namespaced resources (using the kind Policy.) As expected, namespaced policies will only apply to resources within the namespace in which they are defined while cluster-wide policies are applied to matching resources across all namespaces. Otherwise, there is no difference between the two types.

Last modified July 20, 2021 at 10:16 AM PST: add arch and install diagrams and shorten headings (5f8f959)