Agent skill
kyverno-basics
Install Kyverno, create validation policies, and understand audit vs enforce modes for Kubernetes admission control.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/enforce/skills/kyverno-basics
SKILL.md
Kyverno Basics
When to Use This Skill
Kyverno runs as a dynamic admission controller in Kubernetes. It validates, mutates, and generates resources based on policies written in YAML.
Implementation
Install Kyverno using Helm:
See examples.md for detailed code examples.
Kyverno creates webhook configurations that intercept resource creation/updates before they reach etcd.
Comparison
Roll out policies in audit mode first:
spec:
validationFailureAction: Audit # Log violations, don't block
Check logs for violations:
kubectl get policyreport -A
NAMESPACE NAME PASS FAIL WARN ERROR SKIP
default polr-ns-default 12 3 0 0 0
production polr-ns-production 45 1 0 0 0
Fix violations. Then switch to Enforce:
spec:
validationFailureAction: Enforce # Block violations
Gradual Rollout Strategy
- Deploy policy in
Auditmode - Monitor PolicyReports for 1 week
- Remediate failures
- Switch to
Enforcemode - Handle exceptions with exclusions
Don't deploy straight to Enforce. Discover violations first.
Examples
See examples.md for code examples.
Related Patterns
- Policy Patterns
- Testing and Exceptions
- CI/CD Integration
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?