Agent skill
runtime-deployment-admission-control-with-kyverno
Deploy Kyverno admission control as final safety net before production. Install admission webhooks, policy reporters, and continuous compliance background scans.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/enforce/skills/runtime-deployment-admission-control-with-kyverno
SKILL.md
Runtime Deployment: Admission Control with Kyverno
When to Use This Skill
Runtime admission control enforces policies at the cluster level using Kyverno admission webhooks:
graph TD
K[kubectl apply] --> API[Kubernetes API Server]
API --> ADM[Admission Controller]
ADM --> KYV[Kyverno Webhook]
KYV --> POL{Policy Check}
POL -->|Pass| ETCD[(etcd)]
POL -->|Fail| REJECT[Reject Request]
%% Ghostty Hardcore Theme
style ETCD fill:#a7e22e,color:#1b1d1e
style REJECT fill:#f92572,color:#1b1d1e
Runtime is the Final Safety Net
Local dev and CI checks can be bypassed. Runtime admission control is the last line of defense. If it fails, non-compliant resources never reach production.
Implementation
Kyverno Deployment
Deploy Kyverno using Helm:
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno \
--namespace kyverno \
--create-namespace \
--values kyverno-values.yaml
kyverno-values.yaml:
See examples.md for detailed code examples.
Background Scan Interval
Set
backgroundScanIntervalto 6h for most clusters. Reduce to 1h for high-compliance environments. Increase to 12h for large clusters (1000+ nodes).
Policy Reporter Deployment
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
helm install policy-reporter policy-reporter/policy-reporter \
--namespace policy-reporter \
--create-namespace \
--values policy-reporter-values.yaml
policy-reporter-values.yaml:
See examples.md for detailed code examples.
Policy Reporter UI
Access the dashboard with
kubectl port-forward -n policy-reporter svc/policy-reporter-ui 8080:8080. Navigate to http://localhost:8080.
Examples
See examples.md for code examples.
Full Reference
See reference.md for complete documentation.
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?