Overview

Kyverno validates and mutates Kubernetes resource manifests at admission time. Policies are written in YAML, making them accessible without learning a separate policy language.

Capabilities

  • Validate, mutate, generate, and clean up K8s resources
  • YAML-native policies
  • Pattern-based matching with wildcards and anchors
  • Image verification and signature checking

Limitations

  • Requires a Kubernetes cluster with Kyverno installed
  • Only applicable to Kubernetes workloads — check out Semgrep or CodeQL for application source code, or Checkov for IaC static analysis

Generated Format

  • Language: YAML
  • Structure: Kyverno ClusterPolicy or Policy resources with validate/mutate rules
  • Execution: Applied to a K8s cluster via kubectl apply

Example Guardrail

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        failureAction: Enforce
        message: "Containers must run as non-root"
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
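
The pattern above inspects only `spec.containers`, so init and ephemeral containers are not checked, and a Pod that sets `runAsNonRoot: true` only at pod level is rejected. The variant below is an added example, not part of the original page or of the tool's generated output: it uses Kyverno's `anyPattern` and `=()` conditional anchors to cover all three container lists and to accept the pod-level setting; the policy name is an assumption chosen for illustration.

```yaml
# Added example: constructed policy name; rule layout follows the guardrail above.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot-all-containers  # hypothetical name
spec:
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        failureAction: Enforce
        message: "All containers, including init and ephemeral, must run as non-root"
        anyPattern:
          # Option 1: runAsNonRoot is set at pod level; a container that
          # sets its own value must not override it to false.
          - spec:
              securityContext:
                runAsNonRoot: true
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          # Option 2: whatever the pod-level setting, every container in
          # each list that is present sets runAsNonRoot: true itself.
          - spec:
              =(ephemeralContainers):
                - securityContext:
                    runAsNonRoot: true
              =(initContainers):
                - securityContext:
                    runAsNonRoot: true
              containers:
                - securityContext:
                    runAsNonRoot: true
```

Setting `failureAction: Audit` first reports which existing workloads would be rejected before the rule starts blocking admissions.
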

Learn more in the Kyverno documentation and the guide to writing policies.