# Kyverno

> Kubernetes admission controller policies

## Overview

Kyverno validates and mutates Kubernetes resource manifests at admission time. Policies are written in YAML, making them accessible without learning a separate policy language.

## Capabilities

* Validate, mutate, generate, and clean up K8s resources
* YAML-native policies
* Pattern-based matching with wildcards and anchors
* Image verification and signature checking

## Limitations

* Requires a Kubernetes cluster with Kyverno installed
* Only applicable to Kubernetes workloads. For application source code, see [Semgrep](/integrations/guardrails/semgrep) or [CodeQL](/integrations/guardrails/codeql); for IaC static analysis, see [Checkov](/integrations/guardrails/checkov)

## Generated Format

* **Language:** YAML
* **Structure:** Kyverno `ClusterPolicy` or `Policy` resources with `validate`/`mutate` rules
* **Execution:** Applied to a K8s cluster via `kubectl apply`

## Example Guardrail

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
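      validate:
        # Enforce rejects non-compliant Pods at admission instead of only reporting them
        failureAction: Enforce
        message: "Containers must run as non-root"
        # Every entry in spec.containers must explicitly set runAsNonRoot: true
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true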
```
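
The pattern above checks only `spec.containers`. As an added example (not generated by Zenable and not part of the original page), the same guardrail can be extended with Kyverno's `=( )` conditional anchors and `anyPattern` so that it also covers `initContainers` and `ephemeralContainers` and accepts a Pod-level setting. The policy and rule names are hypothetical.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot-all-containers   # hypothetical name
spec:
  rules:
    - name: run-as-non-root-all-containers      # hypothetical name
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        failureAction: Enforce
        message: "Containers, init containers and ephemeral containers must run as non-root"
        # The Pod is admitted if it satisfies at least one of the two patterns.
        anyPattern:
          # Option 1: runAsNonRoot is set at Pod level. A container may omit
          # the field, but if it sets it, the value must be true.
          - spec:
              securityContext:
                runAsNonRoot: true
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          # Option 2: no Pod-level setting. Every container of every type
          # that is present must set runAsNonRoot: true itself.
          - spec:
              =(ephemeralContainers):
                - securityContext:
                    runAsNonRoot: true
              =(initContainers):
                - securityContext:
                    runAsNonRoot: true
              containers:
                - securityContext:
                    runAsNonRoot: true
```

The `=(key)` anchor means "if this key is present, its value must match", so Pods without init or ephemeral containers are not rejected for lacking those lists.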

Learn more at [Kyverno documentation](https://kyverno.io/docs/) and [writing policies](https://kyverno.io/docs/writing-policies/).
