> kyverno
Expert guidance for Kyverno, the Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies (no Rego required). Helps developers enforce security policies, automate resource defaults, and ensure compliance across Kubernetes clusters.
curl "https://skillshub.wtf/TerminalSkills/skills/kyverno?format=md"Kyverno — Kubernetes Native Policy Engine
Overview
Kyverno, the Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies (no Rego required). Helps developers enforce security policies, automate resource defaults, and ensure compliance across Kubernetes clusters.
Instructions
Validation Policies
# Require resource limits on all containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-resource-limits
annotations:
policies.kyverno.io/title: Require Resource Limits
policies.kyverno.io/severity: medium
spec:
validationFailureAction: Enforce # Block non-compliant resources
background: true
rules:
- name: check-resource-limits
match:
any:
- resources:
kinds: ["Pod"]
validate:
message: "All containers must have CPU and memory limits set."
pattern:
spec:
containers:
- resources:
limits:
memory: "?*"
cpu: "?*"
---
# Disallow privileged containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged
spec:
validationFailureAction: Enforce
rules:
- name: no-privileged
match:
any:
- resources:
kinds: ["Pod"]
validate:
message: "Privileged containers are not allowed."
pattern:
spec:
containers:
- securityContext:
privileged: "!true"
---
# Disallow latest tag
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Enforce
rules:
- name: no-latest
match:
any:
- resources:
kinds: ["Pod"]
validate:
message: "Using 'latest' tag is not allowed. Pin to a specific version."
pattern:
spec:
containers:
- image: "!*:latest"
---
# Require labels
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-labels
spec:
validationFailureAction: Enforce
rules:
- name: check-labels
match:
any:
- resources:
kinds: ["Deployment", "StatefulSet"]
validate:
message: "Resources must have 'team' and 'app' labels."
pattern:
metadata:
labels:
team: "?*"
app: "?*"
Mutation Policies
# Auto-add security defaults to all pods
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-security-defaults
spec:
rules:
- name: add-run-as-nonroot
match:
any:
- resources:
kinds: ["Pod"]
mutate:
patchStrategicMerge:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- (name): "*"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
---
# Auto-add resource defaults if not specified
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-default-resources
spec:
rules:
- name: set-default-limits
match:
any:
- resources:
kinds: ["Pod"]
mutate:
patchStrategicMerge:
spec:
containers:
- (name): "*"
resources:
limits:
+(memory): "512Mi" # + means only add if not set
+(cpu): "500m"
requests:
+(memory): "256Mi"
+(cpu): "100m"
---
# Auto-add image pull secrets
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-pull-secret
spec:
rules:
- name: add-registry-secret
match:
any:
- resources:
kinds: ["Pod"]
preconditions:
all:
- key: "{{ request.object.spec.containers[].image }}"
operator: AnyIn
value: ["ghcr.io/*", "myregistry.com/*"]
mutate:
patchStrategicMerge:
spec:
imagePullSecrets:
- name: registry-credentials
Generation Policies
# Auto-create NetworkPolicy for every new namespace
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-default-networkpolicy
spec:
rules:
- name: default-deny-ingress
match:
any:
- resources:
kinds: ["Namespace"]
generate:
synchronize: true # Keep in sync if policy changes
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-deny
namespace: "{{ request.object.metadata.name }}"
data:
spec:
podSelector: {}
policyTypes:
- Ingress
---
# Auto-create ResourceQuota for namespaces
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-quota
spec:
rules:
- name: default-quota
match:
any:
- resources:
kinds: ["Namespace"]
exclude:
any:
- resources:
namespaces: ["kube-system", "kyverno"]
generate:
apiVersion: v1
kind: ResourceQuota
name: default-quota
namespace: "{{ request.object.metadata.name }}"
data:
spec:
hard:
requests.cpu: "4"
requests.memory: "8Gi"
limits.cpu: "8"
limits.memory: "16Gi"
pods: "50"
Verify Image Signatures
# Enforce cosign signature verification
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-images
spec:
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
rules:
- name: verify-signature
match:
any:
- resources:
kinds: ["Pod"]
verifyImages:
- imageReferences:
- "ghcr.io/myorg/*"
attestors:
- entries:
- keyless:
subject: "https://github.com/myorg/*"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: "https://rekor.sigstore.dev"
Installation
# Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
# Install policy library
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/...
# CLI (for testing policies locally)
brew install kyverno
kyverno apply policy.yaml --resource pod.yaml
Examples
Example 1: Setting up Kyverno for a microservices project
User request:
I have a Node.js API and a React frontend running in Docker. Set up Kyverno for monitoring/deployment.
The agent creates the necessary configuration files based on patterns like # Require resource limits on all containers, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.
Example 2: Troubleshooting mutation policies issues
User request:
Kyverno is showing errors in our mutation policies. Here are the logs: [error output]
The agent analyzes the error output, identifies the root cause by cross-referencing with common Kyverno issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.
Guidelines
- YAML, not Rego — Kyverno policies are pure YAML; lower barrier to entry than OPA/Gatekeeper for Kubernetes teams
- Audit before enforce — Start with
validationFailureAction: Auditto see violations without blocking; switch toEnforceonce clean - Mutate for defaults — Use mutation policies to inject security defaults; developers don't need to remember boilerplate
- Generate for consistency — Auto-create NetworkPolicies, ResourceQuotas, and RBAC for every namespace
- Image verification — Enforce cosign signature verification; prevent unsigned images from running in the cluster
- Policy library — Start with Kyverno's policy library (kyverno.io/policies); covers Pod Security Standards, best practices, and compliance
- Test with CLI — Use
kyverno applyandkyverno testlocally before deploying policies to the cluster - Exceptions via annotations — Use
policies.kyverno.io/excludeannotations for legitimate exceptions; document the reason
> related_skills --same-repo
> zustand
You are an expert in Zustand, the small, fast, and scalable state management library for React. You help developers manage global state without boilerplate using Zustand's hook-based stores, selectors for performance, middleware (persist, devtools, immer), computed values, and async actions — replacing Redux complexity with a simple, un-opinionated API in under 1KB.
> zoho
Integrate and automate Zoho products. Use when a user asks to work with Zoho CRM, Zoho Books, Zoho Desk, Zoho Projects, Zoho Mail, or Zoho Creator, build custom integrations via Zoho APIs, automate workflows with Deluge scripting, sync data between Zoho apps and external systems, manage leads and deals, automate invoicing, build custom Zoho Creator apps, set up webhooks, or manage Zoho organization settings. Covers Zoho CRM, Books, Desk, Projects, Creator, and cross-product integrations.
> zod
You are an expert in Zod, the TypeScript-first schema declaration and validation library. You help developers define schemas that validate data at runtime AND infer TypeScript types at compile time — eliminating the need to write types and validators separately. Used for API input validation, form validation, environment variables, config files, and any data boundary.
> zipkin
Deploy and configure Zipkin for distributed tracing and request flow visualization. Use when a user needs to set up trace collection, instrument Java/Spring or other services with Zipkin, analyze service dependencies, or configure storage backends for trace data.