AI for Infrastructure as Code

Kyverno Policy Authoring Prompt

Write, test, and roll out Kyverno policies (validate, mutate, generate) for Kubernetes admission control — enforcing org standards on infra manifests without writing Rego.

Target user
Platform engineers enforcing policy-as-code on Kubernetes clusters
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a Kubernetes security engineer who runs Kyverno across multiple clusters in Audit-then-Enforce mode, with every policy backed by a kyverno-test fixture so a policy change can't silently let bad manifests through (or block good ones).

I will provide:
- The rule(s) to enforce (e.g. require resource limits, disallow :latest, require team label, mutate default securityContext)
- Target clusters and namespaces, and any exemptions (kube-system, vendor charts)
- Whether we're greenfield or retrofitting onto existing noncompliant workloads

Your job:

1. **Pick the policy type** — validate (reject/audit), mutate (inject defaults), or generate (create accompanying resources like NetworkPolicy/ResourceQuota). Choose the least-disruptive type that achieves the goal; prefer mutate-to-fix over validate-to-reject where safe.

2. **Write the ClusterPolicy** — with `match`/`exclude` selectors, `validationFailureAction` (start Audit), `background` scanning, and clear `message` + `deny.conditions`. Use `preconditions` and JMESPath for anything nontrivial.

3. **Rollout discipline** — Audit first, review the PolicyReports to size the blast radius, fix or exempt offenders, THEN flip to Enforce. Show how to scope exemptions narrowly (by namespace label, not by disabling the policy).

4. **Mutate safely** — when injecting defaults (securityContext, labels, imagePullPolicy), make rules idempotent and use `+(...)`/anchors so you don't clobber explicit user values.

5. **Testing** — author a `kyverno-test.yaml` with good and bad resource fixtures asserting pass/fail/skip for every rule. Run `kyverno test` in CI on every policy change.

6. **Exemptions & precedence** — PolicyException resources vs exclude blocks; how to grant a time-boxed exception with an owner and expiry annotation.

7. **Observability** — surface PolicyReports to a dashboard; alert when Enforce-mode denials spike (often a legitimate rollout being blocked).
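A worked policy for the kind of rules listed above, added here as an example; it is neither the page's own output nor one of Kyverno's sample policies. It holds two validate rules (one exempting namespaces by label, one by name) and one idempotent mutate rule. The policy name, the `team` label key, the exemption label `kyverno.example.com/exempt-image-tags` and the registry host are constructed for illustration.

```yaml
# policy.yaml -- added example ClusterPolicy (not from the page).
# Names, label keys and registry hosts are constructed for illustration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-standards
spec:
  # Start in Audit: violations are written to PolicyReports instead of being
  # rejected. Change this one line to Enforce once the reports are clean.
  validationFailureAction: Audit
  # Also scan resources that already exist, so Audit mode sizes the blast
  # radius before any admission request is ever blocked.
  background: true
  rules:
    # validate: reject mutable image tags
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds: [Pod]
      # Exempt by namespace label, not by turning the policy off: only
      # namespaces carrying this label (e.g. vendor charts) are skipped.
      exclude:
        any:
          - resources:
              namespaceSelector:
                matchLabels:
                  kyverno.example.com/exempt-image-tags: "true"
      validate:
        message: "Pin images to a tag or digest; ':latest' is not allowed."
        pattern:
          spec:
            containers:
              # Every container in the list must satisfy this pattern.
              - image: "!*:latest"
    # validate: every Pod must name an owning team
    - name: require-team-label
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]
      validate:
        message: "Pods must carry a 'team' label naming the owning team."
        pattern:
          metadata:
            labels:
              # "?*" means present and non-empty; any value is accepted.
              team: "?*"
    # mutate: inject defaults without clobbering values the author set
    - name: default-pod-securitycontext
      match:
        any:
          - resources:
              kinds: [Pod]
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              # +(key) is an add-if-not-present anchor: the value is written
              # only when the field is absent, so an explicit runAsNonRoot:
              # false or a custom seccompProfile survives, and re-applying
              # the rule is idempotent.
              +(runAsNonRoot): true
              +(seccompProfile):
                type: RuntimeDefault
```

Two caveats a reviewer would raise. An image with no tag at all is pulled as `:latest` but is not caught by the `!*:latest` pattern; Kyverno's sample policies add a second rule with the pattern `*:*` to require a tag. And because Kyverno auto-generates the equivalent rules for Pod controllers (Deployment, StatefulSet, and so on), a noncompliant Deployment is rejected at apply time in Enforce mode rather than failing silently inside its ReplicaSet.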

Output as: (a) the ClusterPolicy YAML, (b) the kyverno-test fixtures, (c) the Audit→Enforce rollout plan, (d) an example time-boxed PolicyException, (e) the CI test job.
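Output item (b), written here as an added example rather than the page's own fixtures. It assumes a `policy.yaml` holding a ClusterPolicy named `baseline-pod-standards` with a validate rule `disallow-latest-tag`, a validate rule `require-team-label` that excludes the `kube-system` namespace, and a mutate rule `default-pod-securitycontext` that adds `spec.securityContext.runAsNonRoot: true` and a `RuntimeDefault` seccomp profile when absent. The three Pods and the expected patched output are constructed; the files are shown concatenated with `---` markers and the comment on each says which file it belongs in.

```yaml
# resources.yaml -- constructed fixtures (not from the page); three Pods in one file.
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: team-a
  labels:
    team: payments
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: app
      image: registry.example.com/app:1.4.2
---
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: team-a
spec:
  containers:
    - name: app
      image: registry.example.com/app:latest
---
apiVersion: v1
kind: Pod
metadata:
  name: vendor-pod
  namespace: kube-system
spec:
  containers:
    - name: agent
      image: registry.example.com/agent:latest
---
# patched-bad-pod.yaml -- what bad-pod must look like after the mutate rule ran.
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: team-a
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:latest
---
# kyverno-test.yaml -- run `kyverno test .` in the directory holding these files.
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: baseline-pod-standards
policies:
  - policy.yaml
resources:
  - resources.yaml
results:
  # A compliant Pod passes the validate rules.
  - policy: baseline-pod-standards
    rule: disallow-latest-tag
    kind: Pod
    resources: [good-pod]
    result: pass
  - policy: baseline-pod-standards
    rule: require-team-label
    kind: Pod
    resources: [good-pod]
    result: pass
  # A noncompliant Pod must fail: a PolicyReport entry in Audit, a rejection in Enforce.
  - policy: baseline-pod-standards
    rule: disallow-latest-tag
    kind: Pod
    resources: [bad-pod]
    result: fail
  # An excluded namespace is skipped, not passed, which proves the exemption
  # is scoped the way the policy author intended.
  - policy: baseline-pod-standards
    rule: require-team-label
    kind: Pod
    resources: [vendor-pod]
    result: skip
  # Mutate rules are asserted by comparing the patched output field for field.
  - policy: baseline-pod-standards
    rule: default-pod-securitycontext
    kind: Pod
    resources: [bad-pod]
    patchedResource: patched-bad-pod.yaml
    result: pass
```

The CLI runs offline and cannot see namespace labels, so an `exclude` that uses `namespaceSelector` is only exercised if the namespace labels are supplied through a values file referenced by the test's `variables` field; the skip case above therefore targets the rule whose exclusion is by namespace name. Wiring `kyverno test .` into CI on every change to the policy directory turns a rule edit that silently widens or narrows enforcement into a failed build.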

Bias toward: Audit before Enforce, idempotent mutations, every policy covered by a test, narrowly scoped exemptions with expiry.
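An added example of a narrowly scoped, time-boxed exception (not from the page); it assumes a ClusterPolicy named `baseline-pod-standards` with a rule `disallow-latest-tag`, and the namespace, workload name prefix, annotation keys, owner, ticket and date are constructed placeholders.

```yaml
# policy-exception.yaml -- added example (not from the page).
# Namespace, names, annotation keys, owner, ticket and date are placeholders.
# Use apiVersion kyverno.io/v2beta1 on Kyverno releases before 1.12.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: legacy-importer-latest-tag
  namespace: batch-legacy
  annotations:
    # Who owns the debt and when the exception stops being acceptable.
    exception.example.com/owner: "team-batch"
    exception.example.com/expires: "YYYY-MM-DD"
    exception.example.com/ticket: "TICKET-PLACEHOLDER"
spec:
  exceptions:
    - policyName: baseline-pod-standards
      ruleNames:
        # Only the rule that blocks this workload, never the whole policy.
        - disallow-latest-tag
  match:
    any:
      - resources:
          kinds: [Pod]
          namespaces: [batch-legacy]
          # One workload family by name, not everything in the namespace.
          names: ["legacy-importer-*"]
```

PolicyException support is a feature flag on the Kyverno controllers and may need enabling in your chart values; Kyverno also lets you confine where exceptions may live, so they cannot be created in arbitrary namespaces. The expiry annotation is not enforced by Kyverno itself, so pair it with a check (a CI job, or a validate policy matching PolicyException resources) that refuses exceptions without an owner and expiry and flags those past their date.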