Chapter 5. Kyverno

Run the test

make kyverno-install
make kyverno-apply
make kyverno-policy-test

This attempts to apply infra/k8s/bad/deploy-bad.yaml and saves the exact kubectl error output to artifacts/policy-tests.txt.
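The check a target like kyverno-policy-test has to make, written out as an added example (this is not the repository's Makefile; the function name expect_rejected and the use of --dry-run=server are assumptions). It shows why a non-zero kubectl exit code alone is not evidence that a policy fired.

```shell
#!/bin/sh
# Added example, not the project's own code.
# expect_rejected MANIFEST EVIDENCE_FILE
#   0  manifest was denied by an admission webhook (the result we want)
#   1  manifest was admitted, so the policy is not enforcing
#   2  kubectl failed for some other reason (bad path, no cluster, RBAC)
expect_rejected() {
    manifest=$1
    evidence=$2
    mkdir -p "$(dirname "$evidence")"

    # Assumption: server-side dry run. The object goes through admission
    # but is never persisted, so an admitted bad manifest leaves nothing
    # behind in the cluster.
    if kubectl apply --dry-run=server -f "$manifest" >"$evidence" 2>&1; then
        echo "FAIL: $manifest was admitted; see $evidence" >&2
        return 1
    fi

    # A missing file or an unreachable API server also exits non-zero.
    # Only the admission denial text proves that a policy blocked it.
    if ! grep -q 'denied the request' "$evidence"; then
        echo "FAIL: kubectl failed, but not because of a policy" >&2
        return 2
    fi

    echo "OK: $manifest rejected; evidence saved to $evidence"
    return 0
}

# Usage with the chapter's paths:
#   expect_rejected infra/k8s/bad/deploy-bad.yaml artifacts/policy-tests.txt
```

Return codes 1 and 2 should both fail the CI job; keeping them distinct tells the reviewer whether the policy is missing or the test environment is broken.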

How to read the output

A typical rejection looks like:

[Sample kubectl rejection output. The original block did not survive extraction; the legible fragments are "validation error" messages and field paths ending in containers[0].image and containers[0].securityContext.]

Map the pieces:

  • policy → which file in policies/ matched
  • rule → rule name in that file
  • validation error → the message you wrote in the policy
  • resource → kind/namespace/name that failed
  • field → the exact path to fix

Evidence tip

Attach artifacts/policy-tests.txt to your PR (or include it in the evidence zip). Reviewers see which policy blocked which field and why.

Checklist

  • Bad manifest rejected
  • Evidence saved to artifacts/policy-tests.txt
  • You can point to the exact field to change