Kyverno Blocked Your Pod: Read the Policy Layer First
Admission denied by Kyverno is not a bug — it's a policy decision. Find the policy name, rule, and PolicyReport before bypassing admission.
```bash
kubectl apply -f deploy.yaml
Error from server: admission webhook "validate.kyverno.svc" denied the request:
validation error: label app.kubernetes.io/name is required
```

The developer says the manifest is fine. The cluster disagrees.
Your job is not to win the argument — it is to map denial → policy → fix.
The investigation order
- Read the full denial message — the policy name and rule are often in the error text
- `kubectl get policyreport -n <ns>` — pass/fail/warn for existing resources
- `kubectl get cpol,pol -A` — open the policy spec for match blocks and validate rules

```bash
kubectl get policyreport -A
kubectl describe clusterpolicy require-labels
```

Only after you understand the rule should you change the workload, add an exception, or adjust the policy.
Validate vs mutate vs generate
| Rule type | When it runs | Typical mistake |
|---|---|---|
| validate | Create/update admission | Bypass with `--validate=false` |
| mutate | Create/update admission | Expect changes on existing pods without restart |
| generate | Trigger resource events | Forget controller RBAC for created objects |
Background audit policies can report fail on Running pods — that is not the same as enforce blocking new creates.
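This is what you should expect to see when you open the policy spec in the investigation step above, and it puts the three rule types from the table side by side. It is an added example written for this page, not Kyverno's own sample policies: the policy name `require-labels` and the rule, namespace and label values are assumed, and the validate rule is written so that its message matches the denial quoted at the top.

```yaml
# Added example: three separate ClusterPolicies, one per rule type.
# Only the validate rule below can produce the admission denial shown above.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels                 # what `kubectl describe clusterpolicy require-labels` opens
spec:
  validationFailureAction: Enforce     # Enforce blocks at admission; Audit only writes PolicyReports
  background: true                     # also scan existing resources -> fail entries on Running pods
  rules:
    - name: check-app-name-label       # rule name: what to look for in the denial text / PolicyReport
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "label app.kubernetes.io/name is required"   # the text the developer saw
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"   # any non-empty value
---
# mutate: runs at create/update admission only. Existing pods are NOT rewritten;
# they pick the label up on their next restart or rollout.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-managed-by-label
spec:
  rules:
    - name: add-default-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(app.kubernetes.io/managed-by): kyverno   # "+(...)" = add only if absent
---
# generate: triggered by a resource event (here, a new Namespace). The object is
# created by Kyverno's background controller, whose ServiceAccount must be allowed
# to create/update/delete NetworkPolicies; check your Kyverno version's RBAC
# aggregation docs for how to grant that, or the rule silently never fires.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-deny-ingress
spec:
  rules:
    - name: generate-default-deny
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"   # the namespace that triggered the rule
        synchronize: true        # keep the generated object in step with this rule
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
```

When you read a real policy, the two fields that decide whether a denial can come from it are `validationFailureAction` (only `Enforce` blocks creates) and the rule's `match` block (does it select this kind, in this namespace, with these labels); everything else is detail about what the rule checks.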
Traps that weaken security
- `kubectl apply --validate=false` — hides the fix (it only skips client-side schema validation; the admission webhook still runs); use only after you know the violation
- Disable Kyverno webhooks cluster-wide — breaks every policy, not one namespace
- Cluster-admin bind as quick fix — RBAC on the app is separate from admission policy
Prefer scoped PolicyException with expiry over turning off enforce globally.
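A scoped exception for the case above, as an added example for this page rather than a Kyverno-supplied manifest: it exempts only pods named `importer-*` in the `legacy-batch` namespace from the single `check-app-name-label` rule of `require-labels`, leaving the policy enforced everywhere else. All of those names are assumed, and the expiry annotation is a hypothetical house convention, since Kyverno has no native expiry field on a PolicyException; something (a reviewer, a ticket, or a cleanup job you write) has to act on it.

```yaml
# Added example. Assumes PolicyExceptions are enabled in your Kyverno
# deployment and that this namespace is the one it accepts exceptions from.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: require-labels-legacy-batch-importer
  namespace: kyverno
  annotations:
    example.org/owner: "platform-team"              # hypothetical convention
    example.org/expires: "YYYY-MM-DD"               # hypothetical convention; placeholder date
    example.org/ticket: "TICKET-PLACEHOLDER"        # hypothetical convention; placeholder id
spec:
  exceptions:
    - policyName: require-labels
      ruleNames:
        - check-app-name-label     # exempt one rule, not the whole policy
  match:
    any:
      - resources:
          kinds:
            - Pod
          namespaces:
            - legacy-batch          # one namespace, not "*"
          names:
            - "importer-*"          # one workload family, not every pod
```

Compare the blast radius: this touches one rule, one namespace and one name pattern, whereas flipping `validationFailureAction` to `Audit` or removing the webhook turns off the check for every workload in the cluster.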
Practice policy decisions
The Kyverno Policies path covers blocked pods, mutate misses, generate rules, PolicyReports, and webhook timeouts — four-option scenarios graded on your first step.
Included in the Platform & Policy Pack alongside Helm, Kustomize, and Argo CD.