adaptive-enforcement-lab/kyverno-basics
plugins/enforce/skills/kyverno-basics/SKILL.md
Install Kyverno, create validation policies, and understand audit vs enforce modes for Kubernetes admission control.
testing
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add adaptive-enforcement-lab/claude-skills kyverno-basicsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 8:41 AM36.7s9 files scanned
SKILL.md
- name:
- kyverno-basics
- description:
- >-
Kyverno Basics
When to Use This Skill
Kyverno runs as a dynamic admission controller in Kubernetes. It validates, mutates, and generates resources based on policies written in YAML.
Implementation
Install Kyverno using Helm:
See examples.md for detailed code examples.
Kyverno creates webhook configurations that intercept resource creation/updates before they reach etcd.
Comparison
Roll out policies in audit mode first:
spec:
validationFailureAction: Audit # Log violations, don't block
Check logs for violations:
kubectl get policyreport -A
NAMESPACE NAME PASS FAIL WARN ERROR SKIP
default polr-ns-default 12 3 0 0 0
production polr-ns-production 45 1 0 0 0
Fix violations. Then switch to Enforce:
spec:
validationFailureAction: Enforce # Block violations
Gradual Rollout Strategy
- Deploy policy in
Auditmode - Monitor PolicyReports for 1 week
- Remediate failures
- Switch to
Enforcemode - Handle exceptions with exclusions
Don't deploy straight to Enforce. Discover violations first.
Examples
See examples.md for code examples.
Related Patterns
- Policy Patterns
- Testing and Exceptions
- CI/CD Integration
References
- Source Documentation
- AEL Enforce
Related Skills
adaptive-enforcement-lab/workload-identity-federation-implementation
documentation
VerifiedTrustedCommunity
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/workflow-trigger-security
development
VerifiedTrustedCommunity
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/third-party-action-risk-assessment
development
VerifiedTrustedCommunity
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/storing-credentials
testing
VerifiedTrustedCommunity
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
SKILL.mdUpdated Mar 27, 2026