plugins/enforce/skills/runtime-deployment-admission-control-with-kyverno/SKILL.md
Deploy Kyverno admission control as final safety net before production. Install admission webhooks, policy reporters, and continuous compliance background scans.
npx skillsauth add adaptive-enforcement-lab/claude-skills runtime-deployment-admission-control-with-kyverno
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Runtime admission control enforces policies at the cluster level using Kyverno admission webhooks:
graph TD
K[kubectl apply] --> API[Kubernetes API Server]
API --> ADM[Admission Controller]
ADM --> KYV[Kyverno Webhook]
KYV --> POL{Policy Check}
POL -->|Pass| ETCD[(etcd)]
POL -->|Fail| REJECT[Reject Request]
%% Ghostty Hardcore Theme
style ETCD fill:#a7e22e,color:#1b1d1e
style REJECT fill:#f92572,color:#1b1d1e
Runtime is the Final Safety Net
Local dev and CI checks can be bypassed. Runtime admission control is the last line of defense: when a policy check fails, the API server rejects the request and the non-compliant resource never reaches production.
Deploy Kyverno using Helm:
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno \
--namespace kyverno \
--create-namespace \
--values kyverno-values.yaml
kyverno-values.yaml:
See examples.md for detailed code examples.
Background Scan Interval
Set backgroundScanInterval to 6h for most clusters. Reduce to 1h for high-compliance environments. Increase to 12h for large clusters (1000+ nodes).
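The policy that sits at the Policy Check step of the diagram, as an added example rather than content from this skill's examples.md: it is enforced by the admission webhook (a privileged Pod is rejected) and, because background is enabled, also evaluated on the background scan interval so that pre-existing violations appear as PolicyReports in Policy Reporter. The policy name and message text are assumptions; the pattern syntax is standard Kyverno.

```yaml
# Added example (not from the skill's examples.md): a Kyverno ClusterPolicy
# that is enforced at admission time AND evaluated by the background scan.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # assumed name
  annotations:
    policies.kyverno.io/description: >-
      Rejects privileged containers at admission and reports
      pre-existing violations through PolicyReports.
spec:
  # Enforce: the webhook rejects non-compliant requests.
  # Audit would only record the violation in a PolicyReport.
  validationFailureAction: Enforce
  # background: true re-evaluates existing resources on the
  # backgroundScanInterval set in the Helm values, so workloads admitted
  # before the policy existed still show up in Policy Reporter.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed."
        # =(key) means "only check this key if it is present", so a Pod
        # with no securityContext at all still passes.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Apply it with kubectl apply -f, then submit a test Pod with securityContext.privileged set to true: the API server returns an admission error carrying the policy message, and the cluster-wide PolicyReports show any workloads that were already violating it.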
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
helm install policy-reporter policy-reporter/policy-reporter \
--namespace policy-reporter \
--create-namespace \
--values policy-reporter-values.yaml
policy-reporter-values.yaml:
See examples.md for detailed code examples.
Policy Reporter UI
Access the dashboard with kubectl port-forward -n policy-reporter svc/policy-reporter-ui 8080:8080. Navigate to http://localhost:8080.
See examples.md for code examples.
See reference.md for complete documentation.