Policies enforce security, compliance, and best practices across your Kubernetes clusters. They validate resource configurations, prevent misconfigurations, and ensure consistency across environments—helping you catch issues before they reach production. Skyhook leverages Kyverno, a Kubernetes-native policy engine, to provide policy management through GitOps. Kyverno validates, mutates, and generates Kubernetes resources, and Skyhook provides a web interface for managing these policies across all your clusters.

Prerequisites

Before using Kyverno policies, ensure you have:
  • ArgoCD installed: Required for GitOps-based policy deployment. See GitOps with ArgoCD for setup instructions.
  • At least one connected cluster: Policies deploy to clusters connected to Skyhook.

Installing Kyverno

Kyverno is delivered as a GitOps addon. Installing it creates the required manifests in your GitOps repository and syncs them to your clusters via ArgoCD.

Step 1: Verify ArgoCD Installation

  1. Go to Settings > GitOps
  2. Confirm that ArgoCD shows as Installed and Healthy
  3. If not installed, follow the setup instructions in GitOps with ArgoCD

Step 2: Open the Kyverno Addon Page

Access the Kyverno addon configuration through either path:
  • From Dashboard: Navigate to Dashboard > Addons > Kyverno and click Install Kyverno
  • From Settings: Navigate to Settings > Infrastructure > Kyverno
Both paths open the same configuration page.

Step 3: Enable Kyverno on Clusters

On the Kyverno addon page:
  1. View the list of connected clusters with their addon configuration
  2. For each cluster where you want Kyverno, set enabled: true using the UI toggle or YAML editor
  3. Click Save / Apply to commit the configuration
Skyhook then:
  • Updates the Kyverno addon values in your GitOps repository
  • Creates a pull request if your organization uses PR-based changes
  • Relies on ArgoCD to sync the Kyverno resources to your clusters

Step 4: Verify Installation

Once changes are applied:
  1. Return to the Kyverno addon page or the Kyverno card on the Dashboard
  2. Verify:
    • Installed / Not Installed status for Kyverno
    • The number of clusters where Kyverno is enabled
If the status remains pending for a long time, check the ArgoCD sync status for the Kyverno application and review the GitOps PR status if changes are PR-based.

Accessing Policies

Once Kyverno is installed and enabled:
  • Go to Settings > Policies to see all Kyverno policies across your organization
  • Alternatively, use Settings > Infrastructure > Kyverno to access the Kyverno configuration and policy view

Policy List

The policy list displays all deployed Kyverno policies across clusters with the Kyverno addon enabled.

Table Columns

  • Policy Name: Unique identifier of the policy
  • Type: Validation, Mutation, Generation, or ImageVerification
  • Category: Security, BestPractices, Compliance, or Custom
  • Mode: Audit (report only) or Enforce (block violations)
  • Scope: Cluster-wide or Namespaced
  • Cluster: Target cluster(s); shows “All Clusters” for base-level policies
  • Last Updated: When the policy was last modified
  • Status: Active or Inactive, based on the Kyverno addon status on the target cluster

Filtering Policies

Use the filter dropdowns to narrow down the policy list:
  • Type: Filter by policy type (Validation, Mutation, Generation, ImageVerification)
  • Category: Filter by category (Security, BestPractices, Compliance, Custom)
  • Mode: Filter by enforcement mode (Audit or Enforce)
  • Cluster: Filter by specific cluster
  • Namespace: Filter by namespace (for namespaced policies)
Use the search box to find policies by name or category.

Understanding “All Clusters”

Policies shown with “All Clusters” in the Cluster column are base-level policies that apply across all clusters where Kyverno is enabled. These are defined once and deployed to all clusters automatically.

Adding a New Policy

Click Add Policy to create a new policy.

Step 1: Select Template or Custom

Choose how to create your policy: from a pre-built template (Use Template tab) or from your own definition (Custom YAML tab).

To use a template:
  1. Select the Use Template tab
  2. Browse available templates by category and type
  3. Click on a template to select it
Templates include pre-configured policies for common use cases like:
  • Requiring resource limits on pods
  • Blocking privileged containers
  • Enforcing image pull policies
  • Requiring specific labels or annotations

Step 2: Configure Policy Settings

  1. Policy Scope: Choose between ClusterPolicy (cluster-wide, kind: ClusterPolicy) and Namespaced Policy (kind: Policy, applies only to resources in its own namespace)
  2. Enforcement Mode:
    • Audit: Violations are reported (in events and policy reports) but the request is admitted
    • Enforce: Violating create and update requests are rejected at admission
  3. Review the YAML preview; this is exactly what will land in the pull request, so confirm the scope and mode fields are what you intend
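As an added example (not a Skyhook template and not generated by the UI), the following ClusterPolicy is the kind of YAML the preview shows for a "block privileged containers" policy, with the two settings from this step called out: scope is the resource kind (ClusterPolicy here; a namespaced policy uses kind: Policy with metadata.namespace set) and enforcement mode is spec.validationFailureAction. It also shows the match/exclude targeting that keeps the rule off system namespaces. The policy name, message text, and excluded namespace list are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy            # cluster-wide scope; use kind: Policy + metadata.namespace for a namespaced policy
metadata:
  name: disallow-privileged-containers   # assumed name
spec:
  validationFailureAction: Audit   # Audit = report only; change to Enforce to reject violating requests
  background: true                 # also scan existing resources and record findings in policy reports
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:                       # assumed list: keep the rule off cluster and Kyverno system namespaces
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
      validate:
        message: >-
          Privileged containers are not allowed. Set securityContext.privileged
          to false or remove it.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

The `=(key)` form is Kyverno's conditional anchor: the nested pattern is checked only when that key is present, so a pod that omits securityContext entirely passes, while one that sets privileged: true fails. Toggling the Enforcement Mode in the policy's Overview tab changes only the validationFailureAction line in the resulting pull request, which is the line to verify during review.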

Step 3: Select Target Clusters

  1. Select target clusters for deployment
  2. For namespaced policies, select specific namespaces within each cluster
  3. Use the search box to find clusters by name, provider, or region

Step 4: Create the Policy

Click Create Policy to generate a pull request with your policy changes. Once the PR is merged, ArgoCD deploys the policy.

Policy Details

Click on any policy in the list to open the details drawer.

Overview Tab

  • Enforcement Mode: Toggle between Audit and Enforce modes (click Apply after changing to create a PR with the update)
  • Metadata: Policy name, namespace, and status
  • Target Resources: Kubernetes resources the policy applies to

Rules Tab

View individual rules within the policy:
  • Rule name and type
  • Match conditions
  • Exclude conditions
  • Rule logic

YAML Tab

View the complete policy YAML definition.

Managing Clusters

Click Manage Clusters to configure which clusters have Kyverno enabled. This opens the Kyverno addon configuration page where you can:
  • Enable/disable Kyverno on specific clusters
  • Configure Kyverno addon settings
  • View installation status

GitOps Workflow

All policy changes follow a GitOps workflow:
  1. Create/Modify Policy: Use the UI to create or update policies
  2. Pull Request: A PR is automatically created with your changes
  3. Review & Merge: Review the PR and merge when ready
  4. Automatic Deployment: ArgoCD syncs the changes to your clusters

Observing Policy Effects

Once policies are deployed, observe their effects in several places.

In the Skyhook UI

  • Policy Status: In Settings > Policies, each policy shows its Mode (Audit/Enforce), Scope, Cluster, and Status
  • Addon Status: On the Kyverno addon page, verify the list of clusters where Kyverno is enabled and healthy

In Kubernetes Events

On clusters where Kyverno is enabled, policy activity appears in Kubernetes events.

Admission events and rejections: when a policy in Enforce mode blocks a resource, the API server returns a validation error that names the policy and rule. View these failures in:
  • kubectl output when applying manifests
  • Cluster events for the affected resource
# View events for a specific resource
kubectl get events -A --field-selector involvedObject.name=<RESOURCE_NAME>

# Kyverno records violations as events with reason PolicyViolation
kubectl get events -A --field-selector reason=PolicyViolation

# Describe a resource to see related events
kubectl describe <KIND> <NAME> -n <NAMESPACE>
Look for messages that reference Kyverno or specific Kyverno rule names.

Policy Reports

If your Kyverno installation produces PolicyReport or ClusterPolicyReport resources (the reports controller must be running, and a policy only contributes to background scans when its spec.background is true):
# List policy reports (namespaced resources) and cluster policy reports (cluster-scoped resources)
kubectl get policyreport -A
kubectl get clusterpolicyreport

# View details of a specific report, including per-rule results and the affected resources
kubectl describe policyreport <NAME> -n <NAMESPACE>
Policy reports provide a history of policy evaluations (both successes and failures), including for resources that already existed when the policy was deployed, complementing real-time Kubernetes events.

Best Practices

Start with Audit Mode

Audit mode evaluates the policy and records violations in events and policy reports, but never rejects a request, so it gives visibility without protection. Run new policies in Audit mode first, review the reported violations, fix or exclude legitimate workloads, and only then switch to Enforce.

Use Templates

Leverage pre-built templates for common security and compliance policies rather than writing from scratch.

Target Specific Resources

Be specific about which resources a policy applies to: restrict the match conditions to the kinds, namespaces, and selectors you intend, and exclude system namespaces (such as kube-system and the Kyverno namespace) where appropriate. Overly broad Enforce policies can block workloads you did not mean to affect, including the platform components the cluster depends on.

Review Before Merging

Always review the generated PR before merging. Verify the policy YAML and target clusters are correct.

Troubleshooting

ArgoCD is not installed

Kyverno policy management requires ArgoCD for GitOps deployment.
Solution: Visit Settings > GitOps to install and configure ArgoCD. Follow the setup wizard to complete the installation.

Policies show as Inactive

Policies appear inactive when Kyverno is not enabled on the target cluster.
Solution: Enable Kyverno on the cluster through the addon settings:
  1. Go to Settings > Infrastructure > Kyverno
  2. Enable Kyverno on the affected cluster
  3. Wait for ArgoCD to sync the changes

No namespaces appear when creating a namespaced policy

Check:
  • The cluster is connected and accessible
  • Namespaces exist in the target cluster
  • You have permissions to list namespaces
Verify connectivity:
kubectl get namespaces --context <cluster-context>

A policy is deployed but not validating resources

Check:
  1. Verify the policy is in Enforce mode (Audit mode only reports, it does not block)
  2. Confirm the policy matches the target resources (check the match and exclude conditions in the YAML: kinds, namespaces, and selectors)
  3. Confirm the policy is present on the cluster and review the Kyverno controller logs:
    kubectl get clusterpolicy <NAME>
    kubectl logs -n kyverno -l app.kubernetes.io/name=kyverno

  4. Check whether the resource was created before the policy was applied: admission enforcement only acts on create and update requests, so existing resources are never blocked retroactively; background scans (when enabled) record them in policy reports instead
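A direct way to confirm that an Enforce policy is actually being evaluated is to submit a deliberately non-compliant resource with a server-side dry run: the request passes through admission, so Kyverno sees it, but nothing is persisted. The manifest below is an added example, not part of Skyhook or Kyverno; it assumes a ClusterPolicy in Enforce mode that rejects privileged containers is deployed on the cluster, and the pod name and image are assumptions.

```yaml
# privileged-probe.yaml: deliberately violates a policy that blocks privileged containers.
# Submit it with a server-side dry run so the admission webhook evaluates it without creating anything:
#   kubectl apply --dry-run=server -f privileged-probe.yaml -n <NAMESPACE>
# Expected result with the policy in Enforce mode: the API server rejects the request with an
# "admission webhook ... denied the request" error that names the policy and rule.
# If the dry run is admitted, the policy is in Audit mode, does not match this pod
# (kind, namespace, or exclude conditions), or is not installed on this cluster.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-probe          # assumed name
spec:
  containers:
    - name: probe
      image: busybox:1.36          # assumed image; never scheduled because of --dry-run=server
      command: ["sleep", "3600"]
      securityContext:
        privileged: true           # the violation the policy should reject
```

Run the probe in a namespace the policy is meant to cover, not one it excludes; a dry run that succeeds in kube-system tells you nothing if the policy deliberately excludes that namespace.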

Next Steps