Policy Settings

Common configuration for all rules in a policy.

A policy contains one or more rules, and the following common settings which apply to all rules in the policy:

validationFailureAction: controls if a validation policy rule failure should block the admission review request (enforce) or allow (audit) the admission review request and report the policy failure in a policy report. Defaults to audit.
validationFailureActionOverrides: a ClusterPolicy attribute that specifies validationFailureAction Namespace-wise. It overrides validationFailureAction for the specified Namespaces.
background: controls if rules are applied to existing resources during a background scan. Defaults to “true”.
schemaValidation: controls whether policy validation checks are applied. Defaults to “true”. Kyverno will attempt to validate the schema of a policy and fail if it cannot determine it satisfies the OpenAPI schema definition for that resource. Can occur on either validate or mutate policies. Set to “false” to skip schema validation.
failurePolicy: defines the API server behavior if the webhook fails to respond. Allowed values are “Ignore” or “Fail”. Defaults to “Fail”.
webhookTimeoutSeconds: specifies the maximum time in seconds allowed to apply this policy. The default timeout is 10s. The value must be between 1 and 30 seconds.

Use kubectl explain policy.spec for command-line help on the policy schema.

Last modified February 19, 2022 at 10:24 AM PST: [main] 1.6 updates (#477) (bc4c364)