Usage
Overview
Kyverno MCP serves two primary use cases that address different stages of the Kubernetes policy management lifecycle. Whether you’re proactively assessing cluster security or monitoring existing policy deployments, these scenarios demonstrate how to leverage Kyverno MCP effectively.
Scenario 1: Proactive Assessment
In this scenario, Kyverno is not installed on your clusters. You can use the Kyverno MCP server to scan cluster resources with recommended or custom policy sets.
The Challenge
“As a DevOps engineer, I want to scan my Kubernetes clusters for policy violations and assess their security posture without needing to install Kyverno or deploy policies to the cluster.”
Organizations often need to:
- Evaluate security risks in existing clusters
- Understand policy implications before deployment
- Establish baseline security requirements
- Get guidance on Kyverno installation and configuration
How Kyverno MCP Helps
1. Policy Scanning and Assessment
Test cluster resources against curated policy sets to discover potential security issues:
Apply pod security policies to my development cluster
This command will:
- Scan existing cluster resources against security policies using kyverno apply
- Identify resources that would violate the Kubernetes Pod Security Standards
- Provide immediate, non-persistent violation reports to stdout
- Work without requiring Kyverno to be installed in the cluster
2. Multi-Environment Evaluation
Scan security posture across different environments:
Switch to staging-cluster and scan my cluster for default policies violations
3. Installation Guidance
Get contextual guidance for Kyverno deployment:
Show me how to install Kyverno in my cluster
Benefits
- Risk-free scanning: Test policies against existing resources without affecting running workloads
- No infrastructure changes: Scan clusters without installing Kyverno or deploying policies
- Informed decisions: Understand policy impact before committing to actual deployment
- Guided implementation: Get step-by-step installation guidance for full policy enforcement
- Baseline establishment: Create security standards across environments
Example Workflow
1. Initial Assessment: List my available Kubernetes contexts
2. Environment Selection: Switch to development-cluster
3. Policy Scanning and Impact Analysis: Scan my cluster for default policies violations
4. Implementation Planning: Show me how to install Kyverno and deploy policies for enforcement
Moving from Scanning to Enforcement
After using the MCP tool to scan your cluster and understand policy violations, actual policy deployment requires:
- Install Kyverno in your cluster (see Kyverno Installation)
- Deploy policies with the standard kubectl apply command
- Monitor violations using the show_violations tool, which reads PolicyReport custom resources
NOTE: The MCP tool provides scanning capabilities but does not deploy policies to your cluster. Policy deployment is handled through standard Kubernetes deployment methods.
Scenario 2: Compliance Monitoring & Violation Analysis
In this scenario, Kyverno is installed on your clusters, along with one or more policy sets. You can use the Kyverno MCP server to manage policy violations.
The Challenge
“As a security engineer, I want to monitor compliance across my Kubernetes clusters that already have Kyverno installed and policies deployed, and get current violation reports from PolicyReport resources.”
Security teams need to:
- Monitor ongoing policy compliance
- Quickly identify and prioritize violations
- Generate compliance reports
- View current security posture
Prerequisites for This Scenario
- Kyverno installed in the cluster
- Policies deployed using kubectl apply -f <policy.yaml>
- PolicyReport custom resources being generated by deployed policies
How Kyverno MCP Helps
1. Current Violation Monitoring
Read PolicyReport custom resources to get visibility into active policy violations:
Show me all policy violations in the production namespace
This provides:
- Detailed violation information: Policy name, affected resource, severity level from PolicyReport CRs
- Contextual data: Namespace, timestamps, and descriptive messages
- Prioritized results: Violations grouped by severity (high, medium, low)
- Current state snapshot: Shows violations as they exist now in the cluster
Note: The tool provides current violation snapshots only. It does not:
- Track historical violation trends over time
- Show which policy set (e.g., kubernetes-best-practices) violations belong to
- Provide aggregation by namespace or other dimensions
- Access PolicyReport creation metadata
2. Filtered Analysis
Focus on specific areas of concern:
Show me high-severity violations in the production namespace
3. Multi-Cluster Compliance
Monitor compliance across multiple environments:
Compare policy violations between staging and production clusters
Benefits
- Immediate visibility: Real-time access to current violation data
- Actionable insights: Detailed information for remediation
- Current state monitoring: View existing policy violations
- Efficient prioritization: Focus on high-impact violations first
Example Workflow
1. Daily Compliance Check: Show me all policy violations in the cluster
2. Priority Assessment: Show me all high-severity violations
3. Namespace-Specific Analysis: Show policy violations in the production namespace
4. Cross-Environment Comparison: Switch to staging-cluster and show me policy violations
5. Policy-Specific Violations: Show me violations for the require-resource-limits policy
Sample Violation Report
{
  "violations": [
    {
      "policy": "disallow-privileged-containers",
      "resource": "pod/webapp-xyz",
      "namespace": "production",
      "severity": "high",
      "message": "Privileged containers are not allowed",
      "timestamp": "2024-01-15T10:30:00Z"
    },
    {
      "policy": "require-resource-limits",
      "resource": "deployment/backend",
      "namespace": "staging",
      "severity": "medium",
      "message": "Container 'api' does not have resource limits set"
    }
  ],
  "summary": {
    "total": 2,
    "high": 1,
    "medium": 1,
    "low": 0
  }
}
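The report above is a snapshot derived from PolicyReport custom resources. The following script is an added example, not code from the Kyverno MCP project, showing how such a snapshot is produced from the wgpolicyk8s.io/v1alpha2 PolicyReport shape that Kyverno writes: only results with result "fail" count as violations, each affected resource becomes one entry, entries are ordered by severity, and the namespace, severity and policy filters used in the Filtered Analysis and Policy-Specific Violations prompts are applied before counting. The sample reports, the report and resource names, and the function names (extract_violations, summarize, violation_report) are constructed for this example.

```python
"""Added example (not Kyverno MCP code): summarize Kyverno PolicyReport results as violations.
Assumes the wgpolicyk8s.io/v1alpha2 PolicyReport shape: each `results` entry carries
`policy`, `result` (pass/fail/warn/error/skip), `severity`, `message`, `resources`
and an optional `timestamp` of {seconds, nanos}.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of `kubectl get policyreports -A -o json`;
# report names, resources, messages and times are made up for this example.
SAMPLE_REPORTS = {"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
     "metadata": {"name": "cpol-disallow-privileged-containers", "namespace": "production"},
     "results": [
         {"policy": "disallow-privileged-containers", "result": "fail", "severity": "high",
          "message": "Privileged containers are not allowed",
          "resources": [{"apiVersion": "v1", "kind": "Pod", "name": "webapp-xyz", "namespace": "production"}],
          "timestamp": {"seconds": 1705314600, "nanos": 0}},
         {"policy": "disallow-privileged-containers", "result": "pass", "severity": "high",
          "message": "validation rule passed",  # a pass is not a violation and must be skipped
          "resources": [{"apiVersion": "v1", "kind": "Pod", "name": "api-abc", "namespace": "production"}],
          "timestamp": {"seconds": 1705314600, "nanos": 0}},
     ]},
    {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
     "metadata": {"name": "cpol-require-resource-limits", "namespace": "staging"},
     "results": [
         {"policy": "require-resource-limits", "result": "fail", "severity": "medium",
          "message": "Container 'api' does not have resource limits set",  # no timestamp here
          "resources": [{"apiVersion": "apps/v1", "kind": "Deployment", "name": "backend", "namespace": "staging"}]},
     ]},
]}

# Sort order for prioritized output; unknown severities sort last.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def _iso_timestamp(ts):
    """Render a PolicyReport {seconds, nanos} timestamp as RFC 3339 UTC, or None if absent."""
    if not ts or "seconds" not in ts:
        return None
    return datetime.fromtimestamp(int(ts["seconds"]), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def extract_violations(report_list, namespace=None, severity=None, policy=None):
    """Flatten failed results into one entry per affected resource, optionally filtered."""
    violations = []
    for report in report_list.get("items", []):
        report_ns = report.get("metadata", {}).get("namespace")  # None for a ClusterPolicyReport
        for result in report.get("results", []):
            if result.get("result") != "fail":  # pass/warn/error/skip are not violations
                continue
            sev = (result.get("severity") or "unknown").lower()
            if severity and sev != severity.lower():
                continue
            if policy and result.get("policy") != policy:
                continue
            for res in result.get("resources") or [{}]:
                ns = res.get("namespace") or report_ns
                if namespace and ns != namespace:
                    continue
                entry = {
                    "policy": result.get("policy"),
                    "resource": f"{res.get('kind', 'unknown').lower()}/{res.get('name', 'unknown')}",
                    "namespace": ns,
                    "severity": sev,
                    "message": result.get("message", ""),
                }
                stamp = _iso_timestamp(result.get("timestamp"))
                if stamp:
                    entry["timestamp"] = stamp
                violations.append(entry)
    # Stable sort: highest severity first, report order preserved within a level.
    violations.sort(key=lambda v: SEVERITY_ORDER.get(v["severity"], 99))
    return violations


def summarize(violations):
    """Count violations per severity in the shape of the sample report's `summary`."""
    summary = {"total": len(violations), "high": 0, "medium": 0, "low": 0}
    for v in violations:
        if v["severity"] in summary:
            summary[v["severity"]] += 1
    return summary


def violation_report(report_list, **filters):
    """Build {"violations": [...], "summary": {...}} from a PolicyReport list."""
    violations = extract_violations(report_list, **filters)
    return {"violations": violations, "summary": summarize(violations)}


if __name__ == "__main__":
    # Usage: kubectl get policyreports -A -o json > reports.json && python3 policyreport_summary.py reports.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_REPORTS
    print(json.dumps(violation_report(data), indent=2))
```

Run without arguments it prints the constructed sample as the report shown above; pass a file written by `kubectl get policyreports -A -o json` to summarize a live cluster. Note the limits the page lists still apply: this is a point-in-time snapshot, it carries no history, and nothing in a PolicyReport result says which policy set the policy came from.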
Advanced Scenarios
Multi-Cluster Security Governance
Scenario: Managing security policies across development, staging, and production environments.
For each of my clusters:
1. Switch to the cluster context
2. Scan my cluster for default policies violations
3. Show me any new violations
4. Generate a compliance summary
Policy Impact Assessment
Scenario: Understanding the impact of new policies before enforcement.
1. Apply the new network security policies
2. Show me what violations would occur
3. Identify affected applications
4. Plan remediation strategy
Best Practices
1. Start with Assessment
Always begin with a security assessment before applying policies:
Show me existing policy violations in my cluster
2. Test Policy Impact
Test policies to understand their impact on existing resources:
Apply pod security policies to explain their impact
3. Context Awareness
Always verify the current context:
What Kubernetes context am I currently using?
Integration with Existing Workflows
DevOps Integration
- Pre-deployment checks: Assess security before new deployments
- Policy validation: Test policies in development environments
- Compliance gates: Integrate with CI/CD pipelines
Security Operations
- Daily monitoring: Regular violation checks
- Incident response: Quick identification of security issues
- Audit preparation: Generate compliance reports
Platform Engineering
- Cluster standardization: Consistent security policies across environments
- Developer guidance: Provide security best practices
- Policy evolution: Continuous improvement of security posture
Next Steps
- Learn about Available Tools for detailed tool documentation
- Explore Configuration Options for advanced setup
- Review Security Best Practices for production deployment
- Check Troubleshooting Guide for common issues