Usage

Overview

Kyverno MCP serves two primary use cases that address different stages of the Kubernetes policy management lifecycle. Whether you’re proactively assessing cluster security or monitoring existing policy deployments, these scenarios demonstrate how to leverage Kyverno MCP effectively.

Scenario 1: Proactive Assessment

In this scenario, Kyverno is not installed on your clusters. You can use the Kyverno MCP server to scan cluster resources with recommended or custom policy sets.

The Challenge

“As a DevOps engineer, I want to scan my Kubernetes clusters for policy violations and assess their security posture without needing to install Kyverno or deploy policies to the cluster.”

Organizations often need to:

• Evaluate security risks in existing clusters
• Understand policy implications before deployment
• Establish baseline security requirements
• Get guidance on Kyverno installation and configuration

How Kyverno MCP Helps

1. Policy Scanning and Assessment

Test cluster resources against curated policy sets to discover potential security issues:

Apply pod security policies to my development cluster

This command will:

• Scan existing cluster resources against security policies using kyverno apply
• Identify resources that would violate the Kubernetes Pod Security Standards
• Provide immediate, non-persistent violation reports to stdout
• Work without requiring Kyverno to be installed in the cluster

2. Multi-Environment Evaluation

Scan security posture across different environments:

Switch to staging-cluster and scan my cluster for default policies violations

3. Installation Guidance

Get contextual guidance for Kyverno deployment:

Show me how to install Kyverno in my cluster

Benefits

• Risk-free scanning: Test policies against existing resources without affecting running workloads
• No infrastructure changes: Scan clusters without installing Kyverno or deploying policies
• Informed decisions: Understand policy impact before committing to actual deployment
• Guided implementation: Get step-by-step installation guidance for full policy enforcement
• Baseline establishment: Create security standards across environments

Example Workflow

1. Initial Assessment

   List my available Kubernetes contexts
   

2. Environment Selection

   Switch to development-cluster
   

3. Policy Scanning and Impact Analysis

   Scan my cluster for default policies violations
   

4. Implementation Planning

   Show me how to install Kyverno and deploy policies for enforcement
   

Moving from Scanning to Enforcement

After using the MCP tool to scan your cluster and understand policy violations, actual policy deployment requires:

1. Install Kyverno in your cluster (using Kyverno Installation)
2. Deploy policies using standard Kubectl apply command (kubectl apply)
3. Monitor violations using the show_violations tool to read PolicyReport custom resources (PolicyReport)

NOTE: The MCP tool provides scanning capabilities but does not deploy policies to your cluster. Policy deployment is handled through standard Kubernetes deployment methods.

Scenario 2: Compliance Monitoring & Violation Analysis

In this scenario, Kyverno is installed on your clusters, along with one or more policy sets. You can use the Kyverno MCP server to manage policy violations.

The Challenge

“As a security engineer, I want to monitor compliance across my Kubernetes clusters that already have Kyverno installed and policies deployed, and get current violation reports from PolicyReport resources.”

Security teams need to:

• Monitor ongoing policy compliance
• Quickly identify and prioritize violations
• Generate compliance reports
• View current security posture

Prerequisites for This Scenario

• Kyverno installed in the cluster
• Policies deployed using kubectl apply -f <policy.yaml>
• PolicyReport custom resources being generated by deployed policies

How Kyverno MCP Helps

1. Current Violation Monitoring

Read PolicyReport custom resources to get visibility into active policy violations:

Show me all policy violations in the production namespace

This provides:

• Detailed violation information: Policy name, affected resource, severity level from PolicyReport CRs
• Contextual data: Namespace, timestamps, and descriptive messages
• Prioritized results: Violations grouped by severity (high, medium, low)
• Current state snapshot: Shows violations as they exist now in the cluster

Note: The tool provides current violation snapshots only. It does not:

• Track historical violation trends over time
• Show which policy set (e.g., kubernetes-best-practices) violations belong to
• Provide aggregation by namespace or other dimensions
• Access PolicyReport creation metadata

2. Filtered Analysis

Focus on specific areas of concern:

Show me high-severity violations in the production namespace

3. Multi-Cluster Compliance

Monitor compliance across multiple environments:

Compare policy violations between staging and production clusters

Benefits

• Immediate visibility: Real-time access to current violation data
• Actionable insights: Detailed information for remediation
• Current state monitoring: View existing policy violations
• Efficient prioritization: Focus on high-impact violations first

Example Workflow

1. Daily Compliance Check

   Show me all policy violations in the cluster
   

2. Priority Assessment

   Show me all high-severity violations
   

3. Namespace-Specific Analysis

   Show policy violations in the production namespace
   

4. Cross-Environment Comparison

   Switch to staging-cluster and show me policy violations
   

5. Policy-Specific Violations

   Show me violations for the require-resource-limits policy
   

Sample Violation Report

{
  "violations": [
    {
      "policy": "disallow-privileged-containers",
      "resource": "pod/webapp-xyz",
      "namespace": "production",
      "severity": "high",
      "message": "Privileged containers are not allowed",
      "timestamp": "2024-01-15T10:30:00Z"
    },
    {
      "policy": "require-resource-limits",
      "resource": "deployment/backend",
      "namespace": "staging",
      "severity": "medium",
      "message": "Container 'api' does not have resource limits set"
    }
  ],
  "summary": {
    "total": 2,
    "high": 1,
    "medium": 1,
    "low": 0
  }
}

Advanced Scenarios

Multi-Cluster Security Governance

Scenario: Managing security policies across development, staging, and production environments.

For each of my clusters:
1. Switch to the cluster context
2. Scan my cluster for default policies violations
3. Show me any new violations
4. Generate a compliance summary

Policy Impact Assessment

Scenario: Understanding the impact of new policies before enforcement.

1. Apply the new network security policies
2. Show me what violations would occur
3. Identify affected applications
4. Plan remediation strategy

Best Practices

1. Start with Assessment

Always begin with a security assessment before applying policies:

Show me existing policy violations in my cluster

2. Test Policy Impact

Test policies to understand their impact on existing resources:

Apply pod security policies to explain their impact

3. Context Awareness

Always verify the current context:

What Kubernetes context am I currently using?

Integration with Existing Workflows

DevOps Integration

• Pre-deployment checks: Assess security before new deployments
• Policy validation: Test policies in development environments
• Compliance gates: Integrate with CI/CD pipelines

Security Operations

• Daily monitoring: Regular violation checks
• Incident response: Quick identification of security issues
• Audit preparation: Generate compliance reports

Platform Engineering

• Cluster standardization: Consistent security policies across environments
• Developer guidance: Provide security best practices
• Policy evolution: Continuous improvement of security posture

Next Steps

• Learn about Available Tools for detailed tool documentation
• Explore Configuration Options for advanced setup
• Review Security Best Practices for production deployment
• Check Troubleshooting Guide for common issues