kyverno
A Skill that uses YAML-format policies to enforce security policies, auto-configure resources, and maintain compliance in Kubernetes environments, reducing the burden on developers.
📜 Original English description (reference)
Expert guidance for Kyverno, the Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies (no Rego required). Helps developers enforce security policies, automate resource defaults, and ensure compliance across Kubernetes clusters.
🇯🇵 Commentary for Japanese creators
※ Supplementary commentary by the jpskill.com editorial team for Japanese business settings. It is reference information independent of the Skill's actual behavior.
Copy the command below and paste it into a terminal (Mac/Linux) or PowerShell (Windows). Download → unzip → placement is fully automatic.
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o kyverno.zip https://jpskill.com/download/15049.zip && unzip -o kyverno.zip && rm kyverno.zip
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/15049.zip -OutFile "$d\kyverno.zip"; Expand-Archive "$d\kyverno.zip" -DestinationPath $d -Force; ri "$d\kyverno.zip"
Both commands extract with overwrite (`unzip -o` / `Expand-Archive -Force`), so any files of the same name already under `.claude/skills` are replaced. When it finishes, restart Claude Code → just ask for something in this area in plain language and the Skill triggers automatically.
💾 Manual download (for those who find the commands difficult)
- 1. Press the blue button below to download kyverno.zip
- 2. Double-click the ZIP file to unzip it → a kyverno folder is created
- 3. Move that folder to C:\Users\<your name>\.claude\skills\ (Windows) or ~/.claude/skills/ (Mac)
- 4. Restart Claude Code
⚠️ Download and use at your own risk. This site accepts no responsibility for the content, operation, or safety.
🎯 What this Skill can do
Reading the description below tells you what this Skill will do for you. It triggers automatically when you ask Claude for something in this area.
📦 Installation (3 steps)
- 1. Press the "Download" button above to get the .skill file
- 2. Rename the extension from .skill to .zip and extract it (macOS can extract it automatically)
- 3. Place the extracted folder under .claude/skills/ in your home folder
  · macOS / Linux: ~/.claude/skills/
  · Windows: %USERPROFILE%\.claude\skills\
Restart Claude Code and you are done. You do not need to say "use this Skill…"; it is invoked automatically for related requests.
- Last updated: 2026-05-18
- Retrieved: 2026-05-18
- Bundled files: 1
📖 Skill body (original SKILL.md)
Kyverno — Kubernetes Native Policy Engine
Overview
Kyverno is the Kubernetes-native policy engine that validates, mutates, and generates resources using YAML policies (no Rego required). It helps developers enforce security policies, automate resource defaults, and ensure compliance across Kubernetes clusters.
Instructions
Validation Policies
# Require resource limits on all containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
  annotations:
    policies.kyverno.io/title: Require Resource Limits
    policies.kyverno.io/severity: medium
spec:
  validationFailureAction: Enforce   # Block non-compliant resources
  background: true                   # Also report existing resources that violate the rule
  rules:
    - name: check-resource-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "All containers must have CPU and memory limits set."
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"     # "?*" = any non-empty value
                    cpu: "?*"
---
# Disallow privileged containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-privileged
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            # A plain `privileged: "!true"` would reject every Pod that does not set
            # securityContext at all, because a field missing from the resource never
            # matches a pattern value. The =() conditional anchors check the field only
            # when it is present. Init and ephemeral containers can be privileged too.
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# Disallow latest tag
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
    # An image with no tag at all ("nginx") also resolves to :latest, and
    # "!*:latest" alone lets it through, so require a tag first.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: no-latest
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Using 'latest' tag is not allowed. Pin to a specific version."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
---
# Require labels
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-labels
      match:
        any:
          - resources:
              kinds: ["Deployment", "StatefulSet"]
      validate:
        message: "Resources must have 'team' and 'app' labels."
        pattern:
          metadata:
            labels:
              team: "?*"
              app: "?*"
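The validation patterns above rely on how Kyverno walks a `pattern` against the resource: a key present in the pattern but absent from the resource is a violation unless it is wrapped in a `=()` conditional anchor, every element of a resource list is checked against the single pattern element, and string patterns support `*`, `?`, `?*` (any non-empty value) and a leading `!` (negation). The Python below is an added example, not Kyverno's engine and not part of the skill: a deliberately small model of those rules, enough to show why a naive `privileged: "!true"` rejects every Pod that never sets `securityContext`, why the conditional-anchor form `=(securityContext): =(privileged): "false"` (the form Kyverno's own policy library uses) does not, and why `image: "!*:latest"` alone lets an untagged image such as `nginx` through. The Pod specs are constructed for the example.

```python
"""Minimal model of Kyverno validate-pattern matching (added example; not Kyverno's engine)."""
from fnmatch import fnmatchcase
from typing import Any, Optional


def value_matches(pattern: str, value: Any) -> bool:
    """Match one scalar against a Kyverno-style string pattern.

    Covers the subset used by the policies on this page: '*' and '?' wildcards,
    '?*' (any non-empty value), 'a | b' alternatives and a leading '!' negation.
    """
    if pattern.startswith("!"):
        return not value_matches(pattern[1:], value)
    if "|" in pattern:
        return any(value_matches(alt.strip(), value) for alt in pattern.split("|"))
    text = ("true" if value else "false") if isinstance(value, bool) else str(value)
    return fnmatchcase(text, pattern)


def check(pattern: Any, resource: Any, path: str = "") -> Optional[str]:
    """Return None when `resource` satisfies `pattern`, else the path of the first violation."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return path or "/"
        for key, sub in pattern.items():
            conditional = key.startswith("=(") and key.endswith(")")
            name = key[2:-1] if conditional else key
            here = f"{path}/{name}"
            if name not in resource:
                if conditional:
                    continue      # =() anchor: the field is only checked when present
                return here       # plain key: a missing field is a violation
            bad = check(sub, resource[name], here)
            if bad:
                return bad
        return None
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return path or "/"
        # Every element of the resource list must satisfy the (single) pattern element.
        for i, item in enumerate(resource):
            for sub in pattern:
                bad = check(sub, item, f"{path}[{i}]")
                if bad:
                    return bad
        return None
    # YAML booleans in a pattern compare as "true"/"false", like Kyverno's string comparison.
    pat = ("true" if pattern else "false") if isinstance(pattern, bool) else str(pattern)
    return None if value_matches(pat, resource) else (path or "/")


# Patterns under test: the naive negation beside the conditional-anchor form.
NAIVE_PRIVILEGED = {"spec": {"containers": [{"securityContext": {"privileged": "!true"}}]}}
ANCHORED_PRIVILEGED = {"spec": {"containers": [{"=(securityContext)": {"=(privileged)": "false"}}]}}
NO_LATEST = {"spec": {"containers": [{"image": "!*:latest"}]}}
REQUIRE_TAG = {"spec": {"containers": [{"image": "*:*"}]}}
REQUIRE_LIMITS = {"spec": {"containers": [{"resources": {"limits": {"memory": "?*", "cpu": "?*"}}}]}}


def sample_pod(image: str, **security_context: Any) -> dict:
    """Constructed one-container Pod for the demonstration (not from the page)."""
    container: dict = {"name": "app", "image": image}
    if security_context:
        container["securityContext"] = security_context
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "sample"}, "spec": {"containers": [container]}}


def demo() -> dict:
    """Run each pattern against representative Pods; values are None (pass) or a violation path."""
    plain = sample_pod("nginx:1.25.3")
    privileged = sample_pod("nginx:1.25.3", privileged=True)
    untagged = sample_pod("nginx")
    return {
        "naive rejects a Pod with no securityContext": check(NAIVE_PRIVILEGED, plain),
        "anchored accepts it": check(ANCHORED_PRIVILEGED, plain),
        "anchored still catches privileged=true": check(ANCHORED_PRIVILEGED, privileged),
        "!*:latest misses an untagged image": check(NO_LATEST, untagged),
        "*:* catches it": check(REQUIRE_TAG, untagged),
        "!*:latest catches an explicit :latest": check(NO_LATEST, sample_pod("nginx:latest")),
        "?* requires limits": check(REQUIRE_LIMITS, plain),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'pass' if result is None else 'violation at ' + result}")
```

Before trusting a pattern in Enforce mode, run it against a Pod that omits the field entirely, one that sets it to the forbidden value and one that sets it to the allowed value; that is the same trio a `kyverno test` fixture for the rule should cover.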
Mutation Policies
# Auto-add security defaults to all pods
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-security-defaults
spec:
  rules:
    - name: add-run-as-nonroot
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              # Written unconditionally: an image whose entrypoint runs as UID 0 will then
              # fail at container start, so roll this out in a staging cluster first.
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
            containers:
              - (name): "*"      # conditional anchor: apply to every container, whatever its name
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop: ["ALL"]
---
# Auto-add resource defaults if not specified
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resources
spec:
  rules:
    - name: set-default-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                resources:
                  limits:
                    +(memory): "512Mi"   # + means only add if not set
                    +(cpu): "500m"
                  requests:
                    +(memory): "256Mi"
                    +(cpu): "100m"
---
# Auto-add image pull secrets
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pull-secret
spec:
  rules:
    - name: add-registry-secret
      match:
        any:
          - resources:
              kinds: ["Pod"]
      preconditions:
        all:
          # Only Pods pulling from these registries get the secret injected
          - key: "{{ request.object.spec.containers[].image }}"
            operator: AnyIn
            value: ["ghcr.io/*", "myregistry.com/*"]
      mutate:
        patchStrategicMerge:
          spec:
            imagePullSecrets:
              # The Secret must already exist in the Pod's namespace; a generate rule
              # with `clone` can copy it from a central namespace.
              - name: registry-credentials
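Mutation with `patchStrategicMerge` follows a second set of rules the YAML above uses implicitly: a key without an anchor is written (overwriting any existing value), `+(key)` writes only when the key is absent, and a `(name): "*"` conditional anchor inside a list selects which existing elements to patch without itself being written. The Python below is an added example, not Kyverno's implementation and not part of the skill. It models those three rules plus Kubernetes-style merging of lists by `name`, then applies the three mutation policies above to a constructed two-container Pod: the container that already declares a memory limit keeps it, the other receives the full set of defaults, and the existing `imagePullSecrets` entry survives. Scalar lists such as `capabilities.drop` are replaced outright in this model, an assumption to confirm for any given field with `kyverno apply`.

```python
"""Minimal model of Kyverno patchStrategicMerge anchors (added example; not Kyverno's code)."""
import copy
from fnmatch import fnmatchcase
from typing import Any, Tuple


def anchor(key: str) -> Tuple[str, str]:
    """Classify a patch key: ('add', x) for '+(x)', ('cond', x) for '(x)', ('set', x) otherwise."""
    if key.startswith("+(") and key.endswith(")"):
        return "add", key[2:-1]
    if key.startswith("(") and key.endswith(")"):
        return "cond", key[1:-1]
    return "set", key


def merge(patch: Any, target: Any) -> Any:
    """Apply `patch` to `target` and return the result; `target` itself is never modified."""
    if isinstance(patch, dict):
        out = copy.deepcopy(target) if isinstance(target, dict) else {}
        for key, value in patch.items():
            kind, name = anchor(key)
            if kind == "cond":
                continue                        # (name): "*" selects elements; it is never written
            if kind == "add" and name in out:
                continue                        # +() anchor: keep the value the author set
            out[name] = merge(value, out.get(name))
        return out
    if isinstance(patch, list):
        if not all(isinstance(e, dict) for e in patch):
            return copy.deepcopy(patch)         # scalar lists (e.g. capabilities.drop): replace
        out = copy.deepcopy(target) if isinstance(target, list) else []
        for elem in patch:
            selectors = {anchor(k)[1]: v for k, v in elem.items() if anchor(k)[0] == "cond"}
            if selectors:
                # Conditional anchors: patch every existing element whose fields match the globs.
                out = [merge(elem, item) if isinstance(item, dict) and all(
                       fnmatchcase(str(item.get(f, "")), str(g)) for f, g in selectors.items())
                       else item for item in out]
            elif "name" in elem and any(isinstance(i, dict) and i.get("name") == elem["name"] for i in out):
                # Kubernetes merge key: an element with the same name is merged in place.
                out = [merge(elem, item) if isinstance(item, dict) and item.get("name") == elem["name"]
                       else item for item in out]
            else:
                out.append(copy.deepcopy(elem))  # no match: append (e.g. a new imagePullSecret)
        return out
    return copy.deepcopy(patch)


# The page's three mutation policies, reduced to the patchStrategicMerge bodies they contain.
ADD_SECURITY_DEFAULTS = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"(name)": "*", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
ADD_DEFAULT_RESOURCES = {"spec": {"containers": [{"(name)": "*", "resources": {
    "limits": {"+(memory)": "512Mi", "+(cpu)": "500m"},
    "requests": {"+(memory)": "256Mi", "+(cpu)": "100m"}}}]}}
ADD_PULL_SECRET = {"spec": {"imagePullSecrets": [{"name": "registry-credentials"}]}}

# Constructed input Pod (not from the page): "api" already sets a memory limit and an
# explicit capability list; "sidecar" sets nothing at all.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": {
    "imagePullSecrets": [{"name": "existing-secret"}],
    "containers": [
        {"name": "api", "image": "ghcr.io/example/api:1.4.2",
         "resources": {"limits": {"memory": "1Gi"}},
         "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
        {"name": "sidecar", "image": "ghcr.io/example/proxy:2.0.0"},
    ]}}


def mutate(pod: dict) -> dict:
    """Apply the three policies in sequence, as the admission webhook does before validation runs."""
    for policy in (ADD_SECURITY_DEFAULTS, ADD_DEFAULT_RESOURCES, ADD_PULL_SECRET):
        pod = merge(policy, pod)
    return pod


if __name__ == "__main__":
    import json
    print(json.dumps(mutate(SAMPLE_POD)["spec"], indent=2))
```

Because Kyverno mutates before it validates, defaults injected this way are what the validation policies in the previous section see; a Pod that omitted limits entirely passes `require-resource-limits` only because `add-default-resources` ran first, which is worth remembering when a validation policy appears to "stop working" after a mutation policy is removed.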
Generation Policies
# Auto-create NetworkPolicy for every new namespace
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-default-networkpolicy
spec:
  rules:
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      generate:
        # Keep the generated object in sync with this policy: manual edits are reverted
        # and the object is removed when the rule or policy is deleted.
        synchronize: true
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{ request.object.metadata.name }}"
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
---
# Auto-create ResourceQuota for namespaces
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-quota
spec:
  rules:
    - name: default-quota
      match:
        any:
          - resources:
              kinds: ["Namespace"]
      exclude:
        any:
          - resources:
              namespaces: ["kube-system", "kyverno"]
      generate:
        apiVersion: v1
        kind: ResourceQuota
        name: default-quota
        namespace: "{{ request.object.metadata.name }}"
        data:
          spec:
            hard:
              requests.cpu: "4"
              requests.memory: "8Gi"
              limits.cpu: "8"
              limits.memory: "16Gi"
              pods: "50"
Verify Image Signatures
# Enforce cosign signature verification
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30   # signature lookups call the registry and Rekor; allow more than the default
  rules:
    - name: verify-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          attestors:
            - entries:
                - keyless:
                    # subject is the workflow identity carried in the GitHub Actions OIDC
                    # token; narrow the glob to the repositories/workflows allowed to publish
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"
Installation
# Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
# Install policy library
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security/...
# CLI (for testing policies locally)
brew install kyverno
kyverno apply policy.yaml --resource pod.yaml
Examples
Example 1: Setting up Kyverno for a microservices project
User request:
I have a Node.js API and a React frontend running in Docker. Set up Kyverno for monitoring/deployment.
The agent creates the necessary policy files starting from the patterns above (for example the require-resource-limits validation policy), wires them into the existing Docker-based setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.
Example 2: Troubleshooting mutation policies issues
User request:
Kyverno is showing errors in our mutation policies. Here are the logs: [error output]
The agent analyzes the error output, identifies the root cause by cross-referencing with common Kyverno issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.
Guidelines
- YAML, not Rego — Kyverno policies are pure YAML; lower barrier to entry than OPA/Gatekeeper for Kubernetes teams
- Audit before enforce — Start with validationFailureAction: Audit to see violations without blocking; switch to Enforce once clean
- Mutate for defaults — Use mutation policies to inject security defaults; developers don't need to remember boilerplate
- Generate for consistency — Auto-create NetworkPolicies, ResourceQuotas, and RBAC for every namespace
- Image verification — Enforce cosign signature verification; prevent unsigned images from running in the cluster
- Policy library — Start with Kyverno's policy library (kyverno.io/policies); covers Pod Security Standards, best practices, and compliance
- Test with CLI — Use kyverno apply and kyverno test locally before deploying policies to the cluster
- Exceptions — Scope legitimate exceptions with a rule-level exclude block or a PolicyException resource rather than loosening the rule itself; record the reason in the policy's annotations (for example policies.kyverno.io/description)
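The Installation section and the "Test with CLI" guideline name `kyverno apply` and `kyverno test` but show neither a test file nor what a fixture looks like. The Python below is an added example, not part of the skill: it writes a policy (the conditional-anchor disallow-privileged rule), two constructed Pods and a `cli.kyverno.io/v1alpha1` Test manifest into a scratch directory and runs `kyverno test` on it when the CLI is on PATH (it returns None otherwise, so the fixture can still be inspected by hand). The resource names, file names and the expected pass/fail verdicts are assumptions for the example; check `kyverno test --help` for the Test schema of the CLI version you run.

```python
"""Local policy testing with the Kyverno CLI (added example; not part of the skill).

Writes a policy, two sample Pods and a cli.kyverno.io/v1alpha1 Test manifest to a
scratch directory, then runs `kyverno test` on it when the CLI is installed.
"""
import json
import os
import shutil
import subprocess
import tempfile
from typing import Dict, Optional

POLICY = """\
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-privileged
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            containers:
              - =(securityContext):
                  =(privileged): "false"
"""

# Constructed sample resources: one compliant Pod, one that must be rejected.
RESOURCES = """\
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
spec:
  containers:
    - name: app
      image: ghcr.io/example/app:1.2.3
---
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: app
      image: ghcr.io/example/app:1.2.3
      securityContext:
        privileged: true
"""


def build_test_manifest(policy: str, rule: str, expectations: Dict[str, str]) -> dict:
    """Build a Kyverno CLI Test object; `expectations` maps Pod name -> 'pass' | 'fail' | 'skip'."""
    return {
        "apiVersion": "cli.kyverno.io/v1alpha1",
        "kind": "Test",
        "metadata": {"name": f"{policy}-test"},
        "policies": ["policy.yaml"],
        "resources": ["resources.yaml"],
        "results": [
            {"policy": policy, "rule": rule, "kind": "Pod", "resources": [name], "result": verdict}
            for name, verdict in expectations.items()
        ],
    }


def write_fixture(directory: str) -> str:
    """Write policy.yaml, resources.yaml and kyverno-test.yaml into `directory`; return the test path."""
    manifest = build_test_manifest("disallow-privileged", "no-privileged",
                                   {"good-pod": "pass", "privileged-pod": "fail"})
    with open(os.path.join(directory, "policy.yaml"), "w") as f:
        f.write(POLICY)
    with open(os.path.join(directory, "resources.yaml"), "w") as f:
        f.write(RESOURCES)
    path = os.path.join(directory, "kyverno-test.yaml")
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)       # JSON is valid YAML, so no extra dependency needed
    return path


def run_kyverno_test(directory: str) -> Optional[subprocess.CompletedProcess]:
    """Run `kyverno test <dir>`; return the CompletedProcess, or None when the CLI is not installed."""
    if shutil.which("kyverno") is None:
        return None
    return subprocess.run(["kyverno", "test", directory], capture_output=True, text=True)


if __name__ == "__main__":
    scratch = tempfile.mkdtemp(prefix="kyverno-")
    write_fixture(scratch)
    result = run_kyverno_test(scratch)
    print(result.stdout if result else f"kyverno CLI not found; fixture written to {scratch}")
```

Keep such fixtures next to the policies in version control and run `kyverno test` in CI: a rule that silently stops rejecting the "fail" case (for example after an anchor is edited) then breaks the pipeline instead of the cluster.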