kyverno · villadalmine · Apr 3, 2025 · Oct 27, 2025
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ Anyone and everyone is welcome to write and contribute Kyverno policies! We have
 
 * Provide test resources (where possible) which allow your policy to be validated using the Kyverno CLI. See an example of a complete policy, resource, and test [here](https://github.com/kyverno/policies/tree/main/pod-security/baseline/disallow-capabilities). If unfamiliar with the Kyverno CLI and its test ability, please see the documentation [here](https://kyverno.io/docs/testing-policies/).
 
-* For `validate` rules, please set `validationFailureAction: Audit` so that should a user download and apply the policy without having a yet full understanding of Kyverno, it will not cause unintended harm to their environment by blocking resources.
+* For `validate` rules, please set `failureAction: Audit` so that should a user download and apply the policy without having a yet full understanding of Kyverno, it will not cause unintended harm to their environment by blocking resources.
 
 * String values do not need to be quoted nor do values which contain JMESPath expressions such as `{{request.operation}}`. The exception is if a field's value is *only* such an expression. In those cases, the JMESPath expression needs to be double quoted.
 
@@ -59,10 +59,11 @@ metadata:
     policies.kyverno.io/description: >-
       Adding capabilities beyond those listed in the policy must be disallowed.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: my-rule-name
+    validate:
+       failureAction: Audit
     match:
       any:
       - resources:

diff --git a/argo-cel/application-field-validation/application-field-validation.yaml b/argo-cel/application-field-validation/application-field-validation.yaml
@@ -15,7 +15,6 @@ metadata:
       Path or chart must be specified but never both. And destination.name or
       destination.server must be specified but never both.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: source-path-chart
@@ -28,6 +27,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           expressions:
             - expression: >-
@@ -48,6 +48,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           expressions:
             - expression: >-

diff --git a/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml b/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml
@@ -13,7 +13,6 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents the use of the default project in an Application.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: default-project
@@ -26,6 +25,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           expressions:
             - expression: "object.spec.?project.orValue('') != 'default'"

diff --git a/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml b/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml
@@ -12,7 +12,6 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents updates to the project field after an Application is created.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: project-updates
@@ -25,6 +24,7 @@ spec:
         - name: "operation-should-be-update"
           expression: "request.operation == 'UPDATE'"
       validate:
+        failureAction: Audit
         cel:  
           expressions:
             - expression: "object.spec.project == oldObject.spec.project"

diff --git a/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml b/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml
@@ -14,7 +14,6 @@ metadata:
       This policy ensures that the name of the ApplicationSet is the
       same value provided in the project.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: match-name
@@ -27,6 +26,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           expressions:
             - expression: "object.spec.template.spec.project == object.metadata.name"

diff --git a/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml b/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
@@ -17,7 +17,6 @@ metadata:
       enforce that all AppProjects specify clusterResourceBlacklist and that their group
       and kind have wildcards as values.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: has-wildcard-and-validate-clusterresourceblacklist
@@ -30,6 +29,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           expressions:
             - expression: "has(object.spec.clusterResourceBlacklist)"

diff --git a/argo/application-field-validation/application-field-validation.yaml b/argo/application-field-validation/application-field-validation.yaml
@@ -15,7 +15,6 @@ metadata:
       Path or chart must be specified but never both. And destination.name or
       destination.server must be specified but never both.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: source-path-chart
@@ -25,6 +24,7 @@ spec:
             kinds:
             - Application
       validate:
+        failureAction: Audit
         message: >-
           `spec.source.path` OR `spec.source.chart` should be specified but never both.
         anyPattern:
@@ -43,6 +43,7 @@ spec:
             kinds:
             - Application
       validate:
+        failureAction: Audit
         message: >-
           `spec.destination.server` OR `spec.destination.name` should be specified but never both.
         anyPattern:

diff --git a/argo/application-prevent-default-project/application-prevent-default-project.yaml b/argo/application-prevent-default-project/application-prevent-default-project.yaml
@@ -13,7 +13,6 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents the use of the default project in an Application.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: default-project
@@ -28,6 +27,7 @@ spec:
           operator: NotEquals
           value: DELETE
       validate:
+        failureAction: Audit
         message: "The default project may not be used in an Application."
         pattern:
           spec:

diff --git a/argo/application-prevent-updates-project/application-prevent-updates-project.yaml b/argo/application-prevent-updates-project/application-prevent-updates-project.yaml
@@ -13,7 +13,6 @@ metadata:
     policies.kyverno.io/description: >-
       This policy prevents updates to the project field after an Application is created.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: project-updates
@@ -28,6 +27,7 @@ spec:
           operator: Equals
           value: UPDATE
       validate:
+        failureAction: Audit
         message: "The spec.project cannot be changed once the Application is created."
         deny:
           conditions:

diff --git a/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml b/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml
@@ -14,7 +14,6 @@ metadata:
       This policy ensures that the name of the ApplicationSet is the
       same value provided in the project.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: match-name
@@ -29,6 +28,7 @@ spec:
           operator: NotEquals
           value: DELETE
       validate:
+        failureAction: Audit
         message: "The name must match the project."
         pattern:
           spec:

diff --git a/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml b/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
@@ -17,7 +17,6 @@ metadata:
       enforce that all AppProjects specify clusterResourceBlacklist and that their group
       and kind have wildcards as values.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: has-wildcard
@@ -32,6 +31,7 @@ spec:
           operator: AnyIn
           value: ["CREATE", "UPDATE"]
       validate:
+        failureAction: Audit
         message: "Wildcards must be present in group and kind for clusterResourceBlacklist."
         foreach:
         - list: "request.object.spec.clusterResourceBlacklist"
@@ -56,6 +56,7 @@ spec:
           operator: AnyIn
           value: ["CREATE", "UPDATE"]
       validate:
+        failureAction: Audit
         message: "AppProject must specify clusterResourceBlacklist."
         deny:
           conditions:

diff --git a/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
@@ -15,7 +15,6 @@ metadata:
       that Services of type LoadBalancer contain the annotation
       service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: aws-loadbalancer-has-ssl-cert
@@ -31,6 +30,7 @@ spec:
       - name: "type-should-be-load-balancer"
         expression: "object.spec.type == 'LoadBalancer'"
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: >-

diff --git a/aws/require-aws-node-irsa/require-aws-node-irsa.yaml b/aws/require-aws-node-irsa/require-aws-node-irsa.yaml
@@ -19,7 +19,6 @@ metadata:
       the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet
       running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-node-daemonset-irsa
@@ -33,6 +32,7 @@ spec:
           namespaces:
           - kube-system
     validate:
+      failureAction: Audit
       message: "Update the aws-node daemonset to use IRSA."
       pattern:
         spec:

diff --git a/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
@@ -16,7 +16,6 @@ metadata:
       that Services of type LoadBalancer contain the annotation
       service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: aws-loadbalancer-has-ssl-cert
@@ -26,6 +25,7 @@ spec:
           kinds:
           - Service
     validate:
+      failureAction: Audit
       message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
       pattern:
         metadata:

diff --git a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
@@ -16,7 +16,6 @@ metadata:
       ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25
       so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-v1-25-removals
@@ -35,6 +34,7 @@ spec:
       - name: "allowed-api-versions"
         expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']"
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: "false"
@@ -53,6 +53,7 @@ spec:
       - name: "allowed-api-versions"
         expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']"
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: "false"
@@ -69,6 +70,7 @@ spec:
       - name: "allowed-api-versions"
         expression: "object.apiVersion in ['storage.k8s.io/v1beta1']"
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: "false"
@@ -86,6 +88,7 @@ spec:
       - name: "object.apiVersion"
         expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']"
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: "false"

diff --git a/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
@@ -17,7 +17,6 @@ metadata:
       to or replacement of this policy, preventing users from mounting the parent directories
       (/var/run and /var) may be necessary to completely prevent socket bind mounts.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-socket-mounts
@@ -30,6 +29,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Audit
       cel:
         variables:
           - name: hasVolumes

diff --git a/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml b/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml
@@ -19,7 +19,6 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-namespace
@@ -32,6 +31,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: "namespaceObject.metadata.name != 'default'"
@@ -49,6 +49,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: "namespaceObject.metadata.name != 'default'"

diff --git a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml b/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
@@ -14,7 +14,6 @@ metadata:
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: Audit
   background: false
   rules:
     - name: disallow-empty-ingress-host
@@ -27,6 +26,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           expressions:
             - expression: >-

diff --git a/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml
@@ -16,7 +16,6 @@ metadata:
       Tiller for these reasons. This policy validates that there is not an image
       containing the name `tiller`.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: validate-helm-tiller
@@ -29,6 +28,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           expressions:
             - expression: "object.spec.containers.all(container, !container.image.contains('tiller'))"

diff --git a/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml
@@ -15,7 +15,6 @@ metadata:
       a specific version of an application Pod. This policy validates that the image
       specifies a tag and that it is not called `latest`.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: require-and-validate-image-tag
@@ -28,6 +27,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Audit
       cel:
         expressions:
           - expression: "object.spec.containers.all(container, container.image.contains(':'))"

diff --git a/best-practices-cel/require-drop-all/require-drop-all.yaml b/best-practices-cel/require-drop-all/require-drop-all.yaml
@@ -16,7 +16,6 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: require-drop-all
@@ -29,6 +28,7 @@ spec:
             - CREATE
             - UPDATE
       validate:
+        failureAction: Audit
         cel:
           variables:
             - name: allContainers