Kyverno annotations

This page is a list of annotations reserved for Kyverno system use.

Policy Classification Annotations

These annotations are used to classify sample policies primarily for use by the Kyverno website and, more specifically, the filtering logic on the policies page.

• policies.kyverno.io/title

  • (Optional) The title of the policy for documentation page rendering. It's a good idea to include this and not rely on the rendering ability.

• policies.kyverno.io/category

  • Category the policy fits in. Unless the policy applies to a community or "external" Kubernetes project, use other.

• policies.kyverno.io/subject

  • The focus of the policy. For example, Pod or Ingress or a CustomResource like ClusterIssuer. The subject is the "thing" on which the policy operates. For multiple, use a comma-separated string like Pod, Deployment.

• policies.kyverno.io/minversion

  • Minimum version of Kyverno where this policy works. Note that this isn't the version of Kyverno where it was developed or tested but the minimum version of Kyverno where it's supported. If unknown, omit.

• policies.kyverno.io/description

  • Description of the policy. Should state two things: 1) Why such a policy is valuable and 2) what this specific policy does.

• kyverno.io/kyverno-version

  • Version(s) of Kyverno against which the policy should work.

• kyverno.io/kubernetes-version

  • Version(s) of Kubernetes against which the policy should work. Value should ideally be a range of versions no more than two prior (ex., 1.19-1.21) and must be enclosed in quotes.

Policy Report Annotations

• policies.kyverno.io/severity
  • Sets the severity in a policy report.

Functional Annotations

These annotations Kyverno uses internally for some logic.

• pod-policies.kyverno.io/autogen-controllers
  • Sets the Kubernetes controllers which should be applied to the rule. See the documentation for details.