---
title: "Usage"
description: "Real-world scenarios and user stories for Kyverno MCP"
diataxis: how-to
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/controllers/n4k/kyverno-mcp/usage/
---


## Overview

Kyverno MCP serves two primary use cases that address different stages of the Kubernetes policy management lifecycle. Whether you're proactively assessing cluster security or monitoring existing policy deployments, these scenarios demonstrate how to leverage Kyverno MCP effectively.

## Scenario 1: Proactive Assessment

In this scenario, Kyverno is not installed on your clusters. You can use the Kyverno MCP server to scan cluster resources with recommended or custom policy sets.

### The Challenge

*"As a DevOps engineer, I want to scan my Kubernetes clusters for policy violations and assess their security posture without needing to install Kyverno or deploy policies to the cluster."*

Organizations often need to:
- Evaluate security risks in existing clusters
- Understand policy implications before deployment
- Establish baseline security requirements
- Get guidance on Kyverno installation and configuration

### How Kyverno MCP Helps

#### 1. **Policy Scanning and Assessment**
Test cluster resources against curated policy sets to discover potential security issues:

```text
Apply pod security policies to my development cluster
```text

This command will:
- Scan existing cluster resources against security policies using `kyverno apply`
- Identify resources that would violate the [Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Provide immediate, non-persistent violation reports to stdout
- Work without requiring Kyverno to be installed in the cluster

#### 2. **Multi-Environment Evaluation**
Scan security posture across different environments:

```text
Switch to staging-cluster and scan my cluster for default policies violations
```text

#### 3. **Installation Guidance**
Get contextual guidance for Kyverno deployment:

```text
Show me how to install Kyverno in my cluster
```text

### Benefits
- **Risk-free scanning**: Test policies against existing resources without affecting running workloads
- **No infrastructure changes**: Scan clusters without installing Kyverno or deploying policies
- **Informed decisions**: Understand policy impact before committing to actual deployment
- **Guided implementation**: Get step-by-step installation guidance for full policy enforcement
- **Baseline establishment**: Create security standards across environments

### Example Workflow

1. **Initial Assessment**
   ```
   List my available Kubernetes contexts
   ```

2. **Environment Selection**
   ```
   Switch to development-cluster
   ```

3. **Policy Scanning and Impact Analysis**
   ```
   Scan my cluster for default policies violations
   ```

4. **Implementation Planning**
   ```
   Show me how to install Kyverno and deploy policies for enforcement
   ```

### Moving from Scanning to Enforcement

After using the MCP tool to scan your cluster and understand policy violations, actual policy deployment requires:

1. **Install Kyverno** in your cluster (using [Kyverno Installation](https://kyverno.io/docs/installation/))
2. **Deploy policies** using standard Kubectl apply command ([kubectl apply](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_apply/))
3. **Monitor violations** using the `show_violations` tool to read PolicyReport custom resources ([PolicyReport](https://kyverno.io/docs/policy-reports/))

>NOTE: The MCP tool provides scanning capabilities but does not deploy policies to your cluster. Policy deployment is handled through standard Kubernetes deployment methods.

## Scenario 2: Compliance Monitoring & Violation Analysis

In this scenario, Kyverno is installed on your clusters, along with one or more policy sets. You can use the Kyverno MCP server to manage policy violations.

### The Challenge

*"As a security engineer, I want to monitor compliance across my Kubernetes clusters that already have Kyverno installed and policies deployed, and get current violation reports from PolicyReport resources."*

Security teams need to:
- Monitor ongoing policy compliance
- Quickly identify and prioritize violations
- Generate compliance reports
- View current security posture

### Prerequisites for This Scenario
- Kyverno installed in the cluster
- Policies deployed using `kubectl apply -f <policy.yaml>`
- PolicyReport custom resources being generated by deployed policies

### How Kyverno MCP Helps

#### 1. **Current Violation Monitoring**
Read PolicyReport custom resources to get visibility into active policy violations:

```text
Show me all policy violations in the production namespace
```

This provides:
- **Detailed violation information**: Policy name, affected resource, severity level from PolicyReport CRs
- **Contextual data**: Namespace, timestamps, and descriptive messages
- **Prioritized results**: Violations grouped by severity (high, medium, low)
- **Current state snapshot**: Shows violations as they exist now in the cluster

**Note**: The tool provides current violation snapshots only. It does not:
- Track historical violation trends over time
- Show which policy set (e.g., kubernetes-best-practices) violations belong to
- Provide aggregation by namespace or other dimensions
- Access PolicyReport creation metadata

#### 2. **Filtered Analysis**
Focus on specific areas of concern:

```text
Show me high-severity violations in the production namespace
```

#### 3. **Multi-Cluster Compliance**
Monitor compliance across multiple environments:

```text
Compare policy violations between staging and production clusters
```

### Benefits
- **Immediate visibility**: Real-time access to current violation data
- **Actionable insights**: Detailed information for remediation
- **Current state monitoring**: View existing policy violations
- **Efficient prioritization**: Focus on high-impact violations first

### Example Workflow

1. **Daily Compliance Check**
   ```
   Show me all policy violations in the cluster
   ```

2. **Priority Assessment**
   ```
   Show me all high-severity violations
   ```

3. **Namespace-Specific Analysis**
   ```
   Show policy violations in the production namespace
   ```

4. **Cross-Environment Comparison**
   ```
   Switch to staging-cluster and show me policy violations
   ```

5. **Policy-Specific Violations**
   ```
   Show me violations for the require-resource-limits policy
   ```

### Sample Violation Report

```json
{
  "violations": [
    {
      "policy": "disallow-privileged-containers",
      "resource": "pod/webapp-xyz",
      "namespace": "production",
      "severity": "high",
      "message": "Privileged containers are not allowed",
      "timestamp": "2024-01-15T10:30:00Z"
    },
    {
      "policy": "require-resource-limits",
      "resource": "deployment/backend",
      "namespace": "staging",
      "severity": "medium",
      "message": "Container 'api' does not have resource limits set"
    }
  ],
  "summary": {
    "total": 2,
    "high": 1,
    "medium": 1,
    "low": 0
  }
}
```

## Advanced Scenarios

### Multi-Cluster Security Governance

**Scenario**: Managing security policies across development, staging, and production environments.

```text


### Policy Impact Assessment

**Scenario**: Understanding the impact of new policies before enforcement.

```text

## Best Practices

### 1. **Start with Assessment**
Always begin with a security assessment before applying policies:
```text
Show me existing policy violations in my cluster
```

### 2. **Test Policy Impact**
Test policies to understand their impact on existing resources:
```text
Apply pod security policies to explain their impact
```

### 3. **Context Awareness**
Always verify the current context:
```text

## Integration with Existing Workflows

### DevOps Integration
- **Pre-deployment checks**: Assess security before new deployments
- **Policy validation**: Test policies in development environments
- **Compliance gates**: Integrate with CI/CD pipelines

### Security Operations
- **Daily monitoring**: Regular violation checks
- **Incident response**: Quick identification of security issues
- **Audit preparation**: Generate compliance reports

### Platform Engineering
- **Cluster standardization**: Consistent security policies across environments
- **Developer guidance**: Provide security best practices
- **Policy evolution**: Continuous improvement of security posture

## Next Steps

- Learn about [Available Tools](available-tools.md) for detailed tool documentation
- Explore [Configuration Options](configuration.md) for advanced setup
- Review [Security Best Practices](#best-practices) for production deployment
- Check [Troubleshooting Guide](troubleshooting.md) for common issues