title: Phase 3: Policy Rollout Strategy description: >- Policy rollout strategy for runtime enforcement. Audit-first approach, violation monitoring, phased enforcement, and metrics tracking for safe Kyverno deployment. tags: - rollout - audit - deployment - monitoring - kyverno
Phase 3: Policy Rollout Strategy¶
Deploy policies safely with audit-first approach.
Audit Before Enforce
Always deploy policies in Audit mode first. Monitor violations for 1 week. Fix violations. Then switch to Enforce mode.
Rollout Phases¶
Week 1: Audit Mode¶
Monitor violations:
Week 2: Fix Violations¶
Address all policy violations identified in Week 1:
# Example: Add resource limits to all deployments
kubectl set resources deployment nginx -n production \
--limits=cpu=200m,memory=512Mi \
--requests=cpu=100m,memory=256Mi
Week 3: Enforce Mode¶
Verify enforcement:
Week 4: Monitor and Tune¶
Track policy effectiveness:
# Check policy reports
kubectl get clusterpolicyreport -o wide
# Export metrics for dashboard
kubectl get policyreport -A -o json | \
jq '[.items[] | {namespace: .metadata.namespace, pass: .summary.pass, fail: .summary.fail}]'
Metrics to Track¶
Policy Enforcement:
- Number of pods blocked by resource limit policy
- Number of pods blocked by image source policy
- Number of pods blocked by security context policy
- Policy violation rate by namespace
Compliance Posture:
- Percentage of pods with resource limits
- Percentage of images from approved registries
- Percentage of pods with secure security context
- Policy Reporter pass/fail ratio
Target Metrics
- Resource limits: 100% of pods
- Approved registries: 100% of images
- Secure context: 100% of pods
- Policy violation rate: < 1% after enforcement
Related Patterns¶
- Policy Enforcement - Core runtime policies
- Advanced Policies - Extended controls
- Phase 3 Overview → - Runtime phase summary
Audit mode deployed. Violations fixed. Enforce mode enabled. Metrics tracked. Rollout complete.