A pod is running in a namespace that has a Kyverno policy requiring all images to come from a trusted registry. The pod is using an image from an untrusted registry. What will happen when the pod is created?
Kyverno acts as an admission webhook and denies the request if the policy is violated.
Why this answer
Kyverno policies are enforced as admission webhooks. If the policy denies the pod, the creation is rejected. The pod will not be created, and an error message is returned to the user.