apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
  name: policy-network-policy
spec:
  rules:
    - name: np1
      match:
        resources:
          kinds :
          - NetworkPolicy
          selector:
            matchLabels:
              originalLabel: isHere
      mutate:
        patches:
        - path: "/metadata/labels/isMutated"
          op: add
          value: "true"
        - path : "/spec/ingress/0/from/0/ipBlock/cidr"
          op : replace
          value: "172.17.128.0/17"
      validate:
        message: "This network policy does not meet security criteria"
        pattern:
          spec:
            ingress:
            - from:
              - ipBlock:
                  except:
                  - 172.17.129.0/24