---
# Kyverno ClusterPolicy: validates every Pod against the Pod Security
# Standards "baseline" profile, with one exclusion declared under `exclude`.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa-2
spec:
  # Background scanning is on, so resources that already exist are
  # evaluated too, not only new admission requests.
  background: true
  # Enforce: a Pod that fails validation is rejected rather than only
  # being recorded in a report.
  validationFailureAction: Enforce
  rules:
    - name: baseline
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: baseline
          # `latest` is not a pinned profile version; the set of checks
          # can presumably change when Kyverno is upgraded. Pin a version
          # if the policy must be reproducible.
          version: latest
          exclude:
            # Exclusion from the "/proc Mount Type" control for containers
            # whose image matches an entry in `images`.
            # NOTE(review): `nginx` carries no registry, tag or digest, so
            # the exemption is keyed on a bare image name. Confirm how
            # Kyverno matches this string and scope it to the full image
            # reference the exemption is meant for.
            - controlName: "/proc Mount Type"
              images:
                - nginx
              # NOTE(review): `values` is given without `restrictedField`.
              # Kyverno's exclude schema pairs the two, so this policy may
              # be rejected at creation. "bar" also reads like a
              # placeholder; confirm whether this is a deliberate
              # negative-test fixture before reusing it.
              values:
                - "bar"