---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: image-pull-policy
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Deployment
    name: image-pull-policy
    validate:
      message: Image tag ':latest' requires imagePullPolicy 'Always'
      pattern:
        spec:
          template:
            spec:
              containers:
              - (image): '*latest'
                imagePullPolicy: Always
  validationFailureAction: Audit