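---
# Kyverno policy (legacy kyverno.io/v1alpha1 API) used as a CLI test fixture.
# Every rule except check-registries is scoped to resources carrying the
# `cli: test` label; check-registries applies to all Deployments/StatefulSets.
apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
  name: policy-deployment
spec:
  rules:
    # Mutation: stamp a marker label and force imagePullPolicy for nginx images.
    - name: add-label
      resource:
        kinds:
          - Deployment
        selector:
          matchLabels:
            cli: test
      mutate:
        patches:
          # JSON Patch "add" creates the label or overwrites an existing value.
          # Label values must be strings, so "true" is quoted (a bare true
          # would parse as a boolean).
          - path: /metadata/labels/isMutated
            op: add
            value: "true"
        overlay:
          spec:
            template:
              spec:
                containers:
                  # Conditional anchor: only containers whose image matches
                  # *nginx* get imagePullPolicy set to Always. The glob is a
                  # substring match, so e.g. "nginx-exporter" is matched too.
                  - (image): "*nginx*"
                    imagePullPolicy: "Always"

    # Mutation: overwrite the app1 label.
    - name: add-label2
      resource:
        kinds:
          - Deployment
        selector:
          matchLabels:
            cli: test
      mutate:
        patches:
          # NOTE(review): JSON Patch "replace" requires the target path to
          # already exist; on a Deployment with no app1 label this patch fails.
          # Use "add" if add-or-overwrite semantics are intended (as add-label
          # and add-label3 do).
          - path: /metadata/labels/app1
            op: replace
            value: "nginx_is_mutated"

    # Mutation: add the app2 label (add-or-overwrite).
    - name: add-label3
      resource:
        kinds:
          - Deployment
        selector:
          matchLabels:
            cli: test
      mutate:
        patches:
          - path: /metadata/labels/app2
            op: add
            value: "nginx_is_mutated2"

    # Validation: any container whose image matches *nginx* must use
    # imagePullPolicy Always (the counterpart of the add-label overlay).
    - name: check-image
      resource:
        kinds:
          - Deployment
        selector:
          matchLabels:
            cli: test
      validate:
        message: "The imagePullPolicy must be Always when using image nginx"
        pattern:
          spec:
            template:
              spec:
                containers:
                  # Conditional anchor: the imagePullPolicy check only applies
                  # to containers whose image matches the glob.
                  - (image): "*nginx*"
                    imagePullPolicy: "Always"

    # Validation: restrict container images to an allowlist of registries.
    # No label selector, so this applies to every Deployment and StatefulSet.
    - name: check-registries
      resource:
        kinds:
          - Deployment
          - StatefulSet
      validate:
        message: "Registry is not allowed"
        pattern:
          spec:
            template:
              spec:
                # NOTE(review): only `containers` is checked here; initContainers
                # (or any other image-bearing field) are not covered by this
                # pattern and can still pull from an arbitrary registry.
                containers:
                  - name: "*"
                    # Allowed registries. Every alternative is anchored at the
                    # start of the image reference: a leading wildcard such as
                    # "*nirmata/*" would accept any image whose path merely
                    # contains "nirmata/" (e.g. evil.example.com/nirmata/app),
                    # defeating the allowlist. The glob is compared against the
                    # image string as written in the manifest, so the
                    # fully-qualified Docker Hub form is listed explicitly.
                    image: "nirmata/* | docker.io/nirmata/* | launcher.gcr.io/*"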