apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: image-pull-policy
spec:
  rules:
  - name: image-pull-policy
    match:
      resources:
        kinds:
        - Deployment
    validate:
      message: "Image tag ':latest' requires imagePullPolicy 'Always'"
      pattern:
        spec:
          template:
            spec:
              containers:
              # select images which end with :latest
              - (image): "*latest"
                # require that the imagePullPolicy is "Always"  
                imagePullPolicy: Always