apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  name: "demo-policy.example.com"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:   ["apps"]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["deployments"]
  validations:
    - expression: "object.spec.template.spec.containers.all(container, !container.image.contains('latest'))"
      message: "Using a mutable image tag e.g. 'latest' is not allowed."
    - expression: "object.spec.replicas <= 5"
      message: "Replicas must be less than or equal 5"
  matchConditions:
    - name: "deployment name"
      expression: "object.metadata.name == 'nginx-deployment'"