apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-baseline-exclude-se-linux-options
spec:
  validationFailureAction: enforce
  rules:
  - name: enforce-baseline-exclude-se-linux-options
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - privileged-pss-with-kyverno
    validate:
      podSecurity:
         level: baseline
         version: v1.24
         exclude:
          - controlName: "SELinux"
            restrictedField: spec.containers[*].securityContext.seLinuxOptions.role
            images:
              - nginx
            values:
              - baz
          - controlName: "SELinux"
            restrictedField: spec.initContainers[*].securityContext.seLinuxOptions.role
            images:
              - nodejs
            values:
              - init-bazo