apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
  name: pod-security-exception
  namespace: policy-exception-ns
spec:
  exceptions:
  - policyName: psa
    ruleNames:
    - restricted
  match:
    any:
    - resources:
        namespaces:
        - staging-ns
  podSecurity:
    - controlName: "Privilege Escalation"
      images:
      - nginx
      restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation"
      values:
      - "true"
    - controlName: "Privilege Escalation"
      images:
      - nginx
      restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation"
      values:
      - "true"