apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-namespace
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: With many users spread across multiple teams, restricting 
      use of the default namespace and subdividing the cluster by namesoace isolates workloads.
spec:
  rules:
  - name: check-default-namespace
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Using 'default' namespace is restricted"
      pattern:
        metadata:
          namespace: "!default"
  - name: check-namespace-exist
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "A namespace is required"
      pattern:
        metadata:
          namespace: "?*"