---
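# ClusterPolicy `add-label`: cluster-wide mutation of Pods at admission time.
# background is false, so existing Pods are not touched by background
# processing.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Sample
    # Description and title are aligned with what the rules below match and
    # patch: Pods only, labels only.
    policies.kyverno.io/description: >-
      Labels are used as an important source of metadata describing objects
      in various ways or triggering other functionality. Labels are also a
      very basic concept and should be used throughout Kubernetes. This
      policy performs a simple mutation which adds a label `color=orange`
      to Pods.
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Add Labels
  name: add-label
spec:
  admission: true
  background: false
  rules:
  # Rule 1: set the label color=orange on every Pod.
  - match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            # A plain key in a strategic merge patch overwrites a value the
            # submitter set. Labels commonly drive selectors (Services,
            # NetworkPolicies), so confirm nothing selects on `color`.
            # Kyverno's add-if-absent anchor `+(color)` is the alternative
            # when an existing value must be preserved.
            color: orange
    name: add-label
  # Rule 2: patches only when the precondition below holds.
  - match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            something: something
    name: impossible-rule
    preconditions:
      all:
      # Holds only when the literal string `not-the-name` is one of the
      # Pod's label keys. The rule name suggests this is meant never to
      # match, but nothing stops a Pod from carrying such a label.
      # NOTE(review): for a Pod without labels, keys(@) receives null;
      # confirm how the Kyverno version in use treats that evaluation.
      - key: not-the-name
        operator: AllIn
        value: '{{ request.object.metadata.labels | keys(@) }}'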
---
# Namespaced Policy `add-ndots`: the Policy kind is scoped to its own
# namespace, so this applies to Pods in `testing` only.
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: add-ndots
  namespace: testing
  annotations:
    policies.kyverno.io/title: Add ndots
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The ndots value controls where DNS lookups are first performed in a
      cluster and needs to be set to a lower value than the default of 5 in
      some cases. This policy mutates all Pods to add the ndots option with
      a value of 1.
spec:
  # Admission-time only; background processing is switched off.
  background: false
  admission: true
  rules:
  - name: add-ndots
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          dnsConfig:
            # NOTE(review): confirm whether the strategic merge keeps or
            # replaces dnsConfig.options entries a Pod already declares.
            options:
            - name: ndots
              # Quoted so the value stays a string; a bare 1 would be
              # parsed as an integer.
              value: '1'
---
# ClusterPolicy `example`: rewrites a Pod's annotations so that only the
# entries whose key starts with `key` remain.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example
spec:
  admission: true
  # NOTE(review): the rule reads request.object and only mutates; confirm
  # that background: true is intended (the sibling policies in this file
  # set it to false).
  background: true
  rules:
  # Context entries are evaluated in order; the second one reuses the name
  # `annotations` and reads the value bound by the first.
  - context:
    # Step 1: turn the annotations map into a list of {key, value} entries
    # and keep those whose key starts with `key`.
    # NOTE(review): confirm behaviour when the Pod has no annotations and
    # items() receives null.
    - name: annotations
      variable:
        jmesPath: items(request.object.metadata.annotations, 'key', 'value')[?starts_with(key,
          'key')]
    # Step 2: rebuild a map from the filtered keys and values, rebinding
    # `annotations` to that map.
    - name: annotations
      variable:
        jmesPath: object_from_lists(annotations[].key, annotations[].value)
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      # JSON Patch `replace` swaps the whole /metadata/annotations object,
      # so every annotation not kept by the filter is dropped, including
      # any that other controllers or security tooling read from the Pod.
      # RFC 6902 `replace` needs the target path to exist.
      # NOTE(review): confirm handling of Pods that have no annotations.
      # `{{ annotations }}` sits inside a literal block scalar, so YAML
      # keeps it as text; presumably Kyverno substitutes it before the
      # patch is parsed.
      patchesJson6902: |-
        - path: "/metadata/annotations"
          op: replace
          value: {{ annotations }}
    name: object_from_lists