# Kyverno ClusterPolicy scoped to Deployments carrying the label `cli: test`.
# It holds one mutate rule (add-label) and one validate rule (check-image).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: policy-deployment
spec:
  # NOTE(review): no validationFailureAction is set in this spec. On Kyverno
  # versions where that field defaults to audit, the validate rule below only
  # reports violations and does not block admission. Confirm the intended
  # mode against the installed version.
  rules:
    # Mutation rule: applies two JSON-patch operations to the metadata labels
    # of matching Deployments.
    - name: add-label
      match:
        resources:
          kinds:
            - Deployment
          # Only Deployments labelled `cli: test` are selected; every other
          # Deployment is left untouched by this rule.
          selector:
            matchLabels:
              cli: test
      mutate:
        # NOTE(review): `patches` looks like the older JSON-patch field;
        # newer Kyverno releases use `patchesJson6902`. Confirm which
        # version this policy targets.
        patches:
          # Quoted so the label value stays the string "true", not a boolean.
          - path: /metadata/labels/isMutated
            op: add
            value: "true"
          # Under RFC 6902, `replace` requires the target to exist. A matching
          # Deployment without an `app` label may not be patched as expected;
          # verify how the engine handles that case.
          - path: /metadata/labels/app
            op: replace
            value: "nginx_is_mutated"
    # Validation rule: any container whose image matches `nginx*` must set
    # imagePullPolicy to Always.
    - name: check-image
      match:
        resources:
          kinds:
            - Deployment
          # Scope is limited to Deployments labelled `cli: test`; workloads
          # without that label are never evaluated by this rule.
          selector:
            matchLabels:
              cli: test
      validate:
        message: "The imagePullPolicy must be Always when using image nginx"
        pattern:
          spec:
            template:
              spec:
                # NOTE(review): coverage gaps to confirm before relying on
                # this as a control:
                #  - the glob is matched against the whole image string, so a
                #    registry-qualified reference (constructed example:
                #    registry.example/nginx:1.0) does not start with "nginx"
                #    and is presumably skipped by the conditional anchor;
                #  - only `containers` is listed, so initContainers and
                #    ephemeralContainers are not checked.
                containers:
                  # `(image)` is a conditional anchor: imagePullPolicy is
                  # checked only for entries whose image matches the glob.
                  - (image): "nginx*"
                    imagePullPolicy: Always