---
# Kyverno policy that validates the pod template of production Deployments:
# no sharing of host namespaces, and a pod-level non-root requirement.
apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
  name: pod-security-context
spec:
  rules:
    # NOTE(review): the name says "set", but this rule only validates; it
    # does not mutate the resource. Renaming may affect anything that refers
    # to the rule by name, so it is left as-is here.
    - name: set-userID
      resource:
        # Scope: only Deployments carrying the label app.type=prod.
        # Other workload kinds (StatefulSet, DaemonSet, Job, bare Pod) and
        # Deployments without this label are not matched by this rule.
        kinds:
          - Deployment
        selector:
          matchLabels:
            app.type: prod
      validate:
        # NOTE(review): this text does not tell the user which field failed;
        # consider naming the checked fields.
        message: "secure pod"
        pattern:
          spec:
            template:
              spec:
                # Pod must not join the node's network, IPC or PID namespace.
                # NOTE(review): confirm how this Kyverno version treats a
                # manifest that omits these fields (required vs. optional).
                hostNetwork: false
                hostIPC: false
                hostPID: false
                # Pod-level setting only. In Kubernetes a container-level
                # securityContext takes precedence over the pod-level one,
                # and this pattern does not inspect containers[] or
                # initContainers[], so a container that sets
                # runAsNonRoot: false is not rejected by this rule.
                securityContext:
                  runAsNonRoot: true