---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: select-secrets
spec:
  admission: true
  background: false
  rules:
  - context:
    - apiCall:
        jmesPath: metadata.labels.foo
        method: GET
        urlPath: /api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}
      name: volsecret
    match:
      any:
      - resources:
          kinds:
          - Pod
    name: select-secrets-from-volumes
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: Equals
        value: CREATE
    validate:
      message: The Secret named {{request.object.spec.volumes[0].secret.secretName}}
        is restricted and may not be used.
      pattern:
        spec:
          containers:
          - image: registry.domain.com/*
  validationFailureAction: Enforce