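---
# Kyverno ClusterPolicy "select-secrets": on every Pod CREATE request, fetch the
# Secret referenced by the Pod's first volume and require every container image
# to come from registry.domain.com. Evaluated at admission time only.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: select-secrets
spec:
  # Run in the admission webhook.
  admission: true
  # The rule reads request.operation and request.object, which only exist for an
  # admission request, so background (existing-resource) scanning must stay off.
  background: false
  # Enforce: a Pod that fails the pattern is rejected, not merely reported.
  validationFailureAction: Enforce
  rules:
    - name: select-secrets-from-volumes
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Only CREATE requests are evaluated; other operations pass through.
      preconditions:
        all:
          - key: '{{ request.operation }}'
            operator: Equals
            value: CREATE
      context:
        # Looks up the Secret named by the Pod's FIRST volume only (volumes[0]);
        # Secrets mounted by later volumes are not consulted.
        # Assumes every matched Pod has a Secret volume at index 0 — a Pod
        # without one leaves the {{...}} substitution unresolved; TODO confirm
        # how Kyverno reports that under Enforce.
        # jmesPath narrows the variable to a single label value, so the Secret's
        # data keys never land in the policy variable or its messages. The call
        # runs under Kyverno's own ServiceAccount, which therefore needs GET on
        # secrets in the target namespaces.
        - name: volsecret
          apiCall:
            method: GET
            urlPath: '/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}'
            jmesPath: metadata.labels.foo
      validate:
        # NOTE(review): volsecret is fetched above but never referenced in this
        # block, so the rule currently enforces only the image pattern below
        # (one API read per admitted Pod for nothing). Either reference it in a
        # deny condition or drop the context entry.
        message: 'The Secret named {{request.object.spec.volumes[0].secret.secretName}} is restricted and may not be used.'
        pattern:
          spec:
            containers:
              # Intended to require every container image to start with
              # registry.domain.com/ — confirm Kyverno's list-matching semantics
              # for multi-container Pods.
              - image: 'registry.domain.com/*'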