apiVersion: kyverno.io/v2alpha1
kind: ValidatingPolicy
metadata:
  name: check-deployment-labels
spec:
  validationActions:
    - Deny
  matchConstraints:
    resourceRules:
    - apiGroups:   [apps]
      apiVersions: [v1]
      operations:  [CREATE, UPDATE]
      resources:   [deployments]
  variables:
    - name: environment
      expression: >-
        has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'
  validations:
    - expression: >-
        variables.environment == true
      message: >-
        Deployment labels must be env=prod