apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-labels
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: ns-vars
    match:
      any:
      - resources:
          kinds:
            - Pod
    validate:
      message: The `owner` label is required for all Namespaces.
      pattern:
        metadata:
          labels:
            baz: "{{serviceAccountName}}"