apiVersion: v1
kind: Namespace
metadata:
  name: test-validate
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test
spec:
  validationFailureAction: Enforce
  rules:
    - name: test-rule
      match:
        any:
          - resources:
              kinds:
                - "acid.zalan.do/v1/postgresql"
      validate:
        message: "The label app=foo is required"
        pattern:
          metadata:
            labels:
              app: foo