apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
  name: cpol-fine-grained-match-conditions-disallow-latest-image-tag
spec:
  admission: true
  background: true
  webhookConfiguration:
    matchConditions:
    - name: "select-namespace"
      expression: '(object.metadata.namespace == "cpol-fine-grained-match-conditions-ns")'
    - name: 'exclude-requests-by-groups'
      expression: '!("system:nodes" in request.userInfo.groups)' 
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: require-image-tag
    validate:
      failureAction: Enforce
      message: An image tag is required
      pattern:
        spec:
          containers:
          - image: '*:*'
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-image-tag
    validate:
      failureAction: Enforce
      message: Using a mutable image tag e.g. 'latest' is not allowed
      pattern:
        spec:
          containers:
          - image: '!*:latest'
  failurePolicy: Ignore