apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: select-secrets
spec:
  background: false
  validationFailureAction: enforce
  rules:
  - name: select-secrets-from-volumes
    match:
      resources:
        kinds:
        - Pod
    context:
    - name: volsecret
      apiCall:
        urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}"
        jmesPath: "metadata.labels.foo"
    preconditions:
    - key: "{{ request.operation }}"
      operator: Equals
      value: "CREATE"
    validate:
      message: "The Secret named {{request.object.spec.volumes[0].secret.secretName}} is restricted and may not be used."
      pattern:
        spec:
          containers:
          - image: "registry.domain.com/*"