apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-old-object
spec:
  background: false
  rules:
    - name: require-labels
      match:
        all:
        - resources:
            operations:
              - CREATE
              - UPDATE
            kinds:
              - Namespace
      context:
      - name: small
        variable:
          value: small
      - name: medium
        variable:
          value: medium
      - name: large
        variable:
          value: large
      validate:
        validationFailureAction: Enforce
        message: "The label `size` is required"
        assert:
          object:
            metadata:
              labels:
                size:
                  (@ == $small || @ == $medium || @ == $large): true
    - name: check-old-object
      match:
        all:
        - resources:
            operations:
              - UPDATE
            kinds:
              - Namespace
      validate:
        validationFailureAction: Enforce
        message: "request.oldObject cannot be null for update requests"
        assert:
          oldObject: {}