apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psp-restricted-limited
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  background: true
  validationFailureAction: Enforce
  rules:
  - name: restricted
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - default
    validate:
      podSecurity:
        level: restricted
        version: v1.29
        exclude:
        - controlName: Volume Types
        - controlName: Seccomp
        - controlName: Seccomp
          images:
          - '*'
        - controlName: Capabilities
          images:
          - "*"