kyverno/samples/misc/latestimage-notalways.yaml

apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: latestimage-notalways
spec:
  validationFailureAction: audit
  background: false
  rules:
  - name: latestimage-notalways
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "When using the `latest` tag, the `imagePullPolicy` must not use `Always`."  
      pattern:
        spec:
          containers:
          - (image): "*:latest"
            imagePullPolicy: "!Always"