Kyverno

Policy Structure

apiVersion: kyverno.io/v1
kind: ClusterPolicy  # or Policy (namespaced)
metadata:
  name: policy-name
spec:
  validationFailureAction: Enforce  # Enforce (block) or Audit (warn)
  background: true                   # Scan existing resources
  rules:
    - name: rule-name
      match:
        any:                         # OR logic
          - resources:
              kinds: [Pod]
              namespaces: [prod-*]   # Glob patterns supported