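apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-creator-audit-annotation
  annotations:
    # Title in English: "Resource creator audit annotation"
    policies.kyverno.io/title: "Аннотация аудита создателя ресурса"
    policies.kyverno.io/category: Governance
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Deployment,StatefulSet
    # Description in English: when a Deployment or StatefulSet is created,
    # automatically adds annotations recording who created it, when, and
    # which groups the creator belongs to. Produces an automatic audit trail
    # without additional tools.
    policies.kyverno.io/description: >-
      При создании Deployment или StatefulSet автоматически добавляет
      аннотации: кто создал, когда, из каких групп. Создаёт автоматический
      audit trail без дополнительных инструментов.
spec:
  rules:
    - name: add-creator-annotation
      match:
        resources:
          kinds:
            - Deployment
            - StatefulSet
      # Mutate only on CREATE so the annotations record the original creator
      # and are not rewritten by later updates.
      preconditions:
        any:
          - key: "{{ request.operation }}"
            operator: Equals
            value: CREATE
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # Values are taken from the admission request's userInfo and
              # replace anything the client supplied under the same keys.
              audit.company.com/created-by: "{{ request.userInfo.username }}"
              audit.company.com/created-at: "{{ time_now_utc() }}"
              audit.company.com/user-groups: >-
                {{ request.userInfo.groups | join(', ', @) }}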