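---
# Kyverno ClusterPolicy with two mutate rules:
#   1. add-production-annotations - annotates Deployments created in the
#      "production" / "prod" namespaces with monitoring and on-call metadata.
#   2. add-java-opts - injects a JAVA_OPTS environment variable into containers
#      whose image reference contains "openjdk" or "eclipse-temurin".
# Both rules only mutate; neither rejects a request. They are a convenience
# layer, not an enforcement control.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-production-annotations
  annotations:
    policies.kyverno.io/title: "Добавление лейблов по условию"
    policies.kyverno.io/category: Governance
    policies.kyverno.io/severity: low
    # NOTE(review): the subject lists three workload kinds, but rule 1 below
    # matches Deployment only - confirm which of the two is intended.
    policies.kyverno.io/subject: Deployment,StatefulSet,DaemonSet
    policies.kyverno.io/description: >-
      1. По условию добавляет стандартные лейблы к workload ресурсам
      2. По названию образа добавляет дополнительные переменные
spec:
  rules:
    - name: add-production-annotations
      match:
        resources:
          kinds:
            - Deployment
      preconditions:
        any:
          # AnyIn replaces the deprecated In operator; the rule applies when
          # the Deployment's namespace is one of the listed names.
          - key: "{{ request.object.metadata.namespace }}"
            operator: AnyIn
            value:
              - production
              - prod
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              monitoring.company.com/enabled: "true"
              alerting.company.com/oncall: "team-platform"

    # More complex example: the mutation depends on the container image.
    - name: add-java-opts
      match:
        resources:
          kinds:
            - Pod
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            preconditions:
              any:
                # Kyverno has no Contains condition operator; a substring
                # match is written as Equals with "*" wildcards in the value.
                - key: "{{ element.image }}"
                  operator: Equals
                  value: "*openjdk*"
                - key: "{{ element.image }}"
                  operator: Equals
                  value: "*eclipse-temurin*"
            # NOTE(review): env entries are merged by name, so a JAVA_OPTS
            # value already set on the container is replaced by this one -
            # confirm that overriding workload-supplied JVM flags is intended.
            # The image check is a plain substring test on the image
            # reference; it says nothing about where the image came from.
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    env:
                      - name: JAVA_OPTS
                        value: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0"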