From 79f48af2b55406bfeae1738e2c102ca1a2c251fc Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Wed, 18 Feb 2026 12:06:11 +0100
Subject: [PATCH] depl checker
---
 .../policies/deployment-verifier.yaml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 cluster-resources/policies/deployment-verifier.yaml
diff --git a/cluster-resources/policies/deployment-verifier.yaml b/cluster-resources/policies/deployment-verifier.yaml
new file mode 100644
index 0000000..78541af
--- /dev/null
+++ b/cluster-resources/policies/deployment-verifier.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-deployment-owner
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: check-pod-owner-is-replicaset-from-deployment
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kyverno
+ - cert-manager
+ - monitoring
+ - argocd
+ context:
+ - name: ownerReplicaSet
+ apiCall:
+ urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets/{{request.object.metadata.ownerReferences[0].name}}"
+ jmesPath: "@"
+ preconditions:
+ any:
+ - key: "{{request.object.metadata.ownerReferences[0].kind}}"
+ operator: Equals
+ value: ReplicaSet
+ validate:
+ message: "Pods must be created through a Deployment resource."
+ deny:
+ conditions:
+ any:
+ - key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}"
+ operator: NotEquals
+ value: Deployment
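Review bot: The precondition `key: "{{request.object.metadata.ownerReferences[0].kind}}"` Equals `ReplicaSet` skips every Pod that is not owned by a ReplicaSet, so a bare Pod, or one controlled by a StatefulSet, DaemonSet or Job, never reaches the deny, and the message "Pods must be created through a Deployment resource." is not checked for them; as written the rule only catches ReplicaSets that were not created by a Deployment. If that narrower check is the intent, the rule name and `message` should say so; otherwise the Deployment requirement needs a second rule (or a second deny condition) that fires when the Pod's controller kind is anything other than ReplicaSet. Both lookups also index `ownerReferences[0]`, which is not guaranteed to be the entry with `controller: true` and does not exist on a ReplicaSet with no owners, so a hand-made ReplicaSet likely yields a variable-resolution failure instead of a clean NotEquals result; a null-safe key such as `key: "{{ ownerReplicaSet.metadata.ownerReferences[0].kind || '' }}"` keeps the deny meaningful in that case (confirm how this Kyverno version reports unresolved variables in Audit mode). With `validationFailureAction: Audit` and `background: false`, violations are only recorded in policy reports at admission time and pre-existing Pods are never scanned, so a comment above `spec:` such as `# Detection only: reports non-Deployment-owned Pods at admission, does not block them` would keep the next reader from assuming the policy enforces anything.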