depl checker

cluster-resources/policies/deployment-verifier.yaml

@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-deployment-owner
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+  - name: check-pod-owner-is-replicaset-from-deployment
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - kyverno
+          - cert-manager
+          - monitoring
+          - argocd
+    context:
+    - name: ownerReplicaSet
+      apiCall:
+        urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets/{{request.object.metadata.ownerReferences[0].name}}"
+        jmesPath: "@"
+    preconditions:
+      any:
+      - key: "{{request.object.metadata.ownerReferences[0].kind}}"
+        operator: Equals
+        value: ReplicaSet
+    validate:
+      message: "Pods must be created through a Deployment resource."
+      deny:
+        conditions:
+          any:
+          - key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}"
+            operator: NotEquals
+            value: Deployment