From a962fd6450e099cba6d2a2bfd1d7808233da5ecf Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Wed, 18 Feb 2026 13:13:52 +0100
Subject: [PATCH] rule

---
 .../policies/deployment-verifier.yaml | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/cluster-resources/policies/deployment-verifier.yaml b/cluster-resources/policies/deployment-verifier.yaml
index 55cd8eb..a719f1a 100644
--- a/cluster-resources/policies/deployment-verifier.yaml
+++ b/cluster-resources/policies/deployment-verifier.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-deployment-owner
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: Audit
   background: false
   rules:
     - name: check-pod-owner-is-replicaset-from-deployment
@@ -41,3 +41,28 @@ spec:
               - key: "{{ownerReplicaSet.metadata.ownerReferences[0].kind}}"
                 operator: NotEquals
                 value: Deployment
+    - name: deny-pods-without-replicaset-owner
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - kyverno
+                - cert-manager
+                - monitoring
+                - argocd
+                - traefik-system
+      skipBackgroundRequests: true
+      validate:
+        message: "Direct pod creation is not allowed. Pods must come from a Deployment managed by ArgoCD."
+        deny:
+          conditions:
+            all:
+              - key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}"
+                operator: LessThan
+                value: 1
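Review bot: Switching `validationFailureAction` to Audit at the `spec` level downgrades the existing rule `check-pod-owner-is-replicaset-from-deployment` along with the new one, so after this commit nothing in the policy blocks admission any more. If the intent is only to trial the new rule before enforcing it, that is worth recording next to the field, e.g. `# Audit while deny-pods-without-replicaset-owner is being evaluated; restore Enforce once reports are clean`, since the commit message ("rule") gives no reason for the change.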
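Review bot: The deny condition at the end of the hunk inspects only the `ownerReferences` carried in the request, which the API server does not validate against existing objects, so a principal allowed to create Pods can satisfy it by declaring an owner of `kind: ReplicaSet` that does not exist; on its own the rule catches forgotten owner references, not deliberate bypass. Whether the referenced ReplicaSet exists and belongs to a Deployment is left to `check-pod-owner-is-replicaset-from-deployment`, whose context lookup is outside this hunk and, after this commit, also runs in Audit. The message additionally claims pods must be "managed by ArgoCD", but nothing in the condition checks ArgoCD ownership, and Pods owned by StatefulSets, DaemonSets or Jobs in non-excluded namespaces will be reported as well. If that is intended, say so above the rule, e.g. `# Checks only that a ReplicaSet owner is declared; existence and Deployment ownership are verified by check-pod-owner-is-replicaset-from-deployment. StatefulSet/DaemonSet/Job pods are flagged by design.`; otherwise widen the `[?kind=='ReplicaSet']` filter to the other controller kinds or reword the message to match what the condition actually checks.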