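---
# Kyverno ClusterPolicy: deny Pods owned by a ReplicaSet that is not itself
# owned by a Deployment (i.e. Pods created from stand-alone ReplicaSets).
#
# Scope (set by the precondition below): the rule only evaluates Pods that
# carry a ReplicaSet ownerReference. Bare Pods and Pods owned by other
# controllers (Job, StatefulSet, DaemonSet, ...) are NOT examined here, so
# the "must be created through a Deployment" message is stronger than what
# this single rule enforces; add a separate rule for those cases if required.
#
# Caveat: ownerReferences are written by whoever creates the Pod and are not
# verified against the referenced object at admission time, so a client with
# direct Pod create rights can point a hand-made Pod at an existing
# Deployment-owned ReplicaSet and satisfy this check. Treat the policy as a
# guard rail for tooling, not a substitute for RBAC limiting direct Pod
# creation.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-deployment-owner
spec:
  # Block the admission request on failure instead of only reporting it.
  validationFailureAction: Enforce
  # Also evaluate existing Pods in background scans (policy reports).
  background: true
  rules:
    - name: check-pod-owner-is-replicaset-from-deployment
      # Do not re-evaluate admission requests that originate from Kyverno's
      # own background controller.
      skipBackgroundRequests: true
      match:
        any:
          - resources:
              kinds:
                - Pod
              # Validate on create/update only: a DELETE of a non-compliant
              # Pod must never be blocked by this rule.
              operations:
                - CREATE
                - UPDATE
      exclude:
        any:
          - resources:
              # Platform namespaces whose controllers legitimately create
              # Pods outside of Deployments. Anything here bypasses the rule,
              # so keep this list as short as possible.
              namespaces:
                - kube-system
                - kyverno
                - cert-manager
                - monitoring
                - argocd
      context:
        # Fetch the owning ReplicaSet so its own ownerReferences can be
        # inspected. The name is taken from the first owner of kind
        # ReplicaSet rather than from ownerReferences[0]: the precondition
        # only guarantees that *some* owner is a ReplicaSet, so indexing [0]
        # could look up a non-existent ReplicaSet when another owner kind
        # is listed first (a failed lookup errors the rule instead of
        # evaluating the owner chain).
        - name: ownerReplicaSet
          apiCall:
            urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets/{{ request.object.metadata.ownerReferences[?kind=='ReplicaSet'] | [0].name }}"
            jmesPath: "@"
      preconditions:
        all:
          # Only Pods with at least one ReplicaSet owner are evaluated;
          # `[]` defaults the path when the Pod has no ownerReferences.
          - key: "{{ request.object.metadata.ownerReferences || `[]` | [?kind=='ReplicaSet'] | length(@) }}"
            operator: GreaterThanOrEquals
            value: 1
      validate:
        message: "Pods must be created through a Deployment resource."
        deny:
          conditions:
            any:
              # Deny when the ReplicaSet has no Deployment owner at all.
              # Counting owners (with an empty-list default) avoids reading
              # ownerReferences[0].kind on a stand-alone ReplicaSet, where
              # that path has no value and the variable cannot resolve.
              - key: "{{ ownerReplicaSet.metadata.ownerReferences || `[]` | [?kind=='Deployment'] | length(@) }}"
                operator: Equals
                value: 0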