Update Image Tag
For use cases like sidecar injection, it is often the case that existing Deployments need the sidecar image updated without destroying the whole Deployment or its Pods. This policy updates the image tag on containers named vault-agent in existing Deployments which carry the annotation vault.hashicorp.com/agent-inject="true". It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.
Policy Definition
/other/update-image-tag/update-image-tag.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: update-image-tag
  annotations:
    policies.kyverno.io/title: Update Image Tag
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      For use cases like sidecar injection, it is often the case where existing
      Deployments need the sidecar image updated without destroying the whole Deployment
      or Pods. This policy updates the image tag on containers named vault-agent for
      existing Deployments which have the annotation vault.hashicorp.com/agent-inject="true".
      It may be necessary to grant additional privileges to the Kyverno ServiceAccount,
      via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.
spec:
  mutateExistingOnPolicyUpdate: true
  rules:
  - name: update-image-tag-rule
    match:
      any:
      - resources:
          kinds:
          - Deployment
          annotations:
            vault.hashicorp.com/agent-inject: "true"
    mutate:
      targets:
      - apiVersion: apps/v1
        kind: Deployment
        name: "{{ request.object.metadata.name }}"
      patchStrategicMerge:
        spec:
          template:
            spec:
              containers:
              - (name): vault-agent
                image: vault:1.5.4
```
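As an added example (not part of the Kyverno policy library), the script below approximates what this policy does to existing Deployments: it applies the match block's annotation check and the `(name)` conditional anchor of the strategic merge patch to a set of constructed sample manifests, so you can see which objects a policy update would actually change before turning on `mutateExistingOnPolicyUpdate`. The annotation key, container name and image come from the policy above; the sample Deployments are constructed input.

```python
import copy

MATCH_ANNOTATION = ("vault.hashicorp.com/agent-inject", "true")  # from the policy's match block
TARGET_CONTAINER = "vault-agent"  # the (name) conditional anchor in patchStrategicMerge
NEW_IMAGE = "vault:1.5.4"         # the image the policy writes


def matches(deployment):
    """Mirror the match block: a Deployment carrying the inject annotation."""
    ann = deployment.get("metadata", {}).get("annotations") or {}
    return deployment.get("kind") == "Deployment" and ann.get(MATCH_ANNOTATION[0]) == MATCH_ANNOTATION[1]


def apply_patch(deployment):
    """Mirror the strategic merge patch: only containers whose name equals the (name)
    anchor get their image replaced. Returns (patched copy, [(container, old_image)])."""
    out = copy.deepcopy(deployment)
    changes = []
    for c in out["spec"]["template"]["spec"].get("containers", []):
        if c.get("name") == TARGET_CONTAINER and c.get("image") != NEW_IMAGE:
            changes.append((c["name"], c["image"]))
            c["image"] = NEW_IMAGE
    return out, changes


def plan(deployments):
    """Dry run over existing Deployments: {deployment name: old vault-agent image}
    for each object the policy would actually modify."""
    result = {}
    for d in deployments:
        if matches(d):
            _, changes = apply_patch(d)
            if changes:
                result[d["metadata"]["name"]] = changes[0][1]
    return result


def _deploy(name, annotations, containers):
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "annotations": annotations},
            "spec": {"template": {"spec": {"containers": containers}}}}


# Constructed sample cluster state (not real objects).
SAMPLE = [
    _deploy("web", {"vault.hashicorp.com/agent-inject": "true"},
            [{"name": "app", "image": "nginx:1.21"}, {"name": "vault-agent", "image": "vault:1.4.0"}]),
    _deploy("batch", {}, [{"name": "vault-agent", "image": "vault:1.4.0"}]),  # no annotation: skipped
    _deploy("api", {"vault.hashicorp.com/agent-inject": "true"},
            [{"name": "app", "image": "api:2"}]),  # annotated but no vault-agent container: no-op
]

if __name__ == "__main__":
    print(plan(SAMPLE))
```

Only the annotated Deployment that actually has a vault-agent container is reported; the unannotated one and the one without that container are left alone, and sibling containers keep their images.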