Restricted Pod Security Standards with Container-Level Control Exemption

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted-capabilities
  annotations:
    policies.kyverno.io/title: Restricted Pod Security Standards with Container-Level Control Exemption
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: The restricted profile of the Pod Security Standards, which is inclusive of the baseline profile, is a collection of all the most common configurations that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile may be assigned to the cluster through a single rule. In some cases, specific exemptions must be made on a per-control basis. This policy configures the restricted profile through the latest version of the Pod Security Standards cluster wide while exempting `nginx` and `redis` container images from the Capabilities control check.
spec:
  background: true
  validationFailureAction: Enforce
  rules:
    - name: restricted-exempt-capabilities
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: latest
          exclude:
            - controlName: Capabilities
              images:
                - ghcr.io/kyverno/test-nginx*
                - redis*