apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: auto-label-static
  annotations:
    policies.kyverno.io/title: Auto-label static applications
    policies.kyverno.io/category: Best Practices
spec:
  rules:
    - name: add-security-labels
      match:
        resources:
          kinds:
            - Pod
          selector:
            matchLabels:
              app.kubernetes.io/part-of: "static-site"
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              security.kyverno.io/nonsecure: "true"
              app-type: "static"