Policies and Rules
A Kyverno policy is a collection of rules. Each rule consists of a
match clause, an optional
exclude clause, and one of a
generate clause. A rule definition can contain only a single
generate child node.
Policies can be defined as cluster-wide resources (using the kind
ClusterPolicy) or namespaced resources (using the kind
Policy.) As expected, namespaced policies will only apply to resources within the namespace in which they are defined while cluster-wide policies are applied to matching resources across all namespaces. Otherwise, there is no difference between the two types.