[Enhancement] Documentation should specify where variables are not allowed #1462

Open
abohne opened this issue Jan 24, 2025 · 2 comments
Labels
enhancement New feature or request

abohne commented Jan 24, 2025

Description

I've been working on writing a ClusterPolicy that includes a rule with a verifyImages section. I've been trying to source the imageReferences from a context value that contains an array of strings. My policy has failed to validate (without indication why) until I explicitly tried making the value of imageReferences into an array.

At that point, I finally was able to generate the following error:

"policy contains invalid variables: rule \"verify-image-signature\" should not have variables in image reference section"

Example rule:

  rules:
    - name: verify-image-signature
      match:
        any:
        - resources:
            kinds:
              - Pod
      context:
        - name: allowedregistryprefixes
          configMap:
            name: allowedregistryprefixes
            namespace: kyverno
      verifyImages:
      - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"]

This was extremely frustrating to diagnose, only to run into that error. If variables are not allowed in certain portions of a policy, the documentation (both on the main site and the API documentation for ClusterPolicy and Policy) should indicate that.

Slack discussion

No response

@abohne abohne added the enhancement New feature or request label Jan 24, 2025
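A pre-flight check for the condition reported above, as an added example that is not part of the original issue or of the Kyverno code base: it walks an already-parsed policy and reports every `imageReferences` entry that contains a `{{ ... }}` variable, so the problem surfaces with a rule name before the policy is submitted. The function name `find_variable_image_refs`, the `SAMPLE_POLICY` dict and the `registry.example.com` reference are assumptions constructed for illustration, and the check covers only the `imageReferences` field named in the error message.

```python
import re

# Kyverno variable syntax as it appears in the issue: {{ ... }}
VARIABLE = re.compile(r"\{\{.*?\}\}", re.DOTALL)


def find_variable_image_refs(policy):
    """Return (rule name, verifyImages index, offending reference) tuples.

    `policy` is a ClusterPolicy/Policy already parsed into a dict
    (for example with a YAML loader); parsing is left to the caller.
    """
    findings = []
    for rule in (policy.get("spec") or {}).get("rules") or []:
        for idx, block in enumerate(rule.get("verifyImages") or []):
            refs = block.get("imageReferences") or []
            # The issue reports the value was not an array at first,
            # so a bare string is checked as well.
            if isinstance(refs, str):
                refs = [refs]
            for ref in refs:
                if isinstance(ref, str) and VARIABLE.search(ref):
                    findings.append((rule.get("name", "<unnamed>"), idx, ref))
    return findings


# Constructed sample: the rule from the issue plus a rule with a static reference.
SAMPLE_POLICY = {
    "kind": "ClusterPolicy",
    "spec": {
        "rules": [
            {
                "name": "verify-image-signature",
                "verifyImages": [{
                    "imageReferences": [
                        "{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"
                    ],
                }],
            },
            {
                "name": "static-reference",  # hypothetical rule name
                "verifyImages": [{"imageReferences": ["registry.example.com/*"]}],
            },
        ]
    },
}

if __name__ == "__main__":
    for name, idx, ref in find_variable_image_refs(SAMPLE_POLICY):
        print(f'rule "{name}" verifyImages[{idx}]: variable in imageReferences: {ref}')
```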

welcome bot commented Jan 24, 2025

Thanks for opening your first issue here! Be sure to follow the issue template!

@kushal9897

I'd like to take this on! I'll update the documentation to clarify where variables are not allowed and provide examples. Assigning this to myself.
