any (logical OR) and all (logical AND). These filters let you target resources (for example, Pods) using flexible or strict matching logic and enforce validation rules such as required labels.
What you’ll do:
- Create a ClusterPolicy that uses
match.any(logical OR). - Test the policy by creating Pods that match one or both conditions.
- Update the policy to use
match.all(logical AND) and re-run tests to observe the difference.
The
any filter behaves like a logical OR: the rule applies if at least one condition matches. The all filter behaves like a logical AND: the rule applies only if every condition matches.These policies use
validationFailureAction: enforce, which means matching requests will be blocked by the admission webhook if validation fails. Apply policies cautiously in production clusters.Step 1 — Policy using any (logical OR)
Create a policy file named check-label.yaml with the following content. This ClusterPolicy enforces that when a Pod matches either selector (type: database OR purpose: testing), it must have an app label — otherwise the creation is rejected.
match.any):
- Pod with
type=databasebut noapplabel — should be blocked because it satisfies the firstanycondition.
- Pod with
purpose=testingbut noapplabel — should be blocked because it satisfies the secondanycondition.
match.any: matching either selector triggers validation.
Step 2 — Switch to all (logical AND)
To require both selectors be present before enforcing the label, replace the match.any block with match.all. The effect: the rule applies only when the Pod matches both type: database and purpose: testing.
Updated check-label.yaml (key change: all instead of any):
match.all:
- Pod with only
type=database(nopurpose) — policy should NOT apply, Pod created successfully.
- Pod with both
type=databaseandpurpose=testingbut missingapp— policy applies, creation blocked.
- Pod with
type=database,purpose=testing, andapp=testing— all matching conditions satisfied and validation passes; Pod created.
Quick comparison
Summary
match.any(OR): The rule applies if at least one listed resource filter matches the resource. Use this to enforce rules across multiple possible resource selector conditions.match.all(AND): The rule applies only when every listed resource filter matches the resource. Use this to target a narrow subset of resources that must satisfy every criterion.
- Kyverno documentation — ClusterPolicy and match conditions: https://kyverno.io/docs/
- Kubernetes admission controllers: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
any when you want to validate resources that meet any of multiple criteria. Use all when validation should only apply to resources that satisfy every listed condition.