docs(index.md): clarify variable restrictions in imageReferences

kushal9897 · kushal9897 · commit ad2320cb4ea2 · 2025-02-11T08:28:21.000+05:30
Signed-off-by: kushal9897 &lt;kushalag2580@gmail.com&gt;
diff --git a/content/en/docs/writing-policies/verify-images/_index.md b/content/en/docs/writing-policies/verify-images/_index.md
@@ -53,12 +53,71 @@ For additional details please reference a section below for the solution used to
 ### Variables in `imageReferences`
 The `imageReferences` field does **not** support variable interpolation (e.g., `{{ }}` syntax). Only **static strings** or predefined lists should be used.
 
+ #### ** Incorrect Usage (Using Variables – Not Allowed)**
+ ```yaml
+ verifyImages:
+   - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"]
+ ```
+  This will result in a validation error because variables are **not allowed** in `imageReferences`.
+
+ #### ** Correct Usage (Using Static Values – Allowed)**
+ ```yaml
+ verifyImages:
+   - imageReferences:
+       - "myregistry.com/app-image:v1"
+       - "myregistry.com/app-image:v2"
+ ```
+  Here, only **explicit, static image references** are used, which is allowed.
+
+
+### **Other Fields Where Variables Are Not Allowed**
+ In addition to `imageReferences`, the following fields **do not support variable interpolation** and must be defined with static values:
+
+ - `match.resources.kinds`
+ - `exclude.resources.kinds`
+ - `preconditions.all`
+ - `preconditions.any`
+
+ #### ** Incorrect Usage (Using Variables – Not Allowed)**
+ ```yaml
+ rules:
+   - name: restrict-deployment-kinds
+     match:
+       resources:
+         kinds:
+           - "{{ request.object.kind }}"
+ ```
+  **Why is this incorrect?**  
+ - `match.resources.kinds` must contain **static** resource kinds (e.g., `Pod`, `Deployment`).  
+ - Dynamic interpolation using `{{ request.object.kind }}` is **not supported**.  
+
+ #### ** Correct Usage (Using Static Values – Allowed)**
+ ```yaml
+ rules:
+   - name: restrict-deployment-kinds
+     match:
+       resources:
+         kinds:
+           - Deployment
+           - StatefulSet
+ ```
+ **Why is this correct?**  
+ - Only predefined, static resource kinds (`Deployment`, `StatefulSet`) are used.  
+
+---
+
+### **Why Are Variables Not Allowed in These Fields?**
+ Kyverno requires these fields to be **static** to ensure policy validation and enforcement remain deterministic and efficient. Allowing variables in these fields could introduce unexpected behavior, making policy evaluation unreliable.
+
+---
+
 #### **Incorrect Usage**
 ```yaml
 verifyImages:
   - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"]
 
 
+
 ### Cache
 
 Image verification requires multiple network calls and can be time consuming. Kyverno has a TTL based cache for image verification which caches successful outcomes of image verification. When cache is enabled, an image once verified by a policy will be considered to be verified until TTL duration expires or there is a change in policy.
