[Question] How to match PATCH requests?

Hi,

I'm looking to create a validate policy to allow users to use kubectl rollout restart. Rollout restart creates a PATCH request that sets the annotation kubectl.kubernetes.io/restartedAt on the resources.

I tried with a match on UPDATE operations but it doesn't seem to catch PATCH requests.

Do you have any idea if it is possible to create such policy?

Thanks