kyverno: Introduce system namespace label

c94c1fbf · Sheogorath · 1ac433f3 · c94c1fbf · c94c1fbf · c94c1fbf
Verified Commit c94c1fbf authored 3 years ago by Sheogorath
--- a/bootstrap/kyverno/namespace.yaml
+++ b/bootstrap/kyverno/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
  name: kyverno
  labels:
    name: kyverno
+    kyverno.shivering-isles.com/class: "system"
--- a/infrastructure/cert-manager/namespace.yaml
+++ b/infrastructure/cert-manager/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
  name: cert-manager
  labels:
    name: cert-manager
+    kyverno.shivering-isles.com/class: "system"
--- a/infrastructure/ingress-nginx/namespace.yaml
+++ b/infrastructure/ingress-nginx/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
  name: nginx-system
  labels:
    name: nginx-system
+    kyverno.shivering-isles.com/class: "system" 
--- a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
+++ b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
@@ -9,21 +9,24 @@ spec:
      resources:
        kinds:
        - Namespace
+      selector:
+        matchExpressions:
+          - {key: kyverno.shivering-isles.com/class operator: NotIn, values: [system]}
    exclude:
      resources:
        namespaces:
        - '*-system'
        - default
        - kube-public
-        - kyverno
+        - tigera-operator
    generate:
-      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
-      metadata:
-        name: allow-from-same-namespace-managed
-        namespace: "{{request.object.metadata.name}}"
-      spec:
-        podSelector: {}
-        ingress:
-        - from:
-          - podSelector: {}
+      name: allow-from-same-namespace-managed
+      namespace: "{{request.object.metadata.name}}"
+      data:
+        apiVersion: networking.k8s.io/v1
+        spec:
+          podSelector: {}
+          ingress:
+          - from:
+            - podSelector: {}
--- a/infrastructure/postgres/namespace.yaml
+++ b/infrastructure/postgres/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
  name: zalando-postgres
  labels:
    name: zalando-postgres
+    kyverno.shivering-isles.com/class: "system"
--- a/infrastructure/prometheus/namespace.yaml
+++ b/infrastructure/prometheus/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
  name: monitoring
  labels:
    name: monitoring
+    kyverno.shivering-isles.com/class: "system"
--- a/infrastructure/rook/namespace.yaml
+++ b/infrastructure/rook/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
  name: rook-ceph
  labels:
    name: rook-ceph
+    kyverno.shivering-isles.com/class: "system"