From c94c1fbfdddfb1578b2812a91f921be1c0d74fd1 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 10 Oct 2021 02:03:17 +0200
Subject: [PATCH] kyverno: Introduce system namespace label
---
bootstrap/kyverno/namespace.yaml | 1 +
infrastructure/cert-manager/namespace.yaml | 1 +
infrastructure/ingress-nginx/namespace.yaml | 1 +
...-from-same-namespace-network-policies.yaml | 23 +++++++++++--------
infrastructure/postgres/namespace.yaml | 1 +
infrastructure/prometheus/namespace.yaml | 1 +
infrastructure/rook/namespace.yaml | 1 +
7 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/bootstrap/kyverno/namespace.yaml b/bootstrap/kyverno/namespace.yaml
index e5d0650e5..3c428410e 100644
--- a/bootstrap/kyverno/namespace.yaml
+++ b/bootstrap/kyverno/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
name: kyverno
labels:
name: kyverno
+ kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/cert-manager/namespace.yaml b/infrastructure/cert-manager/namespace.yaml
index 237888c1c..4555234ea 100644
--- a/infrastructure/cert-manager/namespace.yaml
+++ b/infrastructure/cert-manager/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
name: cert-manager
labels:
name: cert-manager
+ kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/ingress-nginx/namespace.yaml b/infrastructure/ingress-nginx/namespace.yaml
index f2e980136..f098abde2 100644
--- a/infrastructure/ingress-nginx/namespace.yaml
+++ b/infrastructure/ingress-nginx/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
name: nginx-system
labels:
name: nginx-system
+ kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
index 07d3936a8..2e52f8920 100644
--- a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
+++ b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
@@ -9,21 +9,24 @@ spec:
resources:
kinds:
- Namespace
+ selector:
+ matchExpressions:
+ - {key: kyverno.shivering-isles.com/class operator: NotIn, values: [system]}
exclude:
resources:
namespaces:
- '*-system'
- default
- kube-public
- - kyverno
+ - tigera-operator
generate:
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
- metadata:
- name: allow-from-same-namespace-managed
- namespace: "{{request.object.metadata.name}}"
- spec:
- podSelector: {}
- ingress:
- - from:
- - podSelector: {}
+ name: allow-from-same-namespace-managed
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ apiVersion: networking.k8s.io/v1
+ spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - podSelector: {}
diff --git a/infrastructure/postgres/namespace.yaml b/infrastructure/postgres/namespace.yaml
index 87ce1a9e8..10d72f25e 100644
--- a/infrastructure/postgres/namespace.yaml
+++ b/infrastructure/postgres/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
name: zalando-postgres
labels:
name: zalando-postgres
+ kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/prometheus/namespace.yaml b/infrastructure/prometheus/namespace.yaml
index 90d12efda..14d23d817 100644
--- a/infrastructure/prometheus/namespace.yaml
+++ b/infrastructure/prometheus/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
name: monitoring
labels:
name: monitoring
+ kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/rook/namespace.yaml b/infrastructure/rook/namespace.yaml
index f046b87cd..c4ddccc6b 100644
--- a/infrastructure/rook/namespace.yaml
+++ b/infrastructure/rook/namespace.yaml
@@ -4,3 +4,4 @@ metadata:
name: rook-ceph
labels:
name: rook-ceph
+ kyverno.shivering-isles.com/class: "system"
--
GitLab