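---
# Kyverno ClusterPolicy: for every Namespace that is not excluded below,
# generate a NetworkPolicy that lets pods in namespaces labelled
# `name: zalando-postgres` reach pods labelled `application: spilo`
# on the listed TCP ports.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # NOTE(review): `default` says nothing about what this policy does and is
  # easy to collide with; a descriptive name would help audits. Left
  # unchanged because other tooling may reference it.
  name: default
spec:
  rules:
  - name: allow-from-zalando-postgres
    match:
      resources:
        kinds:
        - Namespace
    exclude:
      resources:
        namespaces:
        # Quoted: a plain scalar starting with `*` is read by YAML as an
        # alias, so the unquoted form fails to parse (or resolves to an
        # unrelated anchor) instead of acting as a wildcard.
        - "*-system"
        - default
        - kube-public
        - kyverno
    # NOTE(review): Kyverno's generate rule normally takes `name` and
    # `namespace` directly under `generate` and the resource body under
    # `data`; the `metadata`/`spec` nesting used here may be rejected or
    # ignored. Verify against the CRD of the Kyverno version in use.
    # NOTE(review): `synchronize` is not set, so do not assume that a
    # deleted or edited generated NetworkPolicy is restored automatically.
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-zalando-postgres-managed
        # Target namespace is the Namespace object that triggered the rule.
        namespace: "{{request.object.metadata.name}}"
      spec:
        ingress:
        - from:
          # NOTE(review): the `name` label is user-assigned, so anyone who
          # can create or label a namespace can satisfy this selector.
          # Consider matching the API-server-managed label
          # `kubernetes.io/metadata.name` instead, and restrict who may
          # label namespaces.
          - namespaceSelector:
              matchLabels:
                name: zalando-postgres
          ports:
          # 5432 is the PostgreSQL default; 8008 is presumably the Patroni
          # REST API. The purpose of 8080 is not evident from this file;
          # confirm it is needed before keeping it open.
          - port: 8008
            protocol: TCP
          - port: 5432
            protocol: TCP
          - port: 8080
            protocol: TCP
        # Once this policy selects the spilo pods, ingress to them is
        # limited to what some NetworkPolicy allows: clients outside the
        # zalando-postgres namespace need their own allow rule.
        podSelector:
          matchLabels:
            application: spilo
        policyTypes:
        - Ingress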