Skip to content

Instantly share code, notes, and snippets.

@larstobi

larstobi/kyverno exclude

Last active November 26, 2024 11:54
Show Gist options
  • Save larstobi/6b308a501aa0976cb0e2dd34946783df to your computer and use it in GitHub Desktop.
Save larstobi/6b308a501aa0976cb0e2dd34946783df to your computer and use it in GitHub Desktop.
Download ZIP
Raw
kyverno exclude
config:
webhooks:
# Exclude namespaces
- namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
# System namespaces
- kyverno
- kube-system
- kube-node-lease
# Rancher namespaces
- cattle-fleet-system
- cattle-impersonation-system
- cattle-system
- fleet-system
# Kind namespaces
- local-path-storage
Raw
kyverno.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disable-webhooks-in-external-secrets
spec:
background: false
rules:
- name: exclude-external-secrets-from-mutating-webhooks
match:
resources:
kinds:
- MutatingWebhookConfiguration
mutate:
foreach:
- list: "request.object.webhooks"
patchesJson6902: |-
- op: add
path: "/webhooks/{{@}}/namespaceSelector"
value:
matchExpressions:
- key: "kubernetes.io/metadata.name"
operator: "NotIn"
values:
- "external-secrets"
- name: exclude-external-secrets-from-validating-webhooks
match:
resources:
kinds:
- ValidatingWebhookConfiguration
mutate:
foreach:
- list: "request.object.webhooks"
patchesJson6902: |-
- op: add
path: "/webhooks/{{@}}/namespaceSelector"
value:
matchExpressions:
- key: "kubernetes.io/metadata.name"
operator: "NotIn"
values:
- "external-secrets"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment