kyverno-sync-secret-to-specific-nss
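---
# ClusterRole granting the verbs Kyverno uses to read a source Secret and to
# create, update and delete its clones.
# NOTE(review): the rule has no resourceNames, and the ClusterRoleBinding in
# this file binds it cluster-wide, so the bound service accounts can read and
# modify every Secret in every namespace, not only the one being cloned.
# resourceNames can narrow get/update/delete but does not restrict create, and
# list can only be narrowed for requests that select a single name.
# A tighter layout would be namespaced Role/RoleBinding pairs (read in the
# source namespace, write in each target namespace); verify that the installed
# Kyverno version accepts namespaced grants before switching.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno-secret-clone
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "delete"]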
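---
# Binds the kyverno-secret-clone ClusterRole to two Kyverno service accounts
# in the kyverno namespace. Because this is a ClusterRoleBinding, the Secret
# verbs apply in all namespaces.
# NOTE(review): both controllers receive the full verb set, including
# create/update/delete. Confirm against the Kyverno documentation for the
# installed version whether the admission controller needs the write verbs,
# or whether only the background controller does.
# Anything that can run as, or obtain a token for, these service accounts can
# read all Secrets in the cluster; restrict pod creation and token requests in
# the kyverno namespace accordingly and audit Secret access by these subjects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno-secret-clone-binding
subjects:
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno
roleRef:
  kind: ClusterRole
  name: kyverno-secret-clone
  apiGroup: rbac.authorization.k8s.io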
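---
# Kyverno ClusterPolicy that clones the Secret cert-manager/rbx1theadam-tls
# into each of the three namespaces named in the match block.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-rbx1theadam-tls-secret
spec:
  background: true
  rules:
    - name: sync-rbx1theadam-tls
      # The trigger is the Namespace object itself, limited to an explicit
      # list of names. Keep this an exact allow-list: the target namespace
      # below is taken from the matched object, so a wildcard or a broader
      # selector would copy the Secret into any namespace that matches.
      # NOTE(review): whether namespaces that already exist are covered
      # depends on the generateExisting setting of the installed Kyverno
      # version; confirm.
      match:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - ingress-nginx
                - openbao
                - nvdaremoteserver
      generate:
        apiVersion: v1
        kind: Secret
        name: rbx1theadam-tls
        # Resolves to the name of the matched Namespace.
        namespace: "{{request.object.metadata.name}}"
        # Keeps the clone in step with the source Secret.
        synchronize: true
        # Source of the copy.
        # NOTE(review): the name suggests a TLS certificate and private key;
        # if so, every principal with read access to Secrets in a target
        # namespace can read that key. Check the RBAC of each target.
        clone:
          namespace: cert-manager
          name: rbx1theadam-tls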