theadam revised this gist . Go to revision
1 file changed, 52 insertions
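--- a/kyverno-sync-secret-to-specific-nss
+++ b/kyverno-sync-secret-to-specific-nss
@@ -0,0 +1,52 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: kyverno-secret-clone
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "list", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: kyverno-secret-clone-binding
+subjects:
+- kind: ServiceAccount
+name: kyverno-admission-controller
+namespace: kyverno
+- kind: ServiceAccount
+name: kyverno-background-controller
+namespace: kyverno
+roleRef:
+kind: ClusterRole
+name: kyverno-secret-clone
+apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: sync-rbx1theadam-tls-secret
+spec:
+background: true
+rules:
+- name: sync-rbx1theadam-tls
+match:
+any:
+- resources:
+kinds:
+- Namespace
+names:
+- ingress-nginx
+- openbao
+- nvdaremoteserver
+generate:
+apiVersion: v1
+kind: Secret
+name: rbx1theadam-tls
+namespace: "{{request.object.metadata.name}}"
+synchronize: true
+clone:
+namespace: cert-manager
+name: rbx1theadam-tls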
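Review bot: The `kyverno-secret-clone` ClusterRole and its ClusterRoleBinding give both Kyverno service accounts `get`/`list`/`create`/`update`/`delete` on Secrets in every namespace. The policy itself only reads `rbx1theadam-tls` from `cert-manager` and writes it into `ingress-nginx`, `openbao` and `nvdaremoteserver`. A compromised or misconfigured Kyverno controller could therefore read or delete any Secret in the cluster, including whatever `openbao` stores as Kubernetes Secrets. Consider keeping the ClusterRole as a reusable rule set but binding it with a `kind: RoleBinding` in each of those four namespaces, and narrowing the `cert-manager` side to read-only with `resourceNames: ["rbx1theadam-tls"]`. Whether Kyverno's permission check at policy admission accepts namespaced grants when `namespace` is a variable, and whether the `kyverno-admission-controller` subject is needed at all for a generate rule, should be confirmed against the Kyverno version in use.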