fix: fix kyvero whitelisting rules to use annotation, not label

2025-06-22 08:21:11 +02:00
parent e884db402e
commit 561c620f98
2 changed files with 8 additions and 11 deletions
@@ -5,7 +5,7 @@ metadata:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    atlantis.oceanbox.io/expose: internal
+    oceanbox.io/expose: internal
  labels:
    app.kubernetes.io/name: dapr-dashboard
  name: dapr-dashboard
@@ -9,7 +9,7 @@ metadata:
    policies.clusterConfig.kyverno.io/severity: medium
    policies.clusterConfig.kyverno.io/subject: Ingress
    policies.clusterConfig.kyverno.io/description: >-
-      Ingresses with the label "internal=true" should be whitelisted.
+      Ingresses with the annotation "oceanbox.io/expose=internal" should be whitelisted.
      If no whitelist exists, add the default values, otherwise append
      whitelist to the already existing ones
 spec:
@@ -22,9 +22,8 @@ spec:
      resources:
        kinds:
          - Ingress
-        selector:
-          matchLabels:
-            internal: "true"
+        annotations:
+          oceanbox.io/expose: internal
    mutate:
      patchStrategicMerge:
        metadata:
@@ -36,9 +35,8 @@ spec:
      resources:
        kinds:
          - Ingress
-        selector:
-          matchLabels:
-            internal: "true"
+        annotations:
+          oceanbox.io/expose: internal
    preconditions:
      any:
      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
@@ -57,9 +55,8 @@ spec:
      resources:
        kinds:
          - Ingress
-        selector:
-          matchLabels:
-            internal: "true"
+        annotations:
+          oceanbox.io/expose: internal
    preconditions:
      any:
      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"