fix: fix kyvero whitelisting rules to use annotation, not label

values/dapr/manifests/ingress-dashboard.yaml

@@ -5,7 +5,7 @@ metadata:
     cert-manager.io/cluster-issuer: letsencrypt-production
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    atlantis.oceanbox.io/expose: internal
+    oceanbox.io/expose: internal
   labels:
     app.kubernetes.io/name: dapr-dashboard
   name: dapr-dashboard

values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml

@@ -9,7 +9,7 @@ metadata:
     policies.clusterConfig.kyverno.io/severity: medium
     policies.clusterConfig.kyverno.io/subject: Ingress
     policies.clusterConfig.kyverno.io/description: >-
-      Ingresses with the label "internal=true" should be whitelisted.
+      Ingresses with the annotation "oceanbox.io/expose=internal" should be whitelisted.
       If no whitelist exists, add the default values, otherwise append
       whitelist to the already existing ones
 spec:
@@ -22,9 +22,8 @@ spec:
       resources:
         kinds:
           - Ingress
-        selector:
+        annotations:
-          matchLabels:
+          oceanbox.io/expose: internal
-            internal: "true"
     mutate:
       patchStrategicMerge:
         metadata:
@@ -36,9 +35,8 @@ spec:
       resources:
         kinds:
           - Ingress
-        selector:
+        annotations:
-          matchLabels:
+          oceanbox.io/expose: internal
-            internal: "true"
     preconditions:
       any:
       - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
@@ -57,9 +55,8 @@ spec:
       resources:
         kinds:
           - Ingress
-        selector:
+        annotations:
-          matchLabels:
+          oceanbox.io/expose: internal
-            internal: "true"
     preconditions:
       any:
       - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"