diff --git a/resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml b/resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
new file mode 100644
index 00000000..26a3514a
--- /dev/null
+++ b/resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Secrets like registry credentials often need
+ to exist in multiple Namespaces so Pods there have access. Manually duplicating
+ those Secrets is time consuming and error prone. This policy will copy a Secret
+ called `regcred` which exists in the `default` Namespace to new Namespaces when
+ they are created. It will also push updates to the copied Secrets should the
+ source Secret be changed. '
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-oceanbox-regcred
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: default
+ kind: Secret
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - "vcluster-*"
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: sync-oceanbox-regcred
+
+
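Review bot: The `match` block at the end of the rule selects every Namespace and the `exclude` only removes `vcluster-*`, so with `generateExisting: true` and `synchronize: true` the `gitlab-pull-secret` registry credential is cloned into all existing and future namespaces, where anyone able to read Secrets in any one of them can obtain it. Narrow the match to namespaces that opt in, for example by adding `selector: {matchLabels: {<opt-in-label>: "true"}}` (placeholder label key) under the `resources` entry of `match.any`, and confirm the credential itself is a read-only, pull-scoped token. The `policies.kyverno.io/description` annotation still says the Secret is called `regcred`, and the policy name and the commented-out `# name: oceanbox-regcred` lines disagree with the `gitlab-pull-secret` that is actually cloned; aligning these would help whoever audits where the credential is distributed. `creationTimestamp` looks like residue from exporting a live object and can be dropped from the manifest.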