refactor: move cilium policies to kyverno

values/kyverno/manifests/kyverno-generate-cilium-network-policies.yaml

@@ -0,0 +1,29 @@
+{{- if and (.Values.kyverno.enabled) (.Values.clusterConfig.cilium.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:generate-cilium-networkpolicies
+rules:
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnetworkpolicies
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno:generate-cilium-networkpolicies
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:generate-cilium-networkpolicies
+subjects:
+- kind: ServiceAccount
+  name: kyverno
+  namespace: kyverno
+- kind: ServiceAccount
+  name: kyverno-background-controller
+  namespace: kyverno
+{{- end }}

values/kyverno/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
@@ -13,3 +14,4 @@ spec:
               protocol: TCP
   endpointSelector:
     matchLabels: {}
+{{- end }}

values/kyverno/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
@@ -15,3 +16,4 @@ spec:
         - ports:
             - port: "8000"
               protocol: TCP
+{{- end }}

values/kyverno/manifests/policies/CiliumNetworkPolicy-allow-remote-node-to-kyverno.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
@@ -10,3 +11,4 @@ spec:
   ingress:
     - fromEntities:
         - remote-node
+{{- end }}