apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ingress-whitelist
spec:
  background: true
  generateExistingOnPolicyUpdate: true
  rules:
  - name: set-whitelist-internal
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    match:
      resources:
        kinds:
        - Ingress
        annotations:
          atlantis.oceanbox.io/expose: internal
  validationFailureAction: audit