{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "allow-{{ $name }}-vcluster-services"
spec:
  background: true
  generateExistingOnPolicyUpdate: true
  rules:
  - name: allow-atlantis-services
    generate:
      apiVersion: cilium.io/v2
      kind: CiliumNetworkPolicy
      name: allow-atlantis-services
      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
      synchronize: true
      clone:
        namespace: atlantis
        name: allow-atlantis-services
    match:
      resources:
        kinds:
        - Namespace
        names:
          - "vcluster-009dba7e-*"
        selector:
          matchLabels:
            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'