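{{- $fullname := include "vCluster.fullname" . -}}
# Kyverno ClusterPolicy shipped with the vCluster chart. For every namespace that
# belongs to this vCluster (matched below) it generates a CiliumNetworkPolicy that
# allows egress to pods labelled app=vcluster on TCP/443 (the vCluster kube-apiserver).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    # Version-looking values are quoted so they always stay strings.
    kyverno.io/kyverno-version: "1.7.0"
    policies.kyverno.io/description: Allow egress to vcluster kube-apiserver
    policies.kyverno.io/minversion: "1.7.0"
    policies.kyverno.io/subject: Namespace, NetworkPolicy
    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
  name: generate-vcluster-apiserver-networkpolicy
  # NOTE(review): ClusterPolicy is cluster-scoped, so this namespace is expected to be
  # dropped by the API server; kept as in the original template, consider removing.
  namespace: {{ .Release.Namespace }}
spec:
  background: true
  # Also (re)generate into namespaces that already exist when this policy is updated.
  generateExistingOnPolicyUpdate: true
  validationFailureAction: audit
  rules:
    - name: generate-vcluster-apiserver-networkpolicy
      generate:
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: allow-vcluster-apiserver-access
        # printf keeps the Kyverno JMESPath variable (the matched namespace's name)
        # out of Helm's template engine; quote protects the braces from the YAML parser.
        namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
        # Keep the generated policy in step with this rule (updated/deleted with it).
        synchronize: true
        data:
          metadata:
            labels:
              created-by: kyverno
          spec:
            description: Allow egress to vcluster kube-apiserver
            egress:
              - toEndpoints:
                  # NOTE(review): without a k8s:io.kubernetes.pod.namespace label Cilium
                  # restricts toEndpoints to the policy's own namespace; if the vCluster
                  # pods run elsewhere (e.g. the release namespace), this rule does not
                  # reach them and that label should be added — confirm where they run.
                  - matchLabels:
                      app: vcluster
                toPorts:
                  - ports:
                      - port: "443"
                        protocol: TCP
            # Empty selector: every endpoint in the target namespace is covered. Being
            # selected by an egress policy makes other egress from those endpoints
            # default-deny in Cilium unless another policy allows it — TODO confirm intended.
            endpointSelector: {}
      match:
        any:
          # The namespace named after this vCluster ...
          - resources:
              kinds:
                - Namespace
              names:
                - {{ $fullname | quote }}
          # ... and every namespace labelled as belonging to it. Templated values are
          # quoted so a number- or boolean-looking release name is not retyped by YAML.
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  vcluster.loft.sh/vcluster-name: {{ $fullname | quote }}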