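{{- if .Values.clusterConfig.kyverno.enabled }}
{{- /*
  Kyverno ClusterPolicy: every Ingress annotated "oceanbox.io/expose: internal"
  gets the ingress-nginx whitelist-source-range annotation populated from
  .Values.clusterConfig.ingress_whitelist.

  Render-time guard: the rules below only emit a whitelist value when the list
  is set. With an empty or unset list, rule 1 would still add the annotation
  with an empty value and rules 2/3 would emit nothing, so the "internal"
  Ingress would carry an empty whitelist. Fail the chart render instead of
  failing open.
*/}}
{{- if not .Values.clusterConfig.ingress_whitelist }}
{{- fail "clusterConfig.ingress_whitelist must be a non-empty list when clusterConfig.kyverno.enabled is true" }}
{{- end }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: whitelist-internal-ingresses
  annotations:
    policies.clusterConfig.kyverno.io/title: Concatenate Ingresss
    policies.clusterConfig.kyverno.io/category: Other
    policies.clusterConfig.kyverno.io/severity: medium
    policies.clusterConfig.kyverno.io/subject: Ingress
    policies.clusterConfig.kyverno.io/description: >-
      Ingresses with the annotation "oceanbox.io/expose=internal" should be
      whitelisted. If no whitelist exists, add the default values, otherwise
      append whitelist to the already existing ones
spec:
  # Existing Ingresses are not re-mutated when this policy changes; only
  # admission requests are handled (all rules also skip background scans).
  mutateExistingOnPolicyUpdate: false
  rules:
    # Rule 1: make sure the whitelist annotation exists. The "+()" anchor adds
    # the key with an empty value only when it is absent; an existing value is
    # left untouched. Rules 2 and 3 then branch on whether it is empty.
    - name: ensure-nginx-whitelist-exists
      skipBackgroundRequests: true
      match:
        resources:
          kinds:
            - Ingress
          annotations:
            oceanbox.io/expose: internal
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
    # Rule 2: a non-empty whitelist already exists; keep it ("{{`{{ @ }}`}}" is
    # the current value) and append the chart-configured ranges.
    # NOTE(review): the precondition is true on every later UPDATE of the same
    # Ingress, so the configured ranges may be appended again on each update
    # unless Kyverno suppresses a no-op patch. Confirm against the deployed
    # Kyverno version; a precondition that checks the value does not already
    # contain the configured ranges would make the rule idempotent.
    - name: append-existing-whitelist
      skipBackgroundRequests: true
      match:
        resources:
          kinds:
            - Ingress
          annotations:
            oceanbox.io/expose: internal
      preconditions:
        any:
          - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
            operator: NotEquals
            value: ""
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," .Values.clusterConfig.ingress_whitelist }}"
    # Rule 3: the whitelist annotation is empty (typically just added by
    # rule 1); set it to the chart-configured ranges.
    - name: add-nginx-whitelist
      skipBackgroundRequests: true
      match:
        resources:
          kinds:
            - Ingress
          annotations:
            oceanbox.io/expose: internal
      preconditions:
        any:
          - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
            operator: Equals
            value: ""
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," .Values.clusterConfig.ingress_whitelist }}"
{{- end }}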