diff --git a/clusters/noble/apps/kyverno/policies-values.yaml b/clusters/noble/apps/kyverno/policies-values.yaml
index c2ed8a4..e41bbf5 100644
--- a/clusters/noble/apps/kyverno/policies-values.yaml
+++ b/clusters/noble/apps/kyverno/policies-values.yaml
@@ -4,8 +4,18 @@
 # --version 3.7.1 -f clusters/noble/apps/kyverno/policies-values.yaml --wait --timeout 10m
 #
 # Default profile is baseline; validationFailureAction is Audit so existing privileged
-# workloads (monitoring, longhorn, etc.) are reported, not blocked. Tighten per policy or
-# namespace when ready (see README).
+# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp
+# surfaces those as “policy violations”. Exclude namespaces that intentionally run
+# outside baseline (see namespace PSA labels under clusters/noble/apps/*/namespace.yaml)
+# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
+#
+# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
+# kubectl delete clusterpolicyreport --all
+# kubectl delete policyreport -A --all
+# (Reports are recreated on the next background scan.)
+#
+# Exclude blocks omit `kinds` so the same namespace skip applies to autogen rules for
+# Deployments, DaemonSets, etc. (see kyverno/kyverno#4306).
 #
 policyKind: ClusterPolicy
 policyType: ClusterPolicy
@@ -14,3 +24,39 @@ podSecuritySeverity: medium
 validationFailureAction: Audit
 failurePolicy: Fail
 validationAllowExistingViolations: true
+
+# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/apps).
+x-kyverno-exclude-infra: &kyverno_exclude_infra
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ - argocd
+ - cert-manager
+ - external-secrets
+ - headlamp
+ - kyverno
+ - logging
+ - loki
+ - longhorn-system
+ - metallb-system
+ - monitoring
+ - newt
+ - sealed-secrets
+ - traefik
+ - vault
+
+policyExclude:
+ disallow-capabilities: *kyverno_exclude_infra
+ disallow-host-namespaces: *kyverno_exclude_infra
+ disallow-host-path: *kyverno_exclude_infra
+ disallow-host-ports: *kyverno_exclude_infra
+ disallow-host-process: *kyverno_exclude_infra
+ disallow-privileged-containers: *kyverno_exclude_infra
+ disallow-proc-mount: *kyverno_exclude_infra
+ disallow-selinux: *kyverno_exclude_infra
+ restrict-apparmor-profiles: *kyverno_exclude_infra
+ restrict-seccomp: *kyverno_exclude_infra
+ restrict-sysctls: *kyverno_exclude_infra
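Review bot: Aliasing the single `&kyverno_exclude_infra` block into all eleven `policyExclude` entries skips every listed namespace for every baseline rule, so with `validationFailureAction: Audit` the change removes even the PolicyReport signal there — a new privileged or hostPath pod in `argocd`, `vault` or `headlamp` would no longer be reported anywhere, and a later switch to Enforce would not cover those namespaces either. The removed comment named only monitoring and longhorn as the namespaces with known violations, so consider keeping the wide list only on the policies those workloads actually trip (host namespaces, host path, privileged containers) and giving the remaining policies a narrower exclude, or excluding by workload name/label instead of whole namespaces. It is also worth a one-line comment that `x-kyverno-exclude-infra` reaches the chart as an extra top-level value (Helm expands the aliases into per-policy copies), which is harmless unless the chart validates values against a schema that rejects unknown keys; e.g. `# x-* key exists only to hold the anchor; Helm passes it through as an unused value`. Indentation is not visible in this view, so the nesting under `any:` is assumed from the Kyverno exclude shape.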