From 41841abc846d6e519e55b6a40d3c9a0787a7bade Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Sat, 28 Mar 2026 16:56:13 -0400
Subject: [PATCH] Update Kyverno policies-values.yaml to enhance namespace exclusions for policy enforcement. Add detailed comments on the exclusion strategy and provide instructions for refreshing PolicyReports. This change aims to improve clarity and management of policy violations across various namespaces.
---
 .../noble/apps/kyverno/policies-values.yaml | 50 ++++++++++++++++++-
 1 file changed, 48 insertions(+), 2 deletions(-)
diff --git a/clusters/noble/apps/kyverno/policies-values.yaml b/clusters/noble/apps/kyverno/policies-values.yaml
index c2ed8a4..e41bbf5 100644
--- a/clusters/noble/apps/kyverno/policies-values.yaml
+++ b/clusters/noble/apps/kyverno/policies-values.yaml
@@ -4,8 +4,18 @@
 # --version 3.7.1 -f clusters/noble/apps/kyverno/policies-values.yaml --wait --timeout 10m
 #
 # Default profile is baseline; validationFailureAction is Audit so existing privileged
-# workloads (monitoring, longhorn, etc.) are reported, not blocked. Tighten per policy or
-# namespace when ready (see README).
+# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp
+# surfaces those as “policy violations”. Exclude namespaces that intentionally run
+# outside baseline (see namespace PSA labels under clusters/noble/apps/*/namespace.yaml)
+# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
+#
+# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
+# kubectl delete clusterpolicyreport --all
+# kubectl delete policyreport -A --all
+# (Reports are recreated on the next background scan.)
+#
+# Exclude blocks omit `kinds` so the same namespace skip applies to autogen rules for
+# Deployments, DaemonSets, etc. (see kyverno/kyverno#4306).
 #
 policyKind: ClusterPolicy
 policyType: ClusterPolicy
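Review bot: The rewritten header justifies the excludes with "namespaces that intentionally run outside baseline", but the next sentence widens the list to "every Ansible-managed app namespace", so a later reader may take the exclude anchor as the inventory of namespaces permitted to run privileged workloads, whereas the removed line named only monitoring and longhorn as the known privileged ones. Suggest one sentence after the PSA-labels line making the intent explicit: `# NOTE: with Audit nothing is blocked either way; these excludes only suppress report rows and are not a privilege allowlist.` The refresh recipe `kubectl delete policyreport -A --all` also deletes PolicyReports from any producer other than Kyverno, if the cluster ever gains one; worth a parenthetical so nobody runs it on a cluster where that matters.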
@@ -14,3 +24,39 @@ podSecuritySeverity: medium
 validationFailureAction: Audit
 failurePolicy: Fail
 validationAllowExistingViolations: true
+
+# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/apps).
+x-kyverno-exclude-infra: &kyverno_exclude_infra
+  any:
+    - resources:
+        namespaces:
+          - kube-system
+          - kube-public
+          - kube-node-lease
+          - argocd
+          - cert-manager
+          - external-secrets
+          - headlamp
+          - kyverno
+          - logging
+          - loki
+          - longhorn-system
+          - metallb-system
+          - monitoring
+          - newt
+          - sealed-secrets
+          - traefik
+          - vault
+
+policyExclude:
+  disallow-capabilities: *kyverno_exclude_infra
+  disallow-host-namespaces: *kyverno_exclude_infra
+  disallow-host-path: *kyverno_exclude_infra
+  disallow-host-ports: *kyverno_exclude_infra
+  disallow-host-process: *kyverno_exclude_infra
+  disallow-privileged-containers: *kyverno_exclude_infra
+  disallow-proc-mount: *kyverno_exclude_infra
+  disallow-selinux: *kyverno_exclude_infra
+  restrict-apparmor-profiles: *kyverno_exclude_infra
+  restrict-seccomp: *kyverno_exclude_infra
+  restrict-sysctls: *kyverno_exclude_infra
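Review bot: The single `kyverno_exclude_infra` anchor drops all eleven baseline policies from audit for seventeen namespaces at once, so a workload in `argocd`, `headlamp`, `vault` or `cert-manager` that later picks up `privileged: true`, a `hostPath` mount or a host namespace produces no PolicyReport row and the drift is invisible in Headlamp. Since the context line `validationFailureAction: Audit` means nothing is blocked regardless, the only cost of leaving those namespaces reported is noise, which is cheaper than losing the signal. Suggest keeping a shared anchor only for namespaces whose PSA labels genuinely place them outside baseline (the removed comment named monitoring and longhorn) and listing the rest per policy, or narrowing an exclude to the offending workloads with `names` or `selector` under `resources` instead of the whole namespace. Separately, `x-kyverno-exclude-infra` reaches the chart as an ordinary top-level value; if the chart validates values against a strict schema the release may fail — presumably not the case today, but worth confirming before merge.
```yaml
# Only namespaces whose PSA labels place them outside baseline (confirm each against
# clusters/noble/apps/*/namespace.yaml before adding it here).
x-kyverno-exclude-privileged: &kyverno_exclude_privileged
  any:
    - resources:
        namespaces:
          - kube-system
          - longhorn-system
          - monitoring

policyExclude:
  disallow-privileged-containers: *kyverno_exclude_privileged
  disallow-host-path: *kyverno_exclude_privileged
  # … unchanged: remaining policies, each pointing at the narrowest anchor that
  # covers the workloads actually violating it …
```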