# kyverno/kyverno-policies — Pod Security Standards as Kyverno ClusterPolicies
#
#   helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
#     --version 3.7.1 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
#
# Default profile is baseline; validationFailureAction is Audit so existing privileged
# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp
# surfaces those as “policy violations”. Exclude namespaces that intentionally run
# outside baseline (see namespace PSA labels under clusters/noble/bootstrap/*/namespace.yaml)
# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
#
# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
#   kubectl delete clusterpolicyreport --all
#   kubectl delete policyreport -A --all
# (Reports are recreated on the next background scan.)
#
# Exclude blocks omit `kinds` so the same namespace skip applies to autogen rules for
# Deployments, DaemonSets, etc. (see kyverno/kyverno#4306).
#

# Render cluster-scoped policies (ClusterPolicy) rather than namespaced Policy objects.
policyKind: ClusterPolicy
policyType: ClusterPolicy

# PSS profile to render: baseline (not restricted). Switching to restricted adds the
# restricted-profile policies, which are NOT covered by the policyExclude map below.
podSecurityStandard: baseline
# Severity label stamped on the rendered policies (presumably the
# policies.kyverno.io/severity annotation; surfaces in PolicyReport results).
podSecuritySeverity: medium

# Audit: violations are only reported, never rejected at admission. Flipping this to
# Enforce turns every non-excluded namespace into a blocking check — review the
# exclude list and existing PolicyReports first.
validationFailureAction: Audit
# Webhook failure mode for the rendered policies (Fail | Ignore): how Kyverno's
# admission webhook handles internal errors and timeouts.
failurePolicy: Fail
# Let updates to resources that already violate a rule go through
# (presumably maps to validate.allowExistingViolations — confirm for chart 3.7.1).
validationAllowExistingViolations: true

# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/bootstrap).
#
# This `x-` key exists only to hold the YAML anchor; the chart does not read it.
# Anchors are resolved when Helm parses this file, so each policyExclude entry below
# receives its own copy of the list. Keep the anchor above its aliases.
# NOTE(review): assumes the chart has no values.schema.json rejecting unknown keys — confirm for 3.7.1.
x-kyverno-exclude-infra: &kyverno_exclude_infra
  any:
    - resources:
        namespaces:
          - kube-system
          - kube-public
          - kube-node-lease
          - argocd
          - cert-manager
          - external-secrets
          - headlamp
          - kyverno
          - logging
          - loki
          - longhorn-system
          - metallb-system
          - monitoring
          - newt
          - sealed-secrets
          - traefik
          - vault

# Per-policy exclude blocks (rendered as the policy's `exclude:` clause).
# Excluded namespaces are not evaluated at all: they get no admission check AND no
# PolicyReport rows, so a privileged workload there is invisible to Kyverno, not merely
# unblocked. The exemption also survives a later switch of validationFailureAction to
# Enforce. Review this list when a namespace stops needing host/privileged access.
# One entry per policy in the baseline profile — keep in sync with the chart's
# baseline policy set when bumping --version.
policyExclude:
  disallow-capabilities: *kyverno_exclude_infra
  disallow-host-namespaces: *kyverno_exclude_infra
  disallow-host-path: *kyverno_exclude_infra
  disallow-host-ports: *kyverno_exclude_infra
  disallow-host-process: *kyverno_exclude_infra
  disallow-privileged-containers: *kyverno_exclude_infra
  disallow-proc-mount: *kyverno_exclude_infra
  disallow-selinux: *kyverno_exclude_infra
  restrict-apparmor-profiles: *kyverno_exclude_infra
  restrict-seccomp: *kyverno_exclude_infra
  restrict-sysctls: *kyverno_exclude_infra