
[BUG] Can we patch Kyverno policies using Kustomize?  #2408

@shilpa-0

Description

Kyverno v1.4.2

I want to be able to patch Kyverno policies using Kustomize.

The idea is to have the policies in a separate repo and to be able to use the policies in separate environments by applying different exclusions, matches etc.

So, to test this, I have 3 files in a folder.

1. The policy `disallow-host-namespaces.yaml`
   https://github.com/kyverno/policies/blob/73b7140849a033b3d772ec644f86d07a62876ac8/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml

2. The patch `patch.yaml`

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-namespaces
spec:
  rules:
    - name: host-namespaces
      exclude:
        resources:
          namespaces:
            - flux-system
            - linkerd
            - network
            - observability
            - security
            - cron
```

3. `kustomization.yaml`

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./disallow-host-namespaces.yaml
patchesStrategicMerge:
  - ./patch.yaml
```

The following is the output from `kustomize build`:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/description: Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`.
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
  name: disallow-host-namespaces
spec:
  background: true
  rules:
  - exclude:
      resources:
        namespaces:
        - flux-system
        - linkerd
        - network
        - observability
        - security
        - cron
    name: host-namespaces
  validationFailureAction: audit
```

I expected it to output the entire policy with the exclude namespaces merged.

Am I missing something here?
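What the output above shows is Kustomize's documented handling of lists in custom resources: a strategic merge patch can only merge a list element by element when it knows the list's merge key from an OpenAPI schema, and for a CRD such as Kyverno's `ClusterPolicy` it has no schema unless one is supplied, so the `spec.rules` list from the patch replaces the policy's list wholesale and the `validate` block disappears. The kustomization below, an added example that is not from the issue or the Kyverno project, sidesteps the merge with an RFC 6902 JSON patch that inserts only the `exclude` block into the first rule. It assumes the same policy file name as above, a patch file named `exclude-namespaces.patch.yaml`, and that the rule to be patched is at index `0` of `spec.rules`.

```yaml
# kustomization.yaml (added example; assumes the policy file name from the issue)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./disallow-host-namespaces.yaml
patchesJson6902:
  - target:
      group: kyverno.io
      version: v1
      kind: ClusterPolicy
      name: disallow-host-namespaces
    path: ./exclude-namespaces.patch.yaml
---
# exclude-namespaces.patch.yaml (assumed file name): an RFC 6902 patch.
# "add" at a JSON pointer inserts just this key into rule 0; the rule's
# name, validate block and the policy's other spec fields are left as they are.
- op: add
  path: /spec/rules/0/exclude
  value:
    resources:
      namespaces:
        - flux-system
        - linkerd
        - network
        - observability
        - security
        - cron
```

A JSON pointer is positional, so if the upstream policy later gains a rule or reorders its rules the patch will silently land on the wrong one; after each upstream update, check the `kustomize build` output still contains the `validate` block next to the new `exclude` block. Newer Kustomize versions accept the same `target`/`path` pair under the `patches` field, and for a strategic merge to work on this list you would instead have to give Kustomize an OpenAPI schema that declares `name` as the merge key for `spec.rules`.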

Labels: bug (Something isn't working), good first issue (Good for newcomers)