From 138561de14b2ca13e608aa97b041e88d3a8801fc Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 8 Nov 2023 01:57:35 +0800
Subject: [PATCH] fix(kyverno): rm hostNetwork & excludeClusterRoles
- also added more webhook objectSelector exclusions
---
 kube/deploy/core/kyverno/app/hr.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/kube/deploy/core/kyverno/app/hr.yaml b/kube/deploy/core/kyverno/app/hr.yaml
index 92998575..2af6d15b 100644
--- a/kube/deploy/core/kyverno/app/hr.yaml
+++ b/kube/deploy/core/kyverno/app/hr.yaml
@@ -22,19 +22,24 @@ spec:
 ingress.home.arpa/host: "allow"
 ingress.home.arpa/apiserver: "allow"
 egress.home.arpa/apiserver: "allow"
+ egress.home.arpa/host: "allow"
 config:
- excludeClusterRoles: ["cluster-admin"] # default kubeconfig cluster-admin role keeps getting locked out from `watch` operations like `k9s`
 webhooks:
 - objectSelector:
 matchExpressions:
+ - key: "kyverno.home.arpa/exclude"
+ operator: "DoesNotExist"
 - key: "kubernetes.io/hostname"
 operator: "DoesNotExist"
+ - key: "kubernetes.io/bootstrapping"
+ operator: "NotIn"
+ value: "rbac-defaults"
 admissionController:
 replicas: 3
 priorityClassName: "system-node-critical"
 apiPriorityAndFairness: true
- hostNetwork: true
- dnsPolicy: "ClusterFirstWithHostNet"
+ # hostNetwork: true
+ # dnsPolicy: "ClusterFirstWithHostNet"
 tolerations:
 - key: "node-role.kubernetes.io/control-plane"
 operator: "Exists"
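Review bot: The added `kubernetes.io/bootstrapping` expression uses `value: "rbac-defaults"`, but a label-selector requirement takes a list field named `values`, and `NotIn` requires that list to be non-empty; as written the expression will likely be rejected by the API server when the webhook configuration is applied, or the stray field silently dropped depending on how the chart serialises `config.webhooks`, so it should read `values: ["rbac-defaults"]`. Separately, the new `kyverno.home.arpa/exclude` / `DoesNotExist` exclusion is a self-service admission bypass: any principal that can set labels on an object can skip every Kyverno policy by adding that label, so it is worth restricting who may set it (for example a policy denying that label outside trusted namespaces) or at least documenting that intent next to the selector, e.g. `# opt-out label: anyone who can label an object can bypass admission with it; restrict via RBAC/policy`. The two commented-out `hostNetwork`/`dnsPolicy` lines would be cleaner removed outright now that the admission controller runs on the pod network, since the diff already records the old values. The `spec:` mapping these lines belong to begins outside the hunk.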