order

cluster-resources/policies/auth-sidecar-injector.yaml

@@ -10,18 +10,47 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
-      Injects an auth sidecar container into Pods annotated with
+      Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". The sidecar proxies requests through a token-based auth layer and a NetworkPolicy is generated to restrict ingress to the sidecar port only. If the auth-tokens Secret does not exist in the namespace, an empty one is created to prevent volume mount failures. Upstream URL and image can be overridden via policies.forteapps.io/auth-upstream-url and policies.forteapps.io/auth-image annotations. When auth-upstream-url is not set, the first containerPort of the first existing container is used.
-      policies.forteapps.io/auth: "true". The sidecar proxies requests through
-      a token-based auth layer and a NetworkPolicy is generated to restrict
-      ingress to the sidecar port only. If the auth-tokens Secret does not
-      exist in the namespace, an empty one is created to prevent volume mount
-      failures. Upstream URL and image can be overridden via
-      policies.forteapps.io/auth-upstream-url and
-      policies.forteapps.io/auth-image annotations. When auth-upstream-url is
-      not set, the first containerPort of the first existing container is used.
 spec:
   background: false
   rules:
+  - name: generate-auth-tokens-secret
+    skipBackgroundRequests: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          annotations:
+            policies.forteapps.io/auth: "true"
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - kyverno
+          - argocd
+          - cert-manager
+          - monitoring
+    preconditions:
+      all:
+      - key: "{{ request.operation }}"
+        operator: In
+        value:
+        - CREATE
+    generate:
+      synchronize: false
+      apiVersion: v1
+      kind: Secret
+      name: auth-tokens
+      namespace: "{{ request.namespace }}"
+      data:
+        metadata:
+          labels:
+            app.kubernetes.io/managed-by: kyverno
+            app.kubernetes.io/created-by: inject-auth-sidecar
+        type: Opaque
+        data: {}
   - name: inject-sidecar
     skipBackgroundRequests: true
     match:
@@ -97,43 +126,6 @@ spec:
             secret:
               secretName: auth-tokens
               optional: true
-  - name: generate-auth-tokens-secret
-    skipBackgroundRequests: true
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-          annotations:
-            policies.forteapps.io/auth: "true"
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - kube-system
-          - kyverno
-          - argocd
-          - cert-manager
-          - monitoring
-    preconditions:
-      all:
-      - key: "{{ request.operation }}"
-        operator: In
-        value:
-        - CREATE
-    generate:
-      synchronize: false
-      apiVersion: v1
-      kind: Secret
-      name: auth-tokens
-      namespace: "{{ request.namespace }}"
-      data:
-        metadata:
-          labels:
-            app.kubernetes.io/managed-by: kyverno
-            app.kubernetes.io/created-by: inject-auth-sidecar
-        type: Opaque
-        data: {}
   - name: generate-auth-network-policy
     skipBackgroundRequests: true
     match:
@@ -171,8 +163,7 @@ spec:
             app.kubernetes.io/created-by: inject-auth-sidecar
         spec:
           podSelector:
-            matchLabels:
+            matchLabels: "{{ request.object.metadata.labels }}"
-              "{{ request.object.metadata.labels }}"
           policyTypes:
           - Ingress
           ingress: