apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-secret-with-multi-clone
spec:
  rules:
  - name: sync-secrets
    skipBackgroundRequests: true
    match:
      any:
      - resources:
          kinds:
          - Namespace
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - monitoring
          - argocd
          - cert-manager
          - kyverno
          - default
          - cilium-secrets
          - kube-public
          - kyverno
    generate:
      generateExisting: false
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      cloneList:
        namespace: secrets
        kinds:
        - v1/Secret
        selector:
          matchLabels:
            allowedToBeCloned: "true"