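---
# Extra RBAC for Kyverno plus a generate policy that clones labelled Secrets
# from the `secrets` namespace into newly created namespaces.
#
# The rbac.kyverno.io/aggregate-to-* labels are intended to fold each
# ClusterRole into the ClusterRole of the named Kyverno controller.

# Read access to Secrets in every namespace (ClusterRole, so cluster-wide).
# NOTE(review): four controllers receive this grant. The only consumer
# visible in this file is the generate rule below; confirm that the reports
# and cleanup controllers need to read Secrets and drop their labels if not.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:resources:view
  labels:
    rbac.kyverno.io/aggregate-to-admission-controller: "true"
    rbac.kyverno.io/aggregate-to-reports-controller: "true"
    rbac.kyverno.io/aggregate-to-background-controller: "true"
    rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
rules:
  # The original rule also listed `pod` and `replicaset`. RBAC matches the
  # plural resource name (`pods`, `replicasets`), and replicasets belong to
  # the `apps` API group rather than the core group, so those entries
  # granted nothing. They are left out instead of being corrected because
  # the policy in this file only handles Secrets; add them back explicitly,
  # with the right group, only if another policy needs them.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Write access to Secrets in every namespace.
# NOTE(review): the cleanup-controller label widens who can create, update
# and delete Secrets cluster-wide; confirm it is needed for this policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:resources:manage
  labels:
    rbac.kyverno.io/aggregate-to-background-controller: "true"
    rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
rules:
  # `pod` and `replicaset` were dropped here for the same reason as in
  # kyverno:resources:view: as written they matched no resource, and
  # correcting them would hand Kyverno write access to workloads that
  # nothing in this file requires.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
      - update
      - delete
---
# When a Namespace is created (and is not in the exclude list), clone into it
# every Secret from the `secrets` namespace that carries the label
# allowedToBeCloned: "true".
#
# The label is the only gate on what gets distributed: whoever can create or
# label Secrets in `secrets` decides what lands in every new namespace, and
# whoever can read Secrets in a target namespace can read the clones. Keep
# write access to the `secrets` namespace narrow and label only material
# that every tenant is allowed to see.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-secret-with-multi-clone
spec:
  rules:
    - name: sync-secrets
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              # System and platform namespaces that must not receive clones.
              # `kyverno` appeared twice in the original list; the duplicate
              # is removed.
              namespaces:
                - kube-system
                - trivy-system
                - monitoring
                - argocd
                - cert-manager
                - kyverno
                - default
                - cilium-secrets
                - kube-public
      generate:
        # false: namespaces that already exist are not backfilled; only
        # namespaces admitted after the policy is installed trigger the rule.
        generateExisting: false
        # Target namespace is the Namespace object that triggered the rule.
        namespace: "{{request.object.metadata.name}}"
        # Keep the clones in step with their source Secrets.
        synchronize: true
        cloneList:
          namespace: secrets
          kinds:
            - v1/Secret
          selector:
            matchLabels:
              allowedToBeCloned: "true"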