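# infrastructure/kyverno/kustomization.yaml
# Kyverno Policy Engine - GitOps-native Kubernetes policy enforcement
# CNCF Graduated project, integrates seamlessly with ArgoCD
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno

resources:
  - namespace.yaml
  - policies/

# Kyverno deployment via Helm
helmCharts:
  - name: kyverno
    repo: https://kyverno.github.io/kyverno/
    # Pinned chart version (quoted so it stays a string, never a float).
    version: "3.3.4"
    releaseName: kyverno
    namespace: kyverno
    valuesInline:
      # Admission controller replicas for HA
      admissionController:
        replicas: 3
        # The 3.x chart reads the admission-controller pod resources from
        # admissionController.container.resources; a top-level
        # admissionController.resources key is not consumed by the chart and
        # would leave the pod without limits. Confirm against the chart's
        # values.yaml when bumping the version above.
        container:
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 256Mi

      # Background controller for generate/mutate policies
      backgroundController:
        replicas: 2
        resources:
          limits:
            memory: 256Mi
          requests:
            cpu: 50m
            memory: 128Mi

      # Reports controller for policy reports
      reportsController:
        replicas: 2

      # Cleanup controller
      cleanupController:
        replicas: 2

      # Enable policy exception support.
      # PolicyException objects are only honoured from the namespace named
      # here, so the ability to exempt a workload from policy is bounded by
      # who can write to that namespace — keep its RBAC tight and avoid
      # granting tenants write access to it.
      features:
        policyExceptions:
          enabled: true
          namespace: "kyverno"

      # Webhooks config
      config:
        webhooks:
          # Exclude system namespaces from validation.
          # Objects in these namespaces never reach Kyverno's admission
          # webhooks, so no policy can block or mutate them there; keep the
          # list to the control-plane namespaces needed to avoid the webhook
          # blocking its own dependencies, and do not add tenant namespaces.
          - namespaceSelector:
              matchExpressions:
                - key: kubernetes.io/metadata.name
                  operator: NotIn
                  values:
                    - kube-system
                    - kube-public
                    - kube-node-lease
                    - kyverno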