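{{- /*
Kyverno ClusterPolicy that generates a default-deny NetworkPolicy (Ingress and
Egress) in every Namespace matched by the rule, except the namespaces listed in
.Values.global.excludedNamespaces and
.Values.generateNetworkPolicy.excludedNamespaces.
Rendered only when .Values.generateNetworkPolicy.enabled is true.

Review notes:
  - Every excluded namespace is left without this baseline, so both lists
    should stay short and reviewed.
  - The generated policy denies all egress as well, which includes DNS;
    workloads need their own allow policies on top of it.
  - NOTE(review): no generateExisting setting is present, so namespaces that
    already exist are presumably not covered - confirm against the Kyverno
    version in use.
  - NOTE(review): NetworkPolicy only takes effect with a CNI plugin that
    enforces it, and Kyverno needs RBAC on networkpolicies to generate them -
    verify both in the target cluster.
*/ -}}
{{- if .Values.generateNetworkPolicy.enabled }}
{{- /* Treat a missing list as empty so concat does not fail on nil. */}}
{{- $excluded := concat (.Values.global.excludedNamespaces | default (list)) (.Values.generateNetworkPolicy.excludedNamespaces | default (list)) | uniq }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-default-networkpolicy
  annotations:
    policies.kyverno.io/title: "Генерация NetworkPolicy по умолчанию"
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: high
    # Annotation values must be strings; quoting keeps a templated value from
    # being re-typed by the YAML parser.
    policies.kyverno.io/version: {{ .Chart.Version | quote }}
    helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | quote }}
spec:
  rules:
    - name: generate-deny-all
      match:
        resources:
          kinds:
            - Namespace
      {{- if $excluded }}
      # Namespaces listed here get no generated default-deny policy.
      exclude:
        resources:
          names:
            {{- range $excluded }}
            - {{ . | quote }}
            {{- end }}
      {{- end }}
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-all
        # Helm emits the Kyverno variable literally; Kyverno fills in the name
        # of the Namespace from the request.
        namespace: "{{ "{{" }} request.object.metadata.name {{ "}}" }}"
        # Keeps the generated policy in step with this rule, so a manual edit
        # or deletion in the namespace does not silently remove the baseline.
        synchronize: true
        data:
          kind: NetworkPolicy
          apiVersion: networking.k8s.io/v1
          metadata:
            name: default-deny-all
            labels:
              generated-by: kyverno
              helm-release: {{ .Release.Name | quote }}
          spec:
            # Empty selector: the policy applies to every pod in the namespace.
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
{{- end }}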