First trial of sync hook to annotate system ns

charts/kubezero-kiam/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-kiam
 description: KubeZero Umbrella Chart for Kiam
 type: application
-version: 0.2.0
+version: 0.2.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/logo_small.png
 keywords:

charts/kubezero-kiam/templates/postsync-ns.yaml

@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kiam-kube-system-ns-annotation
+  namespace: kube-system
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+  labels:
+    app.kubernetes.io/name: {{ .name }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: kubezero
+spec:
+  template:
+    spec:
+      serviceAccountName: default
+      containers:
+        - name: kubectl
+          image: "bitnami/kubectl:latest"
+          imagePullPolicy: "IfNotPresent"
+          command:
+          - /bin/sh
+          - -c
+          - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*'
+      restartPolicy: Never