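---
# ServiceAccount for the post-sync annotation Job below. It is pinned to
# kube-system so that it matches the ClusterRoleBinding subject and the Job's
# namespace regardless of the Helm release namespace; without the explicit
# namespace the SA would land in the release namespace and the Job (which is
# hard-wired to kube-system) would reference a SA that does not exist there.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kiam-namespace-annotate
  namespace: kube-system
  labels:
    app.kubernetes.io/name: "{{ .name }}"
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    app.kubernetes.io/managed-by: "{{ .Release.Service }}"
    app.kubernetes.io/part-of: kubezero
---
# Least-privilege role for the Job. The only object it ever touches is the
# kube-system Namespace, so the grant is restricted to that resource name
# instead of update/patch on every namespace in the cluster.
# rbac.authorization.k8s.io/v1 replaces the deprecated v1beta1 API.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kiam-namespace-annotate
  labels:
    app.kubernetes.io/name: "{{ .name }}"
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    app.kubernetes.io/managed-by: "{{ .Release.Service }}"
    app.kubernetes.io/part-of: kubezero
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    resourceNames:
      - kube-system
    verbs:
      # kubectl annotate reads the object before sending the patch, so get is
      # needed alongside patch; update is kept for kubectl's replace fallback.
      - get
      - update
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kiam-namespace-annotate
  labels:
    app.kubernetes.io/name: "{{ .name }}"
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    app.kubernetes.io/managed-by: "{{ .Release.Service }}"
    app.kubernetes.io/part-of: kubezero
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kiam-namespace-annotate
subjects:
  - kind: ServiceAccount
    name: kiam-namespace-annotate
    namespace: kube-system
---
# One-shot Job run by Argo CD as a PostSync hook. With HookSucceeded as the
# delete policy a successful Job is cleaned up automatically while a failed
# run is left in place for inspection.
apiVersion: batch/v1
kind: Job
metadata:
  name: kiam-kube-system-ns-annotation
  namespace: kube-system
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
  labels:
    app.kubernetes.io/name: "{{ .name }}"
    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    app.kubernetes.io/managed-by: "{{ .Release.Service }}"
    app.kubernetes.io/part-of: kubezero
spec:
  template:
    spec:
      serviceAccountName: kiam-namespace-annotate
      containers:
        - name: kubectl
          # NOTE(review): a mutable "latest" tag means the image that runs with
          # this cluster-scoped RBAC is whatever the registry serves at sync
          # time; pin to a specific version or digest, e.g.
          # "bitnami/kubectl:<VERSION>@sha256:<DIGEST>" (placeholder).
          image: "bitnami/kubectl:latest"
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          command:
            - /bin/sh
            - -c
            # kiam reads this namespace annotation as a regex of IAM roles that
            # pods in the namespace may assume; ".*" is the broadest possible
            # setting and permits any role kiam itself can assume.
            - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*'
      restartPolicy: Never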