OSC · treydock · Feb 14, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/.github/config/kyverno-values.yaml b/.github/config/kyverno-values.yaml
@@ -11,6 +11,19 @@ admissionController:
       loggingFormat: text
       exceptionNamespace: kyverno
       webhookTimeout: 30
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups: ['']
+          resources: ['secrets']
+          verbs: ['get', 'list']
+backgroundController:
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups: ['']
+          resources: ['secrets']
+          verbs: ['get', 'list', 'create', 'update', 'delete']
 config:
   resourceFiltersIncludeNamespaces:
   - local-path-storage

diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kyverno-policies
 description: OSC Kyverno policies deployment
 type: application
-version: 0.38.0
+version: 0.39.0
 appVersion: "v1.14.5"
 maintainers:
   - name: treydock

diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
@@ -1,6 +1,6 @@
 # kyverno-policies
 
-![Version: 0.38.0](https://img.shields.io/badge/Version-0.38.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.14.5](https://img.shields.io/badge/AppVersion-v1.14.5-informational?style=flat-square)
+![Version: 0.39.0](https://img.shields.io/badge/Version-0.39.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.14.5](https://img.shields.io/badge/AppVersion-v1.14.5-informational?style=flat-square)
 
 OSC Kyverno policies deployment
 
@@ -299,6 +299,12 @@ OSC Kyverno policies deployment
     * Validates that namespaces have a service account label set when they have the paas role
   * Applies to: Namespace with paas role
 
+#### Generate policies
+
+* [sync-secrets](./templates/sync-secrets.yaml)
+  * Generate new secret by cloning the secret in `sync-secret` namespace label
+  * Applies to: Namespace with `sync-secret` label
+
 ### KeycloakClient policies
 
 #### Validating policies

diff --git a/charts/kyverno-policies/README.md.gotmpl b/charts/kyverno-policies/README.md.gotmpl
@@ -295,6 +295,12 @@
     * Validates that namespaces have a service account label set when they have the paas role
   * Applies to: Namespace with paas role
 
+#### Generate policies
+
+* [sync-secrets](./templates/sync-secrets.yaml)
+  * Generate new secret by cloning the secret in `sync-secret` namespace label
+  * Applies to: Namespace with `sync-secret` label
+
 ### KeycloakClient policies
 
 #### Validating policies

diff --git a/charts/kyverno-policies/templates/sync-secrets.yaml b/charts/kyverno-policies/templates/sync-secrets.yaml
@@ -0,0 +1,24 @@
+# https://github.com/kyverno/policies/blob/main/other/sync-secrets/sync-secrets.yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-secrets
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    match:
+      resources:
+        kinds:
+        - Namespace
+        selector:
+          matchLabels:
+            sync-secret: '*'
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.labels."sync-secret" }}`}}-gen'
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: '{{`{{ request.object.metadata.labels."sync-secret" }}`}}'
diff --git a/tests/kyverno-policies/sync-secrets/kyverno-test.yaml b/tests/kyverno-policies/sync-secrets/kyverno-test.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: sync-secrets
+policies:
+  - policy.yaml
+resources:
+  - resources.yaml
+variables: values.yaml
+results:
+  - policy: sync-secrets
+    rule: sync-image-pull-secret
+    resources:
+      - webservice
+    generatedResource: webservices-read-gen.yaml
+    cloneSourceResource: webservices-read.yaml
+    kind: Namespace
+    result: pass
+# Not working
+# https://github.com/kyverno/kyverno/issues/8942
+#  - policy: sync-secrets
+#    rule: sync-image-pull-secret
+#    resources:
+#      - paas
+#    cloneSourceResource: webservices-read.yaml
+#    kind: Namespace
+#    result: skip
+#checks:
+#- match:
+#    resource:
+#      kind: Namespace
+#      metadata:
+#        name: paas
+#    policy:
+#      kind: ClusterPolicy
+#      metadata:
+#        name: sync-secret
+#    rule:
+#      name: sync-image-pull-secret
+#  error:
+#    (status != 'pass'): true
diff --git a/tests/kyverno-policies/sync-secrets/resources.yaml b/tests/kyverno-policies/sync-secrets/resources.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: webservice
+  labels:
+    sync-secret: webservices-read
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: paas
diff --git a/tests/kyverno-policies/sync-secrets/values.yaml b/tests/kyverno-policies/sync-secrets/values.yaml
@@ -0,0 +1,9 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
+namespaceSelector:
+  - name: webservice
+    labels:
+      sync-secret: webservices-read
+  - name: paas
diff --git a/tests/kyverno-policies/sync-secrets/webservices-read-gen.yaml b/tests/kyverno-policies/sync-secrets/webservices-read-gen.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webservices-read-gen
+  namespace: webservice
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: supersecret
diff --git a/tests/kyverno-policies/sync-secrets/webservices-read.yaml b/tests/kyverno-policies/sync-secrets/webservices-read.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webservices-read
+  namespace: default
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: supersecret