From 835afaef499c8fbc2fd531f7260524bc9339aa7a Mon Sep 17 00:00:00 2001
From: "Radek Schekalla (SAP)"
Date: Wed, 12 Nov 2025 15:34:01 +0100
Subject: [PATCH 1/4] feat: set default values for kyverno if activated via env var

On-behalf-of: Radek Schekalla (SAP)
Signed-off-by: Radek Schekalla (SAP)
---
 .../core/cloudorchestrator/controller.go | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/internal/controller/core/cloudorchestrator/controller.go b/internal/controller/core/cloudorchestrator/controller.go
index 7b01414..270c4d7 100644
--- a/internal/controller/core/cloudorchestrator/controller.go
+++ b/internal/controller/core/cloudorchestrator/controller.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "os"
 "strings"
 "time"
 
@@ -42,6 +43,43 @@ import (
 const (
 defaultNamespace string = "openmcp-system" // TODO make this configurable
 ControllerName string = "CloudOrchestrator"
+
+ envEnableKyvernoDefaultValues string = "ENABLE_KYVERNO_DEFAULT_VALUES"
+ kyvernoDefaultValues string = `{
+ "config": {
+ "excludeGroups": [
+ "system:nodes"
+ ],
+ "preserve": false,
+ "resourceFilters": [
+ "[*/*,kyverno,*]",
+ "[*/*,istio-system,*]",
+ "[*/*,kyma-system,*]",
+ "[*/*,kube-system,*]",
+ "[*/*,kube-public,*]",
+ "[*/*,neo-core,*]"
+ ],
+ "updateRequestThreshold": 5000,
+ "webhooks": {
+ "namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "kubernetes.io/metadata.name",
+ "operator": "NotIn",
+ "values": [
+ "kube-system",
+ "kyverno",
+ "istio-system",
+ "kube-public",
+ "kyma-system",
+ "neo-core"
+ ]
+ }
+ ]
+ }
+ }
+ }
+}`
 )
 
 var (
@@ -367,8 +405,14 @@ func convertToControlPlaneSpec(coSpec *openmcpv1alpha1.CloudOrchestratorSpec, ap
 }
 
 if coSpec.Kyverno != nil {
+ var values *apiextensionsv1.JSON
+ if os.Getenv(envEnableKyvernoDefaultValues) == "true" {
+ values = &apiextensionsv1.JSON{Raw: []byte(kyvernoDefaultValues)}
+ }
+
 controlPlaneSpec.Kyverno = &corev1beta1.KyvernoConfig{
 Version: coSpec.Kyverno.Version,
+ Values: values,
 }
 }
 
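Review bot: `kyvernoDefaultValues` is handed to `apiextensionsv1.JSON{Raw: []byte(kyvernoDefaultValues)}` in the `coSpec.Kyverno != nil` branch without ever being validated, so a malformed literal is not a compile error and only surfaces when the ControlPlane object is serialized or validated downstream; since `encoding/json` is already imported, a unit test such as `if !json.Valid([]byte(kyvernoDefaultValues)) { t.Fatalf("kyvernoDefaultValues is not valid JSON") }` would catch later edits to the literal (PATCH 3/4 and 4/4 in this series change it). The namespaces listed in `resourceFilters` and in the webhook `namespaceSelector`, together with `excludeGroups: ["system:nodes"]`, are exactly where Kyverno policies will not be applied, which deserves a doc comment on the constant stating that these defaults exempt the listed system namespaces and node identities from admission so the enforcement gap is a documented decision rather than an accident. `os.Getenv(envEnableKyvernoDefaultValues) == "true"` accepts only that exact string; `strconv.ParseBool` (new import) would also take `1`/`TRUE` and lets a mis-set flag be reported instead of silently treated as off. `convertToControlPlaneSpec` starts and continues outside the hunk, and whether `coSpec.Kyverno` carries user-supplied values that this env-gated branch would override cannot be seen here — worth confirming.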
From 478a07240b70b38a91dcc0aef7450c7ca0e72db9 Mon Sep 17 00:00:00 2001
From: "Radek Schekalla (SAP)"
Date: Tue, 18 Nov 2025 09:29:32 +0100
Subject: [PATCH 2/4] feat: add env to helm chart deployment tempalte and values

On-behalf-of: Radek Schekalla (SAP)
Signed-off-by: Radek Schekalla (SAP)
---
 charts/mcp-operator/templates/deployment.yaml | 4 ++++
 charts/mcp-operator/values.yaml | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/charts/mcp-operator/templates/deployment.yaml b/charts/mcp-operator/templates/deployment.yaml
index 0e70ce0..55d9d40 100644
--- a/charts/mcp-operator/templates/deployment.yaml
+++ b/charts/mcp-operator/templates/deployment.yaml
@@ -91,6 +91,10 @@ spec:
 {{- if .Values.apiserver.worker.intervalTime }}
 - --apiserver-worker-interval={{ .Values.apiserver.worker.intervalTime }}
 {{- end }}
+ env:
+ {{- with .Values.managedcontrolplane.extraEnv }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 ports:
 {{- if not .Values.webhooks.disabled }}
 - name: webhooks-https
diff --git a/charts/mcp-operator/values.yaml b/charts/mcp-operator/values.yaml
index c016334..8b33d7c 100644
--- a/charts/mcp-operator/values.yaml
+++ b/charts/mcp-operator/values.yaml
@@ -54,6 +54,9 @@ webhooks:
 
 managedcontrolplane:
 disabled: false
+ # Extra environment variables to add to the init container.
+ extraEnv: [ ]
+
 apiserver:
 disabled: false
 # architecture:
From c1df795e88054b0bfeaf91c172f4c729fd089a30 Mon Sep 17 00:00:00 2001
From: rdksap
Date: Thu, 20 Nov 2025 14:45:32 +0100
Subject: [PATCH 3/4] Update internal/controller/core/cloudorchestrator/controller.go

Co-authored-by: Moritz Marby
---
 internal/controller/core/cloudorchestrator/controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/controller/core/cloudorchestrator/controller.go b/internal/controller/core/cloudorchestrator/controller.go
index 270c4d7..026ef08 100644
--- a/internal/controller/core/cloudorchestrator/controller.go
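Review bot: In the deployment.yaml hunk `env:` is emitted unconditionally while its content sits inside `{{- with .Values.managedcontrolplane.extraEnv }}`, so with the shipped default `extraEnv: [ ]` every render gains an empty `env:` key; moving the key into the block, `{{- with .Values.managedcontrolplane.extraEnv }}` / `env:` / `{{- toYaml . | nindent 10 }}`, keeps the rendered manifest byte-identical for charts that do not set it. Whether this container already declares an `env:` block elsewhere in the template is not visible in the hunk; if it does, a second `env:` key under the same container would need to be merged rather than added. The values.yaml comment says the variables go to "the init container", but the template inserts them next to the `--apiserver-worker-interval` argument, so the comment should name the container that actually receives them and point at the flag this was added for, e.g. `# Extra environment variables for the <container-name> container (e.g. ENABLE_KYVERNO_DEFAULT_VALUES).` with the real container name filled in.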
+++ b/internal/controller/core/cloudorchestrator/controller.go
@@ -57,7 +57,7 @@ const (
 "[*/*,kyma-system,*]",
 "[*/*,kube-system,*]",
 "[*/*,kube-public,*]",
- "[*/*,neo-core,*]"
+
 ],
 "updateRequestThreshold": 5000,
 "webhooks": {
From f1a44fb0a6ab2c7544a8ca441e91e8e5764eb02f Mon Sep 17 00:00:00 2001
From: rdksap
Date: Thu, 20 Nov 2025 14:45:45 +0100
Subject: [PATCH 4/4] Update internal/controller/core/cloudorchestrator/controller.go

Co-authored-by: Moritz Marby
---
 internal/controller/core/cloudorchestrator/controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/controller/core/cloudorchestrator/controller.go b/internal/controller/core/cloudorchestrator/controller.go
index 026ef08..2456864 100644
--- a/internal/controller/core/cloudorchestrator/controller.go
+++ b/internal/controller/core/cloudorchestrator/controller.go
@@ -72,7 +72,7 @@ const (
 "istio-system",
 "kube-public",
 "kyma-system",
- "neo-core"
+
 ]
 }
 ]
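Review bot: Dropping `"[*/*,neo-core,*]"` leaves the preceding `"[*/*,kube-public,*]",` as the last element of `resourceFilters` with a trailing comma, which is not valid JSON; PATCH 4/4 has the same defect, where `"kyma-system",` becomes the last entry of the `values` array. Because the literal is a Go raw string that goes straight into `apiextensionsv1.JSON.Raw`, neither edit is caught at compile time and the breakage will only show when the resulting ControlPlane object is serialized or validated downstream (the exact failure point is not visible here). The fix in both hunks is to strip the comma from the now-last entry, `"[*/*,kube-public,*]"` and `"kyma-system"` respectively, and to remove the blank line left where the entry was. A test asserting `json.Valid([]byte(kyvernoDefaultValues))` would have flagged both changes. The `const` block continues outside both hunks.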