kyverno: exclude calico-system from inject-keel-annotations

Stop the hourly Keel-vs-tigera-operator fight loop on calico-node DaemonSet (v3.26.5 ↔ v3.26.1). Live: re-annotated 4 calico-system workloads with keel.sh/policy=never; TF: added calico-system to the namespaces exclude list so any future mutate run won't re-inject. The previous calico unenrollment (label removal from namespace) wasn't enough — once Kyverno had stamped the policy=patch annotation on the Deployments/DaemonSets, removing the namespace label didn't strip the annotation, so Keel kept watching them. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 22:58:20 +00:00 · 2026-05-16 22:58:20 +00:00 · ec60af5fd4
commit ec60af5fd4
parent b48ddc09d6
1 changed files with 6 additions and 1 deletions
--- a/stacks/kyverno/modules/kyverno/keel-annotations.tf
+++ b/stacks/kyverno/modules/kyverno/keel-annotations.tf
@ -49,7 +49,12 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
          any = [
            {
              resources = {
-                namespaces = ["keel"]
+                # Keel must not auto-update itself (decision #11).
+                # calico-system: managed by tigera-operator via Installation CR.
+                #   Keel rewriting the calico-node DaemonSet image causes an
+                #   hourly fight loop (Keel → v3.26.5, operator → v3.26.1).
+                #   Calico version is bumped manually via the Installation CR.
+                namespaces = ["keel", "calico-system"]
              }
            },
            {