diff --git a/CHANGELOG.md b/CHANGELOG.md index 40170dd43..d42006363 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Adding iPolicyExceptions for `cloud-provider-cloud-director-app`. + ## [0.15.2] - 2023-09-01 ### Changed diff --git a/helm/kyverno/templates/core-policies/vsphere/cloud-provider-for-vsphere-pss-exceptions.yaml b/helm/kyverno/templates/core-policies/vsphere/cloud-provider-for-vsphere-pss-exceptions.yaml new file mode 100644 index 000000000..796dbc211 --- /dev/null +++ b/helm/kyverno/templates/core-policies/vsphere/cloud-provider-for-vsphere-pss-exceptions.yaml @@ -0,0 +1,34 @@ +{{- if .Values.policyExceptions.enableVsphereProviderPolex }} +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: vsphere-cloud-provider-exceptions + namespace: {{ .Release.Namespace }} + labels: + {{- include "kyverno-stack.labels" . | nindent 4 }} +spec: + exceptions: + - policyName: disallow-host-path + ruleNames: + - autogen-host-path + - host-path + - policyName: disallow-host-namespaces + ruleNames: + - host-namespaces + - autogen-host-namespaces + - policyName: restrict-seccomp-strict + ruleNames: + - check-seccomp-strict + - autogen-check-seccomp-strict + match: + any: + - resources: + kinds: + - DaemonSet + - ReplicaSet + - Pod + namespaces: + - kube-system + names: + - cloud-provider-for-vsphere* +{{- end }} diff --git a/helm/kyverno/templates/core-policies/vsphere/kube-vip-cloud-provider-pss-exceptions.yaml b/helm/kyverno/templates/core-policies/vsphere/kube-vip-cloud-provider-pss-exceptions.yaml new file mode 100644 index 000000000..1b02140f1 --- /dev/null +++ b/helm/kyverno/templates/core-policies/vsphere/kube-vip-cloud-provider-pss-exceptions.yaml 
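Review bot: The match block at `names: - cloud-provider-for-vsphere*` keys the exception on a name prefix alone, so any Pod, DaemonSet or ReplicaSet created in kube-system under that prefix inherits the host-path, host-namespace and seccomp waivers regardless of which controller or image it belongs to; the exposure is bounded by who can create objects in kube-system, but the grant is still wider than the workload it is meant for. Kyverno match resources also accept `selector.matchLabels`, and binding the exception to the workload's own labels in addition to the name prefix would keep a look-alike object from picking up the waiver (label keys and values must come from the deployed manifests — use placeholders until confirmed). The same prefix-only pattern is used in the kube-vip-cloud-provider, kube-vip and vsphere-csi templates added below. Separately, the CHANGELOG entry in this commit reads `iPolicyExceptions` and names `cloud-provider-cloud-director-app`, neither of which matches the vSphere templates this diff actually adds.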
@@ -0,0 +1,34 @@
+{{- if .Values.policyExceptions.enableVsphereProviderPolex }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: kube-vip-cloud-provider-exceptions
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kyverno-stack.labels" . | nindent 4 }}
+spec:
+ exceptions:
+ - policyName: disallow-host-path
+ ruleNames:
+ - autogen-host-path
+ - host-path
+ - policyName: disallow-host-namespaces
+ ruleNames:
+ - host-namespaces
+ - autogen-host-namespaces
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - check-seccomp-strict
+ - autogen-check-seccomp-strict
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - ReplicaSet
+ - Pod
+ namespaces:
+ - kube-system
+ names:
+ - kube-vip-cloud-provider*
+{{- end }}
diff --git a/helm/kyverno/templates/core-policies/vsphere/kube-vip-pss-exceptions.yaml b/helm/kyverno/templates/core-policies/vsphere/kube-vip-pss-exceptions.yaml
new file mode 100644
index 000000000..393c2ed10
--- /dev/null
+++ b/helm/kyverno/templates/core-policies/vsphere/kube-vip-pss-exceptions.yaml
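Review bot: The `ruleNames` lists in this hunk are not ordered consistently — `disallow-host-path` lists `autogen-host-path` before `host-path`, while `disallow-host-namespaces` and `restrict-seccomp-strict` list the plain rule first — and the same mixture appears in the cloud-provider-for-vsphere and vsphere-csi templates, with only the kube-vip file ordered uniformly; writing every pair as `<rule>` then `autogen-<rule>` makes a missing autogen rule obvious at review time. The metadata, labels and match skeleton are otherwise identical across the four new files apart from the name, kinds and name prefix, so a single template ranging over a values list would keep them from drifting; that is a suggestion, not a blocker. The `{{- if }}` / `{{- end }}` guard is fully contained in this hunk.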
@@ -0,0 +1,55 @@
+{{- if .Values.policyExceptions.enableVsphereProviderPolex }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: kube-vip-exceptions
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kyverno-stack.labels" . | nindent 4 }}
+spec:
+ exceptions:
+ - policyName: disallow-capabilities
+ ruleNames:
+ - autogen-adding-capabilities
+ - adding-capabilities
+ - policyName: disallow-capabilities-strict
+ ruleNames:
+ - autogen-require-drop-all
+ - require-drop-all
+ - autogen-adding-capabilities-strict
+ - adding-capabilities-strict
+ - policyName: disallow-host-namespaces
+ ruleNames:
+ - autogen-host-namespaces
+ - host-namespaces
+ - policyName: disallow-privilege-escalation
+ ruleNames:
+ - autogen-privilege-escalation
+ - privilege-escalation
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - autogen-run-as-non-root
+ - run-as-non-root
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - autogen-check-seccomp-strict
+ - check-seccomp-strict
+ - policyName: restrict-image-registries
+ ruleNames:
+ - autogen-validate-registries
+ - validate-registries
+ - policyName: restrict-volume-types
+ ruleNames:
+ - autogen-restricted-volumes
+ - restricted-volumes
+ match:
+ any:
+ - resources:
+ kinds:
+ - DaemonSet
+ - Pod
+ namespaces:
+ - kube-system
+ names:
+ - kube-vip-svc-lb*
+{{- end }}
diff --git a/helm/kyverno/templates/core-policies/vsphere/vsphere-csi-driver-pss-exceptions.yaml b/helm/kyverno/templates/core-policies/vsphere/vsphere-csi-driver-pss-exceptions.yaml
new file mode 100644
index 000000000..0609f9fe6
--- /dev/null
+++ b/helm/kyverno/templates/core-policies/vsphere/vsphere-csi-driver-pss-exceptions.yaml
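Review bot: Exempting `restrict-image-registries` / `validate-registries` for `kube-vip-svc-lb*` switches the registry control off for that workload entirely rather than recording where its image is expected to come from; if the kube-vip image is pulled from a registry the policy does not yet allow, adding that registry to the policy's allowed list keeps the check active and leaves a visible record of the trusted source. Combined with the `disallow-capabilities`, `disallow-capabilities-strict`, `disallow-privilege-escalation`, `require-run-as-nonroot` and `restrict-volume-types` entries, this is close to a full PSS waiver for any DaemonSet or Pod under that prefix in kube-system, and nothing in the file says why. A short comment above `exceptions:` naming the concrete need would help the next reviewer, e.g. `# kube-vip handles the service VIP on the host network and needs extra capabilities — TODO confirm the exact set against the deployed manifest`.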
@@ -0,0 +1,55 @@
+{{- if .Values.policyExceptions.enableVsphereProviderPolex }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: vsphere-csi-exceptions
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kyverno-stack.labels" . | nindent 4 }}
+spec:
+ exceptions:
+ - policyName: disallow-privileged-containers
+ ruleNames:
+ - autogen-privileged-containers
+ - privileged-containers
+ - policyName: disallow-host-path
+ ruleNames:
+ - autogen-host-path
+ - host-path
+ - policyName: disallow-host-namespaces
+ ruleNames:
+ - host-namespaces
+ - autogen-host-namespaces
+ - policyName: disallow-host-ports
+ ruleNames:
+ - host-ports-none
+ - autogen-host-ports-none
+ - policyName: restrict-volume-types
+ ruleNames:
+ - restricted-volumes
+ - autogen-restricted-volumes
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - run-as-non-root
+ - autogen-run-as-non-root
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - check-seccomp-strict
+ - autogen-check-seccomp-strict
+ - policyName: disallow-privilege-escalation
+ ruleNames:
+ - privilege-escalation
+ - autogen-privilege-escalation
+ match:
+ any:
+ - resources:
+ kinds:
+ - DaemonSet
+ - Deployment
+ - ReplicaSet
+ - Pod
+ namespaces:
+ - kube-system
+ names:
+ - vsphere-csi*
+{{- end }}
diff --git a/helm/kyverno/values.schema.json b/helm/kyverno/values.schema.json
index a96e59600..df77c74d1 100644
--- a/helm/kyverno/values.schema.json
+++ b/helm/kyverno/values.schema.json
@@ -2211,6 +2211,9 @@
 "enableChartOperatorPolex": {
 "type": "boolean"
 },
+ "enableVsphereProviderPolex": {
+ "type": "boolean"
+ },
 "enableNoisyContextsPolicy": {
 "type": "boolean"
 },
diff --git a/helm/kyverno/values.yaml b/helm/kyverno/values.yaml
index a43010220..cc3f1923d 100644
--- a/helm/kyverno/values.yaml
+++ b/helm/kyverno/values.yaml
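Review bot: The `disallow-privileged-containers` waiver is granted to every kind under `kinds:` — DaemonSet, Deployment, ReplicaSet and Pod — for any name starting with `vsphere-csi*`, so the controller Deployment receives the same privileged-container and host-path exemption as the node DaemonSet. If, as is usual for CSI drivers, only the node plugin needs privileged mode and host paths, splitting this into two exceptions (one for the DaemonSet carrying the privileged/host-path/host-ports rules, one for the Deployment carrying the narrower set) limits the privileged waiver to the component that needs it — confirm against the deployed vSphere CSI manifests before narrowing. The `ruleNames` order is also mixed here (the first two entries autogen-first, the remaining six plain-first); pick one ordering for the directory.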
@@ -61,6 +61,9 @@ policyExceptions: # Deploy a PolicyException for chart-operator (required for Giant Swarm clusters). enableChartOperatorPolex: true + # Deploy PolicyExceptions for vsphere provider - cpi, kubevip, etc. (required for Giant Swarm clusters). + enableVsphereProviderPolex: false + # Deploy a ClusterPolicy which prevents other Policies and ClusterPolicies from matching all resource types. # Matching all (*) kinds results in excessive and unnecessary admission review load. enableWildcardMatchPolicy: true
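Review bot: The new comment says the vSphere PolicyExceptions are `(required for Giant Swarm clusters)` while the default is `false`, which contradicts the `enableChartOperatorPolex` line just above where the same wording accompanies `true`; a reader cannot tell whether enabling it is mandatory. Suggested wording: `# Deploy PolicyExceptions for the vSphere provider components (cloud-provider-for-vsphere, kube-vip, vsphere-csi). Required on vSphere clusters; leave false elsewhere.` It would also help to state that the exceptions match workloads in kube-system by name prefix, so operators know what the flag grants. The enclosing `policyExceptions:` mapping starts before this hunk.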