Filter kyverno resources instead of entire kyverno namespace (#3170)
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
parent
373f421b07
commit
11311a15df
6 changed files with 19 additions and 19 deletions
|
@ -70,7 +70,7 @@ The following table lists the configurable parameters of the kyverno chart and t
|
|||
| `antiAffinity.enable` | pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node | `true` |
|
||||
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
|
||||
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
|
||||
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
|
||||
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
|
||||
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` |
|
||||
| `customLabels` | Additional labels | `{}` |
|
||||
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
|
||||
|
|
|
@ -160,7 +160,7 @@ config:
|
|||
- "[TokenReview,*,*]"
|
||||
- "[SubjectAccessReview,*,*]"
|
||||
- "[SelfSubjectAccessReview,*,*]"
|
||||
- "[*,kyverno,*]"
|
||||
- "[*,kyverno,kyverno*]"
|
||||
- "[Binding,*,*]"
|
||||
- "[ReplicaSet,*,*]"
|
||||
- "[ReportChangeRequest,*,*]"
|
||||
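Review bot: The new `[*,kyverno,kyverno*]` entry exempts by name prefix alone, so any object in the `kyverno` namespace whose name starts with `kyverno` still skips policy evaluation, whoever created it. Create rights in that namespace should therefore be limited by RBAC to the installer. Conversely, if the chart allows resource names to be overridden so that they no longer start with `kyverno` (not visible in this hunk), Kyverno's own objects would lose the exemption. A comment above the entry would record the intent, for example `# skip only Kyverno's own objects (name prefix "kyverno"); other workloads in this namespace are policy-evaluated`. The same pattern is repeated in the ConfigMap and `--filterK8sResources` values in the other file sections.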
|
|
|
@ -2142,9 +2142,9 @@ spec:
|
|||
- enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy attribute
|
||||
that specifies ValidationFailureAction namespace-wise. It overrides
|
||||
ValidationFailureAction for the specified namespaces.
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy
|
||||
attribute that specifies ValidationFailureAction namespace-wise.
|
||||
It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -5881,9 +5881,9 @@ spec:
|
|||
- enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy attribute
|
||||
that specifies ValidationFailureAction namespace-wise. It overrides
|
||||
ValidationFailureAction for the specified namespaces.
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy
|
||||
attribute that specifies ValidationFailureAction namespace-wise.
|
||||
It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7760,7 +7760,7 @@ apiVersion: v1
|
|||
data:
|
||||
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
|
||||
generateSuccessEvents: "false"
|
||||
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
|
||||
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
|
@ -7878,7 +7878,7 @@ spec:
|
|||
weight: 1
|
||||
containers:
|
||||
- args:
|
||||
- --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]
|
||||
- --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]
|
||||
- -v=2
|
||||
env:
|
||||
- name: INIT_CONFIG
|
||||
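Review bot: The `--filterK8sResources` argument and the ConfigMap's `resourceFilters` are two hand-maintained copies of the same list, and they already differ. The argument has no `[SelfSubjectAccessReview,*,*]` entry, while the ConfigMap value earlier in this file section does. Which copy takes precedence at runtime is not visible here, so either add `[SelfSubjectAccessReview,*,*]` after `[SubjectAccessReview,*,*]` in the argument or drop the argument and rely on the ConfigMap. The `args` list in the last file section (the Deployment manifest) has the same gap. The container spec continues outside this hunk.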
|
|
|
@ -2131,9 +2131,9 @@ spec:
|
|||
- enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy attribute
|
||||
that specifies ValidationFailureAction namespace-wise. It overrides
|
||||
ValidationFailureAction for the specified namespaces.
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy
|
||||
attribute that specifies ValidationFailureAction namespace-wise.
|
||||
It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -5846,9 +5846,9 @@ spec:
|
|||
- enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy attribute
|
||||
that specifies ValidationFailureAction namespace-wise. It overrides
|
||||
ValidationFailureAction for the specified namespaces.
|
||||
description: ValidationFailureActionOverrides is a Cluster Policy
|
||||
attribute that specifies ValidationFailureAction namespace-wise.
|
||||
It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7623,7 +7623,7 @@ apiVersion: v1
|
|||
data:
|
||||
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
|
||||
generateSuccessEvents: "false"
|
||||
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
|
||||
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
|
||||
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
|
||||
excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
|
||||
generateSuccessEvents: 'false'
|
||||
kind: ConfigMap
|
||||
|
|
|
@ -67,7 +67,7 @@ spec:
|
|||
image: ghcr.io/kyverno/kyverno:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
|
||||
- "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
|
||||
# customize webhook timeout
|
||||
#- "--webhookTimeout=4"
|
||||
# enable profiling
|
||||
|
|