mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

Filter kyverno resources instead of entire kyverno namespace (#3170)

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Abhinav Sinha 2022-02-04 06:08:47 +05:30 committed by GitHub
parent 373f421b07
commit 11311a15df
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 19 additions and 19 deletions


@ -70,7 +70,7 @@ The following table lists the configurable parameters of the kyverno chart and t
| `antiAffinity.enable` | pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node | `true` |
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` |
| `customLabels` | Additional labels | `{}` |
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |


@ -160,7 +160,7 @@ config:
- "[TokenReview,*,*]"
- "[SubjectAccessReview,*,*]"
- "[SelfSubjectAccessReview,*,*]"
- "[*,kyverno,*]"
- "[*,kyverno,kyverno*]"
- "[Binding,*,*]"
- "[ReplicaSet,*,*]"
- "[ReportChangeRequest,*,*]"
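Review bot: The replacement entry `[*,kyverno,kyverno*]` still matches on namespace and name prefix only, with the kind left as `*`, so every object in the `kyverno` namespace whose name begins with `kyverno` continues to bypass the policy engine regardless of who created it. It also appears to assume that the installed resources carry that prefix and live in a namespace literally called `kyverno`; a release installed under a different name or namespace would presumably no longer be covered and could be subjected to its own policies, which is worth confirming against the chart's naming templates. The same entry is repeated in the ConfigMap and container-args hunks further down the page. I would add a comment above the entry, e.g. `# exempts only objects named kyverno* in the kyverno namespace; update if the release name or namespace differs`, and treat create rights in that namespace as sensitive. The `resourceFilters` list starts and ends outside this hunk.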


@ -2142,9 +2142,9 @@ spec:
- enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute
that specifies ValidationFailureAction namespace-wise. It overrides
ValidationFailureAction for the specified namespaces.
description: ValidationFailureActionOverrides is a Cluster Policy
attribute that specifies ValidationFailureAction namespace-wise.
It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@ -5881,9 +5881,9 @@ spec:
- enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute
that specifies ValidationFailureAction namespace-wise. It overrides
ValidationFailureAction for the specified namespaces.
description: ValidationFailureActionOverrides is a Cluster Policy
attribute that specifies ValidationFailureAction namespace-wise.
It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@ -7760,7 +7760,7 @@ apiVersion: v1
data:
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
generateSuccessEvents: "false"
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
labels:
@ -7878,7 +7878,7 @@ spec:
weight: 1
containers:
- args:
- --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]
- --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]
- -v=2
env:
- name: INIT_CONFIG
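Review bot: The `--filterK8sResources` argument in the last hunk of this section does not list `[SelfSubjectAccessReview,*,*]`, while the ConfigMap `resourceFilters` value in the hunk before it does, so the two copies of the filter list have already drifted and this commit has to patch `[*,kyverno,kyverno*]` into each by hand. The same argument, with the same missing entry, appears in the final file section of the page. Which of the two sources wins at runtime is not visible here; if the ConfigMap is the intended one, consider dropping the flag from the manifest, otherwise add the missing entry and a comment such as `# keep in sync with resourceFilters in the ConfigMap` above the arg. The container spec continues outside the hunk.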


@ -2131,9 +2131,9 @@ spec:
- enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute
that specifies ValidationFailureAction namespace-wise. It overrides
ValidationFailureAction for the specified namespaces.
description: ValidationFailureActionOverrides is a Cluster Policy
attribute that specifies ValidationFailureAction namespace-wise.
It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@ -5846,9 +5846,9 @@ spec:
- enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute
that specifies ValidationFailureAction namespace-wise. It overrides
ValidationFailureAction for the specified namespaces.
description: ValidationFailureActionOverrides is a Cluster Policy
attribute that specifies ValidationFailureAction namespace-wise.
It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
@ -7623,7 +7623,7 @@ apiVersion: v1
data:
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
generateSuccessEvents: "false"
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
labels:


@ -1,6 +1,6 @@
apiVersion: v1
data:
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
generateSuccessEvents: 'false'
kind: ConfigMap


@ -67,7 +67,7 @@ spec:
image: ghcr.io/kyverno/kyverno:latest
imagePullPolicy: IfNotPresent
args:
- "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
- "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
# customize webhook timeout
#- "--webhookTimeout=4"
# enable profiling