mirror of https://github.com/kyverno/kyverno.git synced 2025-03-30 03:15:05 +00:00

Default exclusions in webhooks (#9948)

Chip Zoller 2024-03-27 09:49:36 -04:00 committed by GitHub
parent 8369ab6ee1
commit 299e4a0829
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 13 additions and 15 deletions


@ -293,8 +293,8 @@ The chart values are organised per component.
| config.excludeClusterRoles | list | `[]` | Exclude roles |
| config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.webhookAnnotations | object | `{}` | Defines annotations to set on webhook configurations. |
| config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. |
| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. |
| config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). |
| config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
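Review bot: the `config.webhooks` row's default now carries a `namespaceSelector` that skips `kube-system`, but the description column is unchanged and still says only that the Kyverno namespace is excluded; state there that `kube-system` is excluded by default as well, and that any policy meant to evaluate resources in it requires overriding this list. While in this table, the `config.excludeKyvernoNamespace` description runs two sentences together (`Exclude Kyverno namespace Determines if ...`), so add the missing period.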


@ -43,6 +43,4 @@ The following components have been installed in your cluster:
⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
{{- end }}
💡 Note: If Kyverno has been installed on AKS, it is likely you will need to disable the Admission Enforcer. Please see the Kyverno documentation at https://kyverno.io/docs/installation/platform-notes/#notes-for-aks-users for more details.
💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
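Review bot: dropping both post-install notes removes the only pointer to the security-vs-operability trade-off at exactly the moment the chart moves its default toward operability (no admission on `kube-system`); keep a one-line note pointing at https://kyverno.io/docs/installation/#security-vs-operability so operators who install with defaults learn that the namespace is not evaluated by policies. Removing the AKS note is consistent with the `admissions.enforcer/disabled` annotation now being set by default.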


@ -320,15 +320,14 @@ config:
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
# will be forwarded to the webhook configurations.
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
webhooks: []
webhooks:
# Exclude namespaces
# - namespaceSelector:
# matchExpressions:
# - key: kubernetes.io/metadata.name
# operator: NotIn
# values:
# - kube-system
# - kyverno
- namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
# Exclude objects
# - objectSelector:
# matchExpressions:
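Review bot: the commented example directly above the new default still lists `kyverno` alongside `kube-system`, while the live default lists only `kube-system` and relies on `excludeKyvernoNamespace` (described three lines earlier) for the Kyverno namespace; tighten the comment so it does not read as though `kyverno` must also be added here, otherwise the comment and the default diverge on the first edit. The selector keys on `kubernetes.io/metadata.name`, a label the API server has managed since Kubernetes 1.22, so the chart's minimum supported version should be at least that for the exclusion to be reliable.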
@ -336,9 +335,9 @@ config:
# operator: DoesNotExist
# -- Defines annotations to set on webhook configurations.
webhookAnnotations: {}
webhookAnnotations:
# Example to disable admission enforcer on AKS:
# 'admissions.enforcer/disabled': 'true'
'admissions.enforcer/disabled': 'true'
# -- Defines labels to set on webhook configurations.
webhookLabels: {}
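Review bot: promoting the AKS example to the unconditional default deletes the only comment explaining what `admissions.enforcer/disabled` is for; restore a comment stating that this annotation is read only by the AKS Admission Enforcer, is inert on other platforms, and is dropped entirely when a user overrides `webhookAnnotations` (for example with `{}`), because an override that silently drops it puts the AKS enforcer back in control of the Kyverno webhook configurations.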


@ -188,7 +188,8 @@ data:
[ServiceMonitor,kyverno,kyverno-reports-controller]
[Secret,kyverno,kyverno-svc.kyverno.svc.*]
[Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]"
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
---
apiVersion: v1
kind: ConfigMap
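Review bot: the expected `webhooks` string now emits two separate `matchExpressions` entries for the same key (`NotIn` `kube-system` and `NotIn` `kyverno`) plus a literal `\"matchLabels\":null`; the null indicates the template marshals a typed selector rather than the raw values entry, and an exact-string assertion on that output is brittle. Either merge the two expressions into one `NotIn` carrying both values where the Kyverno namespace entry is appended for `excludeKyvernoNamespace`, or omit the empty `matchLabels` field when serialising, and add a short comment in this test explaining why the default renders as two expressions.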