diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 964dfb18a4..0856a663f7 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -67,6 +67,7 @@ The following table lists the configurable parameters of the kyverno chart and t
 | `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
 | `policyExclude` | Exclude resources from individual policies | `{}` |
 | `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
+| `validationFailureActionOverrides` | Set validate failure action overrides to either all policies or select policies. See: https://kyverno.io/docs/writing-policies/validate/ | `{}` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/charts/kyverno-policies/ci/test-values.yaml b/charts/kyverno-policies/ci/test-values.yaml
index 9788cebfe0..a7c69adb5e 100644
--- a/charts/kyverno-policies/ci/test-values.yaml
+++ b/charts/kyverno-policies/ci/test-values.yaml
@@ -1,6 +1,15 @@
 podSecurityStandard: restricted
 includeOtherPolicies:
 - require-non-root-groups
+validationFailureActionOverrides:
+ all:
+ - action: audit
+ namespaces:
+ - ingress-nginx
+ disallow-host-path:
+ - action: audit
+ namespaces:
+ - fluent
 policyExclude:
 disallow-host-path:
 any:
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
index f8923f2364..fdf232ecc5 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -19,6 +19,9 @@ metadata:
 Adding capabilities beyond those listed in the policy must be disallowed.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: adding-capabilities
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
index bfb4053b72..bbb825d931 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -20,6 +20,9 @@ metadata:
 fields which make use of these host namespaces are unset or set to `false`.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: host-namespaces
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
index d16219fcac..3b564d4989 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
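Review bot: The `all` lookup in the added `with` line is not nil-safe: `index .Values "validationFailureActionOverrides" "all"` yields nil when a user nulls `all` (Helm's value merge keeps the chart default for `{}`, but `all: null` or `--set validationFailureActionOverrides.all=null` removes it), and as far as I can tell Sprig's `concat` rejects a nil argument, so the whole release fails to render; only the `$name` lookup is wrapped in `default list`. Guarding both the same way, `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`, keeps rendering robust and also matches the README row, which documents the default as `{}`. The same line is repeated verbatim in the other seventeen template hunks of this commit (disallow-host-namespaces through restrict-volume-types), so a single named template in the chart's helpers file would keep the copies from drifting when this is fixed. `$name` is defined above the hunk and the `spec:` block continues past it.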
@@ -19,6 +19,9 @@ metadata:
 and should not be allowed. This policy ensures no hostPath volumes are in use.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: host-path
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
index a91b7a275e..1f0d489a53 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -19,6 +19,9 @@ metadata:
 field is unset or set to `0`.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: host-ports-none
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
index 7f834fb229..ac53abc036 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@@ -20,6 +20,9 @@ metadata:
 the `hostProcess` field, if present, is set to `false`.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: host-process-containers
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
index 539e05ea17..8e1c3fef6a 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -18,6 +18,9 @@ metadata:
 ensures Pods do not call for privileged mode.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: privileged-containers
diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
index 2978933308..2a1d7607d2 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -20,6 +20,9 @@ metadata:
 server.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: check-proc-mount
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
index 77332903a5..a6642a53ea 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@@ -18,6 +18,9 @@ metadata:
 ensures that the `seLinuxOptions` field is undefined.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: selinux-type
diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
index 43b9d1a171..5dfb68db15 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@@ -21,6 +21,9 @@ metadata:
 specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: app-armor
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
index bab2e57c46..b9a4aff4bc 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -20,6 +20,9 @@ metadata:
 spec:
 background: true
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 rules:
 - name: check-seccomp
 match:
diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
index fcf36d598b..70ff5bd7c4 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -22,6 +22,9 @@ metadata:
 a Pod.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: check-sysctls
diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
index b1c776c652..a681d92573 100644
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@@ -20,6 +20,9 @@ metadata:
 using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: check-runasgroup
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index 6655b071eb..440637ad9a 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -20,6 +20,9 @@ metadata:
 all containers must explicitly drop `ALL` capabilities.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: require-drop-all
diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index 264b5df41b..eeb780c546 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -18,6 +18,9 @@ metadata:
 This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: privilege-escalation
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index 2ceba4feaf..d03392ef61 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -18,6 +18,9 @@ metadata:
 `runAsUser` is either unset or set to a number greater than zero.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: run-as-non-root-user
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index f64acdad2f..edf22b19d0 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -19,6 +19,9 @@ metadata:
 using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: run-as-non-root
diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index e6962ec1bc..d99b38da92 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -22,6 +22,9 @@ metadata:
 spec:
 background: true
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 rules:
 - name: check-seccomp-strict
 match:
diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index 9352f281b7..a45f54d371 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -21,6 +21,9 @@ metadata:
 This policy blocks any other type of volume other than those in the allow list.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
+ {{- end }}
 background: true
 rules:
 - name: restricted-volumes
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index 9269cfdada..452ca5b3d9 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@@ -13,6 +13,20 @@ includeOtherPolicies: []
 # Supported values- `audit`, `enforce`
 # For more info- https://kyverno.io/docs/writing-policies/validate/
 validationFailureAction: audit
+# Define validationFailureActionOverrides for specific policies.
+# The overrides for 'all' will apply to all policies
+# Eg:
+# validationFailureActionOverrides:
+# all:
+# - action: audit
+# namespaces:
+# - ingress-nginx
+# disallow-host-path:
+# - action: audit
+# namespaces:
+# - fluent
+validationFailureActionOverrides:
+ all: []
 # Exclude resources from individual policies
 # Eg:
 # policyExclude:
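Review bot: The new comment block above `validationFailureActionOverrides:` does not say what an `all` entry does to the security posture, and the default it ships (`all: []`) disagrees with the README hunk in this commit, which documents the default as `{}`; the templates concat `all` with the per-policy list, so the value must stay a list and the two places should agree. I would add `# Entries under 'all' are concatenated with the per-policy entries; an 'all' entry with action: audit turns every policy in those namespaces into report-only, so keep that list short and reviewed.` and `# Keep 'all' a list (leave it as [] rather than null): the templates concat it with the per-policy list.` to the comment. If `all` and a per-policy entry name the same namespace with different actions, which one Kyverno applies is not documented here either; a sentence stating the intended precedence would help operators reading this file.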