diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 3819fa956b..d92a76e99f 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -99,7 +99,7 @@ config:
   - "[*,kyverno,*]"
   # Or give the name of an existing config map (ignores default/provided resourceFilters)
   existingConfig: ''
-  excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
+  excludeGroupRole: ''
   # existingConfig: init-config
 
 service:
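Review bot: `excludeGroupRole: ''` now reads as though no group is exempt from policy, yet this same commit makes `pkg/config/dynamicconfig.go` append three system groups unconditionally. A comment above the key would keep that visible to operators, for example `# Additional groups to exclude; system:serviceaccounts:kube-system, system:nodes and system:kube-scheduler are always excluded by the controller`. It is also worth saying there that the built-in entries can no longer be removed through this value.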
diff --git a/definitions/install.yaml b/definitions/install.yaml
index d47e77e8c0..3985976273 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -766,7 +766,7 @@ spec:
       containers:
       - args:
         - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]
-        - --excludeGroupRole="system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler"
+        - --excludeGroupRole=""
         - -v=2
         env:
         - name: INIT_CONFIG
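Review bot: In `- --excludeGroupRole=""` the list item is a YAML plain scalar, so the two quote characters are part of the argument and the container receives the value `""` rather than an empty string. Unless the flag handling strips quotes (not visible here), `parseRbac` would then produce a single entry consisting of two quote characters. Writing the item as `- --excludeGroupRole=` or quoting it whole as `- "--excludeGroupRole="` passes a truly empty value. The same line appears in `definitions/manifest/deployment.yaml`.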
diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml
index fc772579b6..7a224434fd 100644
--- a/definitions/manifest/deployment.yaml
+++ b/definitions/manifest/deployment.yaml
@@ -31,7 +31,7 @@ spec:
           #- "--webhooktimeout=4"
           # enable profiling
           # - "--profile"
-          - --excludeGroupRole="system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler"
+          - --excludeGroupRole=""
           - "-v=2"
           ports:
             - containerPort: 443
diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go
index d03f8558cf..963d6a7a28 100644
--- a/pkg/config/dynamicconfig.go
+++ b/pkg/config/dynamicconfig.go
@@ -19,6 +19,8 @@ import (
 // this configmap stores the resources that are to be filtered
 const cmNameEnv string = "INIT_CONFIG"
 
+var defaultExcludeGroupRole []string = []string{"system:serviceaccounts:kube-system", "system:nodes","system:kube-scheduler"}
+
 // ConfigData stores the configuration
 type ConfigData struct {
 	client kubernetes.Interface
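Review bot: `defaultExcludeGroupRole` is added without a comment, although it hard-codes which groups are always exempted, which is the kind of list an auditor will look for. A doc comment such as `// defaultExcludeGroupRole lists the groups that are always appended to the configured excludeGroupRole entries.` would record the intent; that these groups are skipped by policy processing is inferred from the name and should be confirmed before it goes into the comment. The declaration can also drop the redundant type and be gofmt-formatted: `var defaultExcludeGroupRole = []string{"system:serviceaccounts:kube-system", "system:nodes", "system:kube-scheduler"}`.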
@@ -223,13 +225,14 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 		// update filters
 		cd.filters = newFilters
 	}
-	excludeGroupRoles := parseRbac(excludeGroupRole)
-	if reflect.DeepEqual(excludeGroupRoles, cd.excludeGroupRole) {
+	newExcludeGroupRoles := parseRbac(excludeGroupRole)
+	newExcludeGroupRoles = append(newExcludeGroupRoles,defaultExcludeGroupRole...)
+	if reflect.DeepEqual(newExcludeGroupRoles, cd.excludeGroupRole) {
 		logger.V(4).Info("excludeGroupRole did not change")
 	}else{
-		logger.V(2).Info("Updated resource excludeGroupRoles", "oldExcludeGroupRole", cd.excludeGroupRole, "newExcludeGroupRole", excludeGroupRoles)
+		logger.V(2).Info("Updated resource excludeGroupRoles", "oldExcludeGroupRole", cd.excludeGroupRole, "newExcludeGroupRole", newExcludeGroupRoles)
 		// update filters
-		cd.excludeGroupRole  = excludeGroupRoles
+		cd.excludeGroupRole  = newExcludeGroupRoles
 	}
 
 	excludeUsernames := parseRbac(excludeUsername)
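Review bot: The defaults are appended without checking whether the configured list already contains them, so a ConfigMap that still carries the previous default value ends up with each system group listed twice in `cd.excludeGroupRole`. The same append is repeated in `initRbac` and `unload`, which makes it easy for the three call sites to drift apart. A single helper that merges the defaults and skips ones already present would cover all three; the body of `load` starts outside this hunk.

```go
// mergeDefaultExcludeGroupRole returns roles followed by every built-in
// default group that roles does not already contain.
func mergeDefaultExcludeGroupRole(roles []string) []string {
	merged := append([]string{}, roles...)
	for _, def := range defaultExcludeGroupRole {
		found := false
		for _, r := range merged {
			if r == def {
				found = true
				break
			}
		}
		if !found {
			merged = append(merged, def)
		}
	}
	return merged
}

// … unchanged: filter handling earlier in load …
	newExcludeGroupRoles := mergeDefaultExcludeGroupRole(parseRbac(excludeGroupRole))
```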
@@ -267,6 +270,7 @@ func (cd *ConfigData) initRbac(action,exclude string) {
 	// update filters
 	if action == "excludeRoles" {
 		cd.excludeGroupRole = rbac
+		cd.excludeGroupRole =  append(cd.excludeGroupRole,defaultExcludeGroupRole...)
 	}else{
 		cd.excludeUsername = rbac
 	}
@@ -281,6 +285,7 @@ func (cd *ConfigData) unload(cm v1.ConfigMap) {
 	defer cd.mux.Unlock()
 	cd.filters = []k8Resource{}
 	cd.excludeGroupRole = []string{}
+	cd.excludeGroupRole = append(cd.excludeGroupRole,defaultExcludeGroupRole...)
 	cd.excludeUsername = []string{}
 }
 
@@ -320,10 +325,5 @@ func parseKinds(list string) []k8Resource {
 }
 
 func parseRbac(list string) []string {
-	elements := strings.Split(list, ",")
-	var exclude []string
-	for _,e := range elements {
-		exclude = append(exclude,e)
-	}
-	return exclude
+	return strings.Split(list, ",")
 }
\ No newline at end of file
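Review bot: `strings.Split("", ",")` returns a one-element slice holding the empty string, so with the manifests in this commit now defaulting the setting to empty, `parseRbac` returns `[""]` rather than an empty list. Whether an empty group name matters depends on the code that consumes `cd.excludeGroupRole`, which is outside this diff, but the entry does end up in the stored list and in the log line in `load`. A guard such as `if list == "" { return nil }` before the split avoids it. Trimming whitespace around each element would also make a value like `a, b` yield `b` rather than ` b`.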