mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

Update the doc on how excluded userInfo flags (#1035)

* flags description added in documentation

* added exclude group role

* small docs changes
Yuvraj 2020-08-14 00:29:17 +05:30 committed by GitHub
parent d2ac5b829b
commit 6c174b19d1
GPG key ID: 4AEE18F83AFDEB23

@ -32,6 +32,12 @@ The Kyverno policy engine runs as an admission webhook and requires a CA-signed
There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver.
### Kyverno Flags
1. `excludeGroupRole` : excludeGroupRole role expected string with Comma seperated group role. It will exclude all the group role from the user request. Default we are using `system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler`.
2. `excludeUsername` : excludeUsername expected string with Comma seperated kubernetes username. In generate request if user enable `Synchronize` in generate policy then only kyverno can update/delete generated resource but admin can exclude specific username who have access of delete/update generated resource.
3. `filterK8Resources`: k8s resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. For example --filterKind "[Deployment, kyverno, kyverno]" --filterKind "[Deployment, kyverno, kyverno],[Events, *, *].
### Option 1: Use kube-controller-manager to generate a CA-signed certificate
Kyverno can request a CA signed certificate-key pair from `kube-controller-manager`. This method requires that the kube-controller-manager is configured to act as a certificate signer. To verify that this option is enabled for your cluster, check the command-line args for the kube-controller-manager. If `--cluster-signing-cert-file` and `--cluster-signing-key-file` are passed to the controller manager with paths to your CA's key-pair, then you can proceed to install Kyverno using this method.
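Review bot: The `filterK8Resources` entry (item 3) documents one flag name but both of its examples use `--filterKind`, and the second example never closes its quote, so a reader cannot tell which flag to pass or what a complete value looks like; use the same name in the entry and the examples and show one fully quoted value. Items 1 and 2 should also state what "exclude" means for admission: "It will exclude all the group role from the user request" does not say whether requests from the default groups (`system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler`) skip policy evaluation, which is what an operator needs to know before changing that list. The new `### Kyverno Flags` section also lands between "There are 2 ways to configure the secure communications link" and `### Option 1`, separating that sentence from the options it introduces; move the section above that sentence or after the options. Minor: "seperated" should be "separated" in items 1 and 2.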