From 6cf0f36339f2df55f223fe30ee07e4168b9e1f22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Thu, 18 May 2023 00:23:30 +0200
Subject: [PATCH] fix: do not exclude kube-system service accounts by default (#7225)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 charts/kyverno/README.md | 4 ++--
 charts/kyverno/values.yaml | 5 ++---
 config/install-latest-testing.yaml | 3 +--
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 89027acceb..60bf08318d 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -258,8 +258,8 @@ The chart values are organised per component.
 | config.annotations | object | `{}` | Additional annotations to add to the configmap. |
 | config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
 | config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
-| config.excludeGroups | list | `["system:serviceaccounts:kube-system","system:nodes"]` | Exclude groups |
-| config.excludeUsernames | list | `["!system:kube-scheduler"]` | Exclude usernames |
+| config.excludeGroups | list | `["system:nodes"]` | Exclude groups |
+| config.excludeUsernames | list | `[]` | Exclude usernames |
 | config.excludeRoles | list | `[]` | Exclude roles |
 | config.excludeClusterRoles | list | `[]` | Exclude roles |
 | config.generateSuccessEvents | bool | `false` | Generate success events. |
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 2ee1650a9a..a8d4cfe7bd 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -55,12 +55,11 @@ config: # -- Exclude groups excludeGroups: - - system:serviceaccounts:kube-system - system:nodes # -- Exclude usernames - excludeUsernames: - - '!system:kube-scheduler' + excludeUsernames: [] + # - '!system:kube-scheduler' # -- Exclude roles excludeRoles: [] diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index e219b3736e..e742f23aeb 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -76,8 +76,7 @@ data: enableDefaultRegistryMutation: "true" defaultRegistry: "docker.io" generateSuccessEvents: "false" - excludeGroups: "system:serviceaccounts:kube-system,system:nodes" - excludeUsernames: "!system:kube-scheduler" + excludeGroups: "system:nodes" resourceFilters: >- [*/*,kyverno,*] [Event,*,*]
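Review bot: The commented-out `# - '!system:kube-scheduler'` left under `excludeUsernames: []` and the bare `# -- Exclude groups` / `# -- Exclude usernames` doc comments do not tell an operator what exclusion does or why `system:nodes` stays on the list. These lists appear to decide which requesters Kyverno skips, so I would expand the comments, for example `# -- Exclude groups (requests from members of these groups are not evaluated against policies; keep this list minimal)` and `# Example: '!system:kube-scheduler' (a leading '!' presumably negates an exclusion; confirm)`. The rendered manifest in config/install-latest-testing.yaml now omits `excludeUsernames` altogether, so the effective value there is whatever Kyverno falls back to in code, which this patch does not show and is worth confirming. Clusters upgrading on default values will start applying policies to kube-system service accounts, which deserves an upgrade note so admission failures in that namespace are expected rather than a surprise. The `config:` mapping begins above the hunk.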