[Helm] Added ability to remove namespaces from default resourceFilters list (#4299)

Fixes #4287 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-08-12 05:36:01 -04:00 · 2022-08-12 05:36:01 -04:00 · b02da637b2
commit b02da637b2
parent 0bb575442d
4 changed files with 15 additions and 1 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -28,3 +28,5 @@ annotations:
  artifacthub.io/changes: |
    - kind: added
      description: Added possibility to define additional init and sidecar container
+    - kind: added
+      description: Added ability to remove namespaces from default resourceFilters list
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -108,6 +108,7 @@ The command removes all the Kubernetes components associated with the chart and
 | readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
 | generatecontrollerExtraResources | string | `nil` |  |
 | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
+| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
 | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
 | config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) |
 | config.excludeGroupRole | string | `nil` | Exclude group role |
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@ -123,6 +123,13 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
 {{- if .Values.excludeKyvernoNamespace }}
  {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
 {{- end }}
+{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
+  {{- range $filter := $resourceFilters }}
+    {{- if (contains (printf ",%s," $exclude) $filter) }}
+      {{- $resourceFilters = without $resourceFilters $filter }}
+    {{- end }}
+  {{- end }}
+{{- end }}
 {{- tpl (join "" $resourceFilters) . }}
 {{- end }}

@ -136,4 +143,4 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
  {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
 {{- end }}
 {{- $newWebhook | toJson }}
-{{- end }}
+{{- end }}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -230,6 +230,10 @@ generatecontrollerExtraResources:
 # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
 excludeKyvernoNamespace: true

+# -- resourceFilter namespace exclude
+# Namespaces to exclude from the default resourceFilters
+resourceFiltersExcludeNamespaces: []
+
 config:
  # -- Resource types to be skipped by the Kyverno policy engine.
  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.