Mirror of https://github.com/kyverno/kyverno.git, synced 2025-03-31 03:45:17 +00:00
fix: filter resources names with helm custom release name (#3361)
* fix: configmap resource filters generated by helm does not account for namespace

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: ignore resources by helm chart

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
Parent: cc212ac766
Commit: b0860ba177
3 changed files with 74 additions and 1 deletion
@ -143,6 +143,34 @@ If `createSelfSignedCert` is `true`, Helm will take care of the steps of creatin
If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).

## Default resource filters

[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing.

This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds:
- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces
- all resources in all namespaces for the following resource kinds:
- `Event`
- `Node`
- `APIService`
- `TokenReview`
- `SubjectAccessReview`
- `SelfSubjectAccessReview`
- `Binding`
- `ReplicaSet`
- `ReportChangeRequest`
- `ClusterReportChangeRequest`
- all resources created by this chart itself

Those default exclusions are there to prevent disruptions as much as possible.
Under the hood, Kyverno installs an admission controller for critical cluster resources.
A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster.

You can however override the default resource filters by setting the `config.resourceFilters` stanza.
It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map.

Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.

## Source Code

* <https://github.com/kyverno/kyverno>
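Review bot: the added README prose carries three wording slips: `are a used to exclude` should read `are used to exclude`, `apropriate` should be `appropriate`, and `preventing pods to be scheduled` should be `preventing pods from being scheduled`. The identical text appears in the second hunk, which looks like the helm-docs template this README is rendered from (it ends in `{{ template "chart.sourcesSection" . }}`), so correct the wording there and regenerate the README instead of editing both copies by hand; otherwise the next helm-docs run reintroduces the typos.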
@ -64,6 +64,34 @@ If `createSelfSignedCert` is `true`, Helm will take care of the steps of creatin
If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).

## Default resource filters

[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing.

This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds:
- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces
- all resources in all namespaces for the following resource kinds:
- `Event`
- `Node`
- `APIService`
- `TokenReview`
- `SubjectAccessReview`
- `SelfSubjectAccessReview`
- `Binding`
- `ReplicaSet`
- `ReportChangeRequest`
- `ClusterReportChangeRequest`
- all resources created by this chart itself

Those default exclusions are there to prevent disruptions as much as possible.
Under the hood, Kyverno installs an admission controller for critical cluster resources.
A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster.

You can however override the default resource filters by setting the `config.resourceFilters` stanza.
It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map.

Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.

{{ template "chart.sourcesSection" . }}

{{ template "chart.requirementsSection" . }}
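Review bot: the documented list of default exclusions leaves out the `[*,<release namespace>,kyverno*]` filter that remains in values.yaml (third hunk), and that is the entry a security reviewer most needs to see: it exempts every resource in the release namespace whose name starts with `kyverno` from policy evaluation, whether or not the chart created it, which is broader than the `all resources created by this chart itself` bullet suggests. Since this change adds explicit per-kind, per-name entries precisely because a custom release name is not matched by that wildcard, either list the wildcard here as its own bullet or reconsider shipping it as a default now that the explicit entries exist; as written, any user workload named `kyverno-...` in that namespace silently bypasses admission policies.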
@ -216,11 +216,28 @@ config:
- '[TokenReview,*,*]'
- '[SubjectAccessReview,*,*]'
- '[SelfSubjectAccessReview,*,*]'
- '[*,{{ include "kyverno.namespace" . }},kyverno*]'
- '[Binding,*,*]'
- '[ReplicaSet,*,*]'
- '[ReportChangeRequest,*,*]'
- '[ClusterReportChangeRequest,*,*]'
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
- '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.configMapName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.metricsConfigMapName" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'

# -- Name of an existing config map (ignores default/provided resourceFilters)
existingConfig: ''
# -- Exclude group role
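Review bot: the namespace in the `Secret` entry's name part and in the `ServiceMonitor` entry's fallback is rendered with `{{ template "kyverno.namespace" . }}`, while every other new entry uses `{{ include "kyverno.namespace" . }}`; both produce the same string here, but `include` is the form that can sit in a pipeline and it is what the rest of the list uses, so switch those two for consistency. Two smaller points: the `ClusterRole`, `ClusterRoleBinding`, `Role` and `RoleBinding` entries match on the prefix wildcard `{{ template "kyverno.fullname" . }}:*`, which also exempts any RBAC object an operator later names with the release prefix, so a comment stating that the prefix match is intentional would help anyone reviewing a `config.resourceFilters` override; and `# exclude resources from the chart` could read `# exclude resources created by this chart` to match the README wording.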