mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
add allowExistingViolations option in policy chart (#11656)
Until now it was not possible to set the allowExistingViolations for predefined policies in the policies chart. By default it should be set to , identical to how it is set up in the CRDs. Not only does this now allow users to set the config according to their needs, but this also solves a problem with ArgoCD. As the CRDs set it to true, but the template does not specifically declare the field, ArgoCD falls into a constant sync loop of trying to remove the field. Signed-off-by: ProbstenHias <matthias.weilinger@gmx.de> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
This commit is contained in:
Matthias Weilinger
GitHub
parent
d100202d22
commit
bb3e7d9ddc
20 changed files with 27 additions and 0 deletions
|
|
@ -84,6 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
|
||||
| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
|
||||
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
|
||||
| validationAllowExistingViolations | bool | `true` | Validate already existing resources. For more info https://kyverno.io/docs/writing-policies/validate. |
|
||||
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
|
||||
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
|
||||
| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. |
|
||||
|
|
|
|||
|
|
@ -68,6 +68,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
|
||||
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
|
||||
|
|
|
|||
|
|
@ -52,6 +52,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
|
||||
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
|
||||
pattern:
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
|
||||
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
|
||||
|
|
|
|||
|
|
@ -52,6 +52,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
|
||||
spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
|
||||
|
|
|
|||
|
|
@ -50,6 +50,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
|
||||
and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
|
||||
|
|
|
|||
|
|
@ -52,6 +52,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Changing the proc mount from the default is not allowed. The fields
|
||||
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
|
||||
|
|
|
|||
|
|
@ -50,6 +50,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Setting the SELinux type is restricted. The fields
|
||||
spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
|
||||
|
|
@ -98,6 +99,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Setting the SELinux user or role is forbidden. The fields
|
||||
spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
|
||||
|
|
|
|||
|
|
@ -53,6 +53,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Specifying other AppArmor profiles is disallowed. The annotation
|
||||
`container.apparmor.security.beta.kubernetes.io` if defined
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Use of custom Seccomp profiles is disallowed. The fields
|
||||
spec.securityContext.seccompProfile.type,
|
||||
|
|
|
|||
|
|
@ -54,6 +54,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Setting additional sysctls above the allowed type is disallowed.
|
||||
The field spec.securityContext.sysctls must be unset or not use any other names
|
||||
|
|
|
|||
|
|
@ -52,6 +52,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Running with root group IDs is disallowed. The fields
|
||||
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
|
||||
|
|
@ -107,6 +108,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Containers cannot run with a root primary or supplementary GID. The field
|
||||
spec.securityContext.supplementalGroups must be unset or
|
||||
|
|
@ -137,6 +139,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Containers cannot run with a root primary or supplementary GID. The field
|
||||
spec.securityContext.fsGroup must be unset or set to a value greater than zero.
|
||||
|
|
|
|||
|
|
@ -69,6 +69,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Containers must drop `ALL` capabilities.
|
||||
foreach:
|
||||
|
|
@ -122,6 +123,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Any capabilities added other than NET_BIND_SERVICE are disallowed.
|
||||
foreach:
|
||||
|
|
|
|||
|
|
@ -50,6 +50,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Privilege escalation is disallowed. The fields
|
||||
spec.containers[*].securityContext.allowPrivilegeEscalation,
|
||||
|
|
|
|||
|
|
@ -50,6 +50,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Running as root is not allowed. The fields spec.securityContext.runAsUser,
|
||||
spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
|
||||
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
|
||||
|
|
|
|||
|
|
@ -53,6 +53,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Use of custom Seccomp profiles is disallowed. The fields
|
||||
spec.securityContext.seccompProfile.type,
|
||||
|
|
|
|||
|
|
@ -70,6 +70,7 @@ spec:
|
|||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||
message: >-
|
||||
Only the following types of volumes may be used: configMap, csi, downwardAPI,
|
||||
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
|
||||
|
|
|
|||
|
|
@ -55,6 +55,10 @@ validationFailureActionOverrides:
|
|||
# namespaces:
|
||||
# - fluent
|
||||
|
||||
# -- Validate already existing resources.
|
||||
# For more info https://kyverno.io/docs/writing-policies/validate.
|
||||
validationAllowExistingViolations: true
|
||||
|
||||
# -- Exclude resources from individual policies.
|
||||
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
|
||||
policyExclude: {}
|
||||
|
|
|
|||
Loading…
Reference in a new issue