mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 12:17:56 +00:00

add allowExistingViolations option in policy chart (#11656)

Until now it was not possible to set the allowExistingViolations for predefined policies in the policies chart. By default it should be set to , identical to how it is set up in the CRDs. Not only does this now allow users to set the config according to their needs, but this also solves a problem with ArgoCD. As the CRDs set it to true, but the template does not specifically declare the field, ArgoCD falls into a constant sync loop of trying to remove the field.

Signed-off-by: ProbstenHias <matthias.weilinger@gmx.de>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Matthias Weilinger 2024-12-02 04:50:26 +01:00 committed by GitHub
parent d100202d22
commit bb3e7d9ddc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 27 additions and 0 deletions


@ -84,6 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
| validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | | validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. | | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. | | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
| validationAllowExistingViolations | bool | `true` | Validate already existing resources. For more info https://kyverno.io/docs/writing-policies/validate. |
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. | | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. | | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. | | autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. |
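Review bot: the description on the new `validationAllowExistingViolations` row, "Validate already existing resources", reads as the opposite of what the field name conveys: `allowExistingViolations: true` is the permissive setting (pre-existing violations are allowed, matching the CRD default the commit message cites), while this wording suggests that `true` turns on extra validation. Suggest something like "Allow pre-existing violations to be admitted (CRD default). Set to `false` for the stricter behaviour." and, since the neighbouring rows advertise per-policy overrides via `validationFailureActionByPolicy` and `validationFailureActionOverrides`, state explicitly that this value applies to every bundled policy at once.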


@ -68,6 +68,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
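Review bot: the new line renders a single chart-wide value into every rule, whereas the `failureActionOverrides` block right above it is resolved per policy through `$name`; rolling the stricter `false` out policy by policy is the usual way to adopt this field, so a per-policy map analogous to `validationFailureActionByPolicy` would be worth adding here. If that is done, avoid `default` for the lookup: Helm's `default` treats `false` as empty, so `{{ default .Values.validationAllowExistingViolations (index .Values "validationAllowExistingViolationsByPolicy" $name) }}` would silently discard an explicit per-policy `false` and fall back to the global value; gate on `hasKey` instead, e.g. `{{- if hasKey .Values.validationAllowExistingViolationsByPolicy $name }}`. Rendering the field unconditionally is the right call given the ArgoCD sync loop described in the commit message, and the same comment applies to every template hunk in this commit.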


@ -52,6 +52,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork, Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`. spec.hostIPC, and spec.hostPID must be unset or set to `false`.


@ -51,6 +51,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
pattern: pattern:


@ -51,6 +51,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort


@ -52,6 +52,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess, spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,


@ -50,6 +50,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.


@ -52,6 +52,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Changing the proc mount from the default is not allowed. The fields Changing the proc mount from the default is not allowed. The fields
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount, spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,


@ -50,6 +50,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Setting the SELinux type is restricted. The fields Setting the SELinux type is restricted. The fields
spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type, spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
@ -98,6 +99,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Setting the SELinux user or role is forbidden. The fields Setting the SELinux user or role is forbidden. The fields
spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role, spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,


@ -53,6 +53,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Specifying other AppArmor profiles is disallowed. The annotation Specifying other AppArmor profiles is disallowed. The annotation
`container.apparmor.security.beta.kubernetes.io` if defined `container.apparmor.security.beta.kubernetes.io` if defined


@ -51,6 +51,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Use of custom Seccomp profiles is disallowed. The fields Use of custom Seccomp profiles is disallowed. The fields
spec.securityContext.seccompProfile.type, spec.securityContext.seccompProfile.type,


@ -54,6 +54,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Setting additional sysctls above the allowed type is disallowed. Setting additional sysctls above the allowed type is disallowed.
The field spec.securityContext.sysctls must be unset or not use any other names The field spec.securityContext.sysctls must be unset or not use any other names


@ -52,6 +52,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Running with root group IDs is disallowed. The fields Running with root group IDs is disallowed. The fields
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
@ -107,6 +108,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Containers cannot run with a root primary or supplementary GID. The field Containers cannot run with a root primary or supplementary GID. The field
spec.securityContext.supplementalGroups must be unset or spec.securityContext.supplementalGroups must be unset or
@ -137,6 +139,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Containers cannot run with a root primary or supplementary GID. The field Containers cannot run with a root primary or supplementary GID. The field
spec.securityContext.fsGroup must be unset or set to a value greater than zero. spec.securityContext.fsGroup must be unset or set to a value greater than zero.


@ -69,6 +69,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Containers must drop `ALL` capabilities. Containers must drop `ALL` capabilities.
foreach: foreach:
@ -122,6 +123,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Any capabilities added other than NET_BIND_SERVICE are disallowed. Any capabilities added other than NET_BIND_SERVICE are disallowed.
foreach: foreach:


@ -50,6 +50,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Privilege escalation is disallowed. The fields Privilege escalation is disallowed. The fields
spec.containers[*].securityContext.allowPrivilegeEscalation, spec.containers[*].securityContext.allowPrivilegeEscalation,


@ -50,6 +50,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Running as root is not allowed. The fields spec.securityContext.runAsUser, Running as root is not allowed. The fields spec.securityContext.runAsUser,
spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,


@ -51,6 +51,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,


@ -53,6 +53,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Use of custom Seccomp profiles is disallowed. The fields Use of custom Seccomp profiles is disallowed. The fields
spec.securityContext.seccompProfile.type, spec.securityContext.seccompProfile.type,


@ -70,6 +70,7 @@ spec:
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }} failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }} {{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >- message: >-
Only the following types of volumes may be used: configMap, csi, downwardAPI, Only the following types of volumes may be used: configMap, csi, downwardAPI,
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret. emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.


@ -55,6 +55,10 @@ validationFailureActionOverrides:
# namespaces: # namespaces:
# - fluent # - fluent
# -- Validate already existing resources.
# For more info https://kyverno.io/docs/writing-policies/validate.
validationAllowExistingViolations: true
# -- Exclude resources from individual policies. # -- Exclude resources from individual policies.
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. # Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
policyExclude: {} policyExclude: {}
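Review bot: the `# --` comment on `validationAllowExistingViolations` is the helm-docs source for the README row, so its wording should say which way the boolean cuts: `true` keeps the CRD default and allows resources that already violate a rule to keep being admitted, `false` is the stricter setting, and either value is applied to all bundled policies because the templates read only this one key. Suggest "# -- Allow pre-existing violations to be admitted (CRD default). Set to `false` for stricter enforcement; applies to all bundled policies." and regenerating the README from it so the two stay in sync.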