mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-15 12:17:56 +00:00
add allowExistingViolations option in policy chart (#11656)
Until now it was not possible to set the allowExistingViolations for predefined policies in the policies chart. By default it should be set to , identical to how it is set up in the CRDs. Not only does this now allow users to set the config according to their needs, but this also solves a problem with ArgoCD. As the CRDs set it to true, but the template does not specifically declare the field, ArgoCD falls into a constant sync loop of trying to remove the field.

Signed-off-by: ProbstenHias <matthias.weilinger@gmx.de>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
parent
d100202d22
commit
bb3e7d9ddc
20 changed files with 27 additions and 0 deletions
|
@ -84,6 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
|
| validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
|
||||||
| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
|
| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
|
||||||
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
|
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
|
||||||
|
| validationAllowExistingViolations | bool | `true` | Validate already existing resources. For more info https://kyverno.io/docs/writing-policies/validate. |
|
||||||
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
|
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
|
||||||
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
|
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
|
||||||
| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. |
|
| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. |
|
||||||
|
|
|
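Review bot: The new README row describes `validationAllowExistingViolations` as "Validate already existing resources", which reads as the opposite of the key name: going by the name, the default `true` means existing violations are allowed. Reword the description so it states what `true` and `false` each do, rather than pointing only at the general validate documentation link.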
@ -68,6 +68,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
|
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
|
||||||
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
|
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
|
||||||
|
|
|
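Review bot: `allowExistingViolations: {{ .Values.validationAllowExistingViolations }}` is rendered without any guard, so a values file that sets the key to null or to a non-boolean puts that straight into the policy spec. Check the type before rendering (for example with `kindIs "bool"`) and fail or fall back otherwise; avoid `default true` as the fallback, because `default` treats `false` as empty and would turn an explicit `false` back into `true`.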
@ -52,6 +52,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
|
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
|
||||||
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
|
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
|
||||||
|
|
|
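Review bot: The added line reads a single chart-wide value, while the `failureActionOverrides` block directly above it looks up a per-policy entry through `$name`. Consider accepting a per-policy override for this setting as well, so that one policy can be set differently without changing all the others.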
@ -51,6 +51,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
|
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
|
||||||
pattern:
|
pattern:
|
||||||
|
|
|
@ -51,6 +51,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
|
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
|
||||||
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
|
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
|
||||||
|
|
|
@ -52,6 +52,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
|
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
|
||||||
spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
|
spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
|
||||||
|
|
|
@ -50,6 +50,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
|
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
|
||||||
and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
|
and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
|
||||||
|
|
|
@ -52,6 +52,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Changing the proc mount from the default is not allowed. The fields
|
Changing the proc mount from the default is not allowed. The fields
|
||||||
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
|
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
|
||||||
|
|
|
@ -50,6 +50,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Setting the SELinux type is restricted. The fields
|
Setting the SELinux type is restricted. The fields
|
||||||
spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
|
spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
|
||||||
|
@ -98,6 +99,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Setting the SELinux user or role is forbidden. The fields
|
Setting the SELinux user or role is forbidden. The fields
|
||||||
spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
|
spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
|
||||||
|
|
|
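Review bot: The same `allowExistingViolations` line is pasted into this file a second time (the new-side offset in the hunk header shows an earlier insertion), and the identical line is repeated across the other policy templates. Moving it into a shared named template would keep the rules from drifting apart the next time this setting changes.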
@ -53,6 +53,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Specifying other AppArmor profiles is disallowed. The annotation
|
Specifying other AppArmor profiles is disallowed. The annotation
|
||||||
`container.apparmor.security.beta.kubernetes.io` if defined
|
`container.apparmor.security.beta.kubernetes.io` if defined
|
||||||
|
|
|
@ -51,6 +51,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Use of custom Seccomp profiles is disallowed. The fields
|
Use of custom Seccomp profiles is disallowed. The fields
|
||||||
spec.securityContext.seccompProfile.type,
|
spec.securityContext.seccompProfile.type,
|
||||||
|
|
|
@ -54,6 +54,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Setting additional sysctls above the allowed type is disallowed.
|
Setting additional sysctls above the allowed type is disallowed.
|
||||||
The field spec.securityContext.sysctls must be unset or not use any other names
|
The field spec.securityContext.sysctls must be unset or not use any other names
|
||||||
|
|
|
@ -52,6 +52,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Running with root group IDs is disallowed. The fields
|
Running with root group IDs is disallowed. The fields
|
||||||
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
|
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
|
||||||
|
@ -107,6 +108,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Containers cannot run with a root primary or supplementary GID. The field
|
Containers cannot run with a root primary or supplementary GID. The field
|
||||||
spec.securityContext.supplementalGroups must be unset or
|
spec.securityContext.supplementalGroups must be unset or
|
||||||
|
@ -137,6 +139,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Containers cannot run with a root primary or supplementary GID. The field
|
Containers cannot run with a root primary or supplementary GID. The field
|
||||||
spec.securityContext.fsGroup must be unset or set to a value greater than zero.
|
spec.securityContext.fsGroup must be unset or set to a value greater than zero.
|
||||||
|
|
|
@ -69,6 +69,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Containers must drop `ALL` capabilities.
|
Containers must drop `ALL` capabilities.
|
||||||
foreach:
|
foreach:
|
||||||
|
@ -122,6 +123,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Any capabilities added other than NET_BIND_SERVICE are disallowed.
|
Any capabilities added other than NET_BIND_SERVICE are disallowed.
|
||||||
foreach:
|
foreach:
|
||||||
|
|
|
@ -50,6 +50,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Privilege escalation is disallowed. The fields
|
Privilege escalation is disallowed. The fields
|
||||||
spec.containers[*].securityContext.allowPrivilegeEscalation,
|
spec.containers[*].securityContext.allowPrivilegeEscalation,
|
||||||
|
|
|
@ -50,6 +50,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Running as root is not allowed. The fields spec.securityContext.runAsUser,
|
Running as root is not allowed. The fields spec.securityContext.runAsUser,
|
||||||
spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
|
spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
|
||||||
|
|
|
@ -51,6 +51,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
|
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
|
||||||
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
|
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
|
||||||
|
|
|
@ -53,6 +53,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Use of custom Seccomp profiles is disallowed. The fields
|
Use of custom Seccomp profiles is disallowed. The fields
|
||||||
spec.securityContext.seccompProfile.type,
|
spec.securityContext.seccompProfile.type,
|
||||||
|
|
|
@ -70,6 +70,7 @@ spec:
|
||||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
|
||||||
message: >-
|
message: >-
|
||||||
Only the following types of volumes may be used: configMap, csi, downwardAPI,
|
Only the following types of volumes may be used: configMap, csi, downwardAPI,
|
||||||
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
|
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
|
||||||
|
|
|
@ -55,6 +55,10 @@ validationFailureActionOverrides:
|
||||||
# namespaces:
|
# namespaces:
|
||||||
# - fluent
|
# - fluent
|
||||||
|
|
||||||
|
# -- Validate already existing resources.
|
||||||
|
# For more info https://kyverno.io/docs/writing-policies/validate.
|
||||||
|
validationAllowExistingViolations: true
|
||||||
|
|
||||||
# -- Exclude resources from individual policies.
|
# -- Exclude resources from individual policies.
|
||||||
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
|
# Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
|
||||||
policyExclude: {}
|
policyExclude: {}
|
||||||
|
|
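Review bot: The comment above `validationAllowExistingViolations: true` does not say why the default is `true` or what setting `false` changes; the reason (matching the CRD default) appears only in the commit message. Put that in the comment, since going by the key name `true` is the permissive choice and users reading the values file should see that it is deliberate.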