fix: drop hardcoded default exclusions (#6789)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
ab8639b643
commit
efde33c816
6 changed files with 19 additions and 12 deletions
|
@ -10,6 +10,7 @@
|
|||
- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
|
||||
- Added `excludeRoles` and `excludeClusterRoles` support in configuration.
|
||||
- Added new flag `skipResourceFilters` to reports controller to enable/disable considering resource filters in the background (default value is `true`)
|
||||
- Removed hardcoded defaults for `excludeGroups` and `excludeUsernames`. They are always read from the config map.
|
||||
|
||||
## v1.9.0-rc.1
|
||||
|
||||
|
|
|
@ -177,6 +177,8 @@ In `v3` chart values changed significantly, please read the instructions below t
|
|||
- `config.excludeUsername` was renamed to `config.excludeUsernames`
|
||||
- `config.excludeGroupRole` was renamed to `config.excludeGroups`
|
||||
|
||||
Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions.
|
||||
|
||||
## Uninstalling the Chart
|
||||
|
||||
To uninstall/delete the `kyverno` deployment:
|
||||
|
@ -202,8 +204,10 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| config.annotations | object | `{}` | Additional annotations to add to the configmap. |
|
||||
| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
|
||||
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
|
||||
| config.excludeGroups | list | `[]` | Exclude groups |
|
||||
| config.excludeGroups | list | `["system:serviceaccounts:kube-system","system:nodes"]` | Exclude groups |
|
||||
| config.excludeUsernames | list | `[]` | Exclude usernames |
|
||||
| config.excludeRoles | list | `[]` | Exclude roles |
|
||||
| config.excludeClusterRoles | list | `[]` | Exclude roles |
|
||||
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
||||
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
|
||||
| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
|
||||
|
|
|
@ -177,6 +177,8 @@ In `v3` chart values changed significantly, please read the instructions below t
|
|||
- `config.excludeUsername` was renamed to `config.excludeUsernames`
|
||||
- `config.excludeGroupRole` was renamed to `config.excludeGroups`
|
||||
|
||||
Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions.
|
||||
|
||||
## Uninstalling the Chart
|
||||
|
||||
To uninstall/delete the `kyverno` deployment:
|
||||
|
|
|
@ -50,10 +50,19 @@ config:
|
|||
defaultRegistry: docker.io
|
||||
|
||||
# -- Exclude groups
|
||||
excludeGroups: []
|
||||
excludeGroups:
|
||||
- system:serviceaccounts:kube-system
|
||||
- system:nodes
|
||||
|
||||
# -- Exclude usernames
|
||||
excludeUsernames: []
|
||||
# - system:kube-scheduler
|
||||
|
||||
# -- Exclude roles
|
||||
excludeRoles: []
|
||||
|
||||
# -- Exclude roles
|
||||
excludeClusterRoles: []
|
||||
|
||||
# -- Generate success events.
|
||||
generateSuccessEvents: false
|
||||
|
|
|
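Review bot: The `# -- Exclude roles` comment appears twice in this hunk, and the second copy sits above `excludeClusterRoles`, so the README row for `config.excludeClusterRoles` in the table hunk earlier on this page also reads "Exclude roles" (presumably generated from these helm-docs comments); change the second one to `# -- Exclude cluster roles`. Which side of this hunk each line is on is not recoverable from the page, but if the `system:serviceaccounts:kube-system` / `system:nodes` entries are the new side, they are now the only place the chart's default exclusions are defined, and a user who sets `config.excludeGroups` replaces that list rather than extends it. A one-line comment on the list to that effect, e.g. `# -- Exclude groups. Overriding this value replaces the defaults below, so keep the entries you still need.`, would surface that where users actually edit the value rather than only in the README upgrade notes.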
@ -66,6 +66,7 @@ data:
|
|||
enableDefaultRegistryMutation: "true"
|
||||
defaultRegistry: "docker.io"
|
||||
generateSuccessEvents: "false"
|
||||
excludeGroups: "system:serviceaccounts:kube-system,system:nodes"
|
||||
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:admission-controller][ClusterRole,*,kyverno:admission-controller:core][ClusterRole,*,kyverno:admission-controller:additional][ClusterRole,*,kyverno:background-controller][ClusterRole,*,kyverno:background-controller:core][ClusterRole,*,kyverno:background-controller:additional][ClusterRole,*,kyverno:cleanup-controller][ClusterRole,*,kyverno:cleanup-controller:core][ClusterRole,*,kyverno:cleanup-controller:additional][ClusterRole,*,kyverno:reports-controller][ClusterRole,*,kyverno:reports-controller:core][ClusterRole,*,kyverno:reports-controller:additional][ClusterRoleBinding,*,kyverno:admission-controller][ClusterRoleBinding,*,kyverno:background-controller][ClusterRoleBinding,*,kyverno:cleanup-controller][ClusterRoleBinding,*,kyverno:reports-controller][ServiceAccount,kyverno,kyverno-admission-controller][ServiceAccount,kyverno,kyverno-background-controller][ServiceAccount,kyverno,kyverno-cleanup-controller][ServiceAccount,kyverno,kyverno-reports-controller][Role,kyverno,kyverno:admission-controller][Role,kyverno,kyverno:background-controller][Role,kyverno,kyverno:cleanup-controller][Role,kyverno,kyverno:reports-controller][RoleBinding,kyverno,kyverno:admission-controller][RoleBinding,kyverno,kyverno:background-controller][RoleBinding,kyverno,kyverno:cleanup-controller][RoleBinding,kyverno,kyverno:reports-controller][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno-admission-controller][Deployment,kyverno,kyverno-background-controller][Deployment,kyverno,kyverno-cleanup-controller][Deployment,kyverno,kyverno-reports-controller][Pod,kyverno,kyverno-admission-controller-*][Pod,kyvern
o,kyverno-background-controller-*][Pod,kyverno,kyverno-cleanup-controller-*][Pod,kyverno,kyverno-reports-controller-*][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno-admission-controller][NetworkPolicy,kyverno,kyverno-background-controller][NetworkPolicy,kyverno,kyverno-cleanup-controller][NetworkPolicy,kyverno,kyverno-reports-controller][PodDisruptionBudget,kyverno,kyverno-admission-controller][PodDisruptionBudget,kyverno,kyverno-background-controller][PodDisruptionBudget,kyverno,kyverno-cleanup-controller][PodDisruptionBudget,kyverno,kyverno-reports-controller][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][Service,kyverno,kyverno-background-controller-metrics][Service,kyverno,kyverno-cleanup-controller][Service,kyverno,kyverno-cleanup-controller-metrics][Service,kyverno,kyverno-reports-controller-metrics][ServiceMonitor,kyverno,kyverno-admission-controller][ServiceMonitor,kyverno,kyverno-background-controller][ServiceMonitor,kyverno,kyverno-cleanup-controller][ServiceMonitor,kyverno,kyverno-reports-controller][Secret,kyverno,kyverno-svc.kyverno.svc.*][Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]"
|
||||
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
|
||||
---
|
||||
|
|
|
@ -95,10 +95,6 @@ var (
|
|||
kyvernoPodName = osutils.GetEnvWithFallback("KYVERNO_POD_NAME", "kyverno")
|
||||
// kyvernoConfigMapName is the Kyverno configmap name
|
||||
kyvernoConfigMapName = osutils.GetEnvWithFallback("INIT_CONFIG", "kyverno")
|
||||
// defaultExcludedUsernames are the usernames excluded by default when matching an incoming admission request
|
||||
defaultExcludedUsernames []string
|
||||
// defaultExcludedGroups are the groups excluded by default when matching an incoming admission request
|
||||
defaultExcludedGroups []string = []string{"system:serviceaccounts:kube-system", "system:nodes"}
|
||||
// kyvernoDryRunNamespace is the namespace for DryRun option of YAML verification
|
||||
kyvernoDryrunNamespace = osutils.GetEnvWithFallback("KYVERNO_DRYRUN_NAMESPACE", "kyverno-dryrun")
|
||||
)
|
||||
|
@ -179,8 +175,6 @@ func NewDefaultConfiguration(skipResourceFilters bool) *configuration {
|
|||
skipResourceFilters: skipResourceFilters,
|
||||
defaultRegistry: "docker.io",
|
||||
enableDefaultRegistryMutation: true,
|
||||
excludedGroups: defaultExcludedGroups,
|
||||
excludedUsernames: defaultExcludedUsernames,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -293,8 +287,6 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
|
|||
cd.excludedClusterRoles = []string{}
|
||||
cd.generateSuccessEvents = false
|
||||
cd.webhooks = nil
|
||||
cd.excludedGroups = append(cd.excludedGroups, defaultExcludedGroups...)
|
||||
cd.excludedUsernames = append(cd.excludedUsernames, defaultExcludedUsernames...)
|
||||
// load filters
|
||||
cd.filters = parseKinds(cm.Data["resourceFilters"])
|
||||
newDefaultRegistry, ok := cm.Data["defaultRegistry"]
|
||||
|
@ -392,6 +384,4 @@ func (cd *configuration) unload() {
|
|||
cd.generateSuccessEvents = false
|
||||
cd.webhooks = nil
|
||||
cd.webhookAnnotations = nil
|
||||
cd.excludedGroups = append(cd.excludedGroups, defaultExcludedGroups...)
|
||||
cd.excludedUsernames = append(cd.excludedUsernames, defaultExcludedUsernames...)
|
||||
}
|
||||
|
|