diff --git a/CHANGELOG.md b/CHANGELOG.md index d00bf87273..b612a35232 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ - Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza. - Added `excludeRoles` and `excludeClusterRoles` support in configuration. - Added new flag `skipResourceFilters` to reports controller to enable/disable considering resource filters in the background (default value is `true`) +- Removed hardcoded defaults for `excludeGroups` and `excludeUsernames`. They are always read from the config map. ## v1.9.0-rc.1 diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 81805768d4..82fe87d717 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -177,6 +177,8 @@ In `v3` chart values changed significantly, please read the instructions below t - `config.excludeUsername` was renamed to `config.excludeUsernames` - `config.excludeGroupRole` was renamed to `config.excludeGroups` +Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions. + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: 
@@ -202,8 +204,10 @@ The command removes all the Kubernetes components associated with the chart and | config.annotations | object | `{}` | Additional annotations to add to the configmap. | | config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. | | config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. | -| config.excludeGroups | list | `[]` | Exclude groups | +| config.excludeGroups | list | `["system:serviceaccounts:kube-system","system:nodes"]` | Exclude groups | | config.excludeUsernames | list | `[]` | Exclude usernames | +| config.excludeRoles | list | `[]` | Exclude roles | +| config.excludeClusterRoles | list | `[]` | Exclude roles | | config.generateSuccessEvents | bool | `false` | Generate success events. | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | | config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl index 9d76c177f1..733abf11ac 100644 --- a/charts/kyverno/README.md.gotmpl +++ b/charts/kyverno/README.md.gotmpl 
@@ -177,6 +177,8 @@ In `v3` chart values changed significantly, please read the instructions below t - `config.excludeUsername` was renamed to `config.excludeUsernames` - `config.excludeGroupRole` was renamed to `config.excludeGroups` +Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions. + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index cf353de9cd..7ed206c76b 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -50,10 +50,19 @@ config: defaultRegistry: docker.io # -- Exclude groups - excludeGroups: [] + excludeGroups: + - system:serviceaccounts:kube-system + - system:nodes # -- Exclude usernames excludeUsernames: [] + # - system:kube-scheduler + + # -- Exclude roles + excludeRoles: [] + + # -- Exclude roles + excludeClusterRoles: [] # -- Generate success events. generateSuccessEvents: false diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 620c92a4c0..10db70bbb8 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
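Review bot: The comment above the new `excludeClusterRoles` key reads `# -- Exclude roles`, duplicated from the `excludeRoles` entry two lines up, and because helm-docs renders these `# --` comments into the README table the same wrong text now appears there as well; it should read `# -- Exclude cluster roles`. Since `excludeGroups` now carries the two values that used to be compiled in, its comment is also the only place a chart user learns what the list means: requests from a user in one of these groups are excluded when matching incoming admission requests (per the Go comment this commit deletes), so keeping `system:nodes` exempts the kubelets' own requests from every policy. A one-line warning there, e.g. `# -- Groups whose admission requests are not matched against policies; this is a policy bypass, extend with care`, would help operators who trim or extend the list. The `# - system:kube-scheduler` line added under `excludeUsernames: []` reads as accidentally left commented out; marking it `# e.g. - system:kube-scheduler` makes clear it is an example.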
@@ -66,6 +66,7 @@ data: enableDefaultRegistryMutation: "true" defaultRegistry: "docker.io" generateSuccessEvents: "false" + excludeGroups: "system:serviceaccounts:kube-system,system:nodes" resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:admission-controller][ClusterRole,*,kyverno:admission-controller:core][ClusterRole,*,kyverno:admission-controller:additional][ClusterRole,*,kyverno:background-controller][ClusterRole,*,kyverno:background-controller:core][ClusterRole,*,kyverno:background-controller:additional][ClusterRole,*,kyverno:cleanup-controller][ClusterRole,*,kyverno:cleanup-controller:core][ClusterRole,*,kyverno:cleanup-controller:additional][ClusterRole,*,kyverno:reports-controller][ClusterRole,*,kyverno:reports-controller:core][ClusterRole,*,kyverno:reports-controller:additional][ClusterRoleBinding,*,kyverno:admission-controller][ClusterRoleBinding,*,kyverno:background-controller][ClusterRoleBinding,*,kyverno:cleanup-controller][ClusterRoleBinding,*,kyverno:reports-controller][ServiceAccount,kyverno,kyverno-admission-controller][ServiceAccount,kyverno,kyverno-background-controller][ServiceAccount,kyverno,kyverno-cleanup-controller][ServiceAccount,kyverno,kyverno-reports-controller][Role,kyverno,kyverno:admission-controller][Role,kyverno,kyverno:background-controller][Role,kyverno,kyverno:cleanup-controller][Role,kyverno,kyverno:reports-controller][RoleBinding,kyverno,kyverno:admission-controller][RoleBinding,kyverno,kyverno:background-controller][RoleBinding,kyverno,kyverno:cleanup-controller][RoleBinding,kyverno,kyverno:reports-controller][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno-admission-controller][Deploymen
t,kyverno,kyverno-background-controller][Deployment,kyverno,kyverno-cleanup-controller][Deployment,kyverno,kyverno-reports-controller][Pod,kyverno,kyverno-admission-controller-*][Pod,kyverno,kyverno-background-controller-*][Pod,kyverno,kyverno-cleanup-controller-*][Pod,kyverno,kyverno-reports-controller-*][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno-admission-controller][NetworkPolicy,kyverno,kyverno-background-controller][NetworkPolicy,kyverno,kyverno-cleanup-controller][NetworkPolicy,kyverno,kyverno-reports-controller][PodDisruptionBudget,kyverno,kyverno-admission-controller][PodDisruptionBudget,kyverno,kyverno-background-controller][PodDisruptionBudget,kyverno,kyverno-cleanup-controller][PodDisruptionBudget,kyverno,kyverno-reports-controller][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][Service,kyverno,kyverno-background-controller-metrics][Service,kyverno,kyverno-cleanup-controller][Service,kyverno,kyverno-cleanup-controller-metrics][Service,kyverno,kyverno-reports-controller-metrics][ServiceMonitor,kyverno,kyverno-admission-controller][ServiceMonitor,kyverno,kyverno-background-controller][ServiceMonitor,kyverno,kyverno-cleanup-controller][ServiceMonitor,kyverno,kyverno-reports-controller][Secret,kyverno,kyverno-svc.kyverno.svc.*][Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]" webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]' --- diff --git a/pkg/config/config.go b/pkg/config/config.go index 2294ea9957..11620a589c 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go 
@@ -95,10 +95,6 @@ var (
 kyvernoPodName = osutils.GetEnvWithFallback("KYVERNO_POD_NAME", "kyverno")
 // kyvernoConfigMapName is the Kyverno configmap name
 kyvernoConfigMapName = osutils.GetEnvWithFallback("INIT_CONFIG", "kyverno")
- // defaultExcludedUsernames are the usernames excluded by default when matching an incoming admission request
- defaultExcludedUsernames []string
- // defaultExcludedGroups are the groups excluded by default when matching an incoming admission request
- defaultExcludedGroups []string = []string{"system:serviceaccounts:kube-system", "system:nodes"}
 // kyvernoDryRunNamespace is the namespace for DryRun option of YAML verification
 kyvernoDryrunNamespace = osutils.GetEnvWithFallback("KYVERNO_DRYRUN_NAMESPACE", "kyverno-dryrun")
 )
@@ -179,8 +175,6 @@ func NewDefaultConfiguration(skipResourceFilters bool) *configuration {
 skipResourceFilters: skipResourceFilters,
 defaultRegistry: "docker.io",
 enableDefaultRegistryMutation: true,
- excludedGroups: defaultExcludedGroups,
- excludedUsernames: defaultExcludedUsernames,
 }
 }
@@ -293,8 +287,6 @@ func (cd *configuration) load(cm *corev1.ConfigMap) {
 cd.excludedClusterRoles = []string{}
 cd.generateSuccessEvents = false
 cd.webhooks = nil
- cd.excludedGroups = append(cd.excludedGroups, defaultExcludedGroups...)
- cd.excludedUsernames = append(cd.excludedUsernames, defaultExcludedUsernames...)
 // load filters
 cd.filters = parseKinds(cm.Data["resourceFilters"])
 newDefaultRegistry, ok := cm.Data["defaultRegistry"]
@@ -392,6 +384,4 @@ func (cd *configuration) unload() {
 cd.generateSuccessEvents = false
 cd.webhooks = nil
 cd.webhookAnnotations = nil
- cd.excludedGroups = append(cd.excludedGroups, defaultExcludedGroups...)
- cd.excludedUsernames = append(cd.excludedUsernames, defaultExcludedUsernames...)
 }
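Review bot: Dropping the `append` of `defaultExcludedGroups` in `load` means a config map with no `excludeGroups` key now yields an empty exclusion list, where it previously still excluded `system:serviceaccounts:kube-system` and `system:nodes`; the values are presumably read from `cm.Data["excludeGroups"]` further down, outside the hunk. That is the stricter direction for admission, but anyone installing from a hand-written manifest or keeping an older config map silently starts having kube-system service accounts and kubelet requests evaluated by every policy, which can break cluster components when a matching policy or its webhook fails closed. A log line when the key is absent would make this visible, e.g. `logger.Info("excludeGroups not set in config map, no groups are excluded from admission matching")`, adapted to whatever logger this file uses. `load` starts and ends outside the hunk.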
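Review bot: After removing the two `append` lines, `unload` no longer assigns `excludedGroups` or `excludedUsernames` anywhere in the visible lines, while `generateSuccessEvents`, `webhooks` and `webhookAnnotations` are explicitly reset just above them; unless both slices are cleared in the part of `unload` above the hunk, exclusions from the last loaded config map would survive its deletion. Please confirm that reset exists, or add `cd.excludedGroups = []string{}` and `cd.excludedUsernames = []string{}` where the removed lines were, so a deleted config map clears the exclusions like the other fields. The start of `unload` is outside the hunk.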