Allow excluding resources from config.resourceFilters (#8946)

Fixes #8860 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2025-03-29 10:55:05 +00:00 · 2023-11-21 09:41:16 -05:00 · 2023-11-21 09:41:16 -05:00 · fcade6c88a
commit fcade6c88a
parent 8a5d1ff162
6 changed files with 19 additions and 0 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -79,6 +79,8 @@ annotations:
      description: added TUF flags for custom sigstore deployments
    - kind: added
      description: allow setting admission controller replica count to 2
+    - kind: added
+      description: allow excluding resourceFilters via config.resourceFiltersExclude
 dependencies:
  - name: grafana
    version: "0.0.0"
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -276,6 +276,7 @@ The chart values are organised per component.
 | config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). |
 | config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
+| config.resourceFiltersExclude | list | `[]` | resourceFilters exclude list Items to exclude from config.resourceFilters |

 ### Metrics config

@ -759,6 +760,8 @@ It contains an array of string templates that are passed through the `tpl` Helm

 Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.

+Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`.
+
 ## High availability

 Running a highly-available Kyverno installation is crucial in a production environment.
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@ -386,6 +386,8 @@ It contains an array of string templates that are passed through the `tpl` Helm

 Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.

+Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`.
+
 ## High availability

 Running a highly-available Kyverno installation is crucial in a production environment.
--- a/charts/kyverno/ci/resourceFilters-values.yaml
+++ b/charts/kyverno/ci/resourceFilters-values.yaml
@ -0,0 +1,5 @@
+---
+config:
+  resourceFiltersExclude:
+    - '[Node,*,*]'
+    - '[Node/*,*,*]'
--- a/charts/kyverno/templates/config/_helpers.tpl
+++ b/charts/kyverno/templates/config/_helpers.tpl
@ -35,6 +35,9 @@
 {{- if .Values.config.excludeKyvernoNamespace -}}
  {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}}
 {{- end -}}
+{{- range $resourceExclude := .Values.config.resourceFiltersExclude -}}
+  {{- $resourceFilters = without $resourceFilters $resourceExclude -}}
+{{- end -}}
 {{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces -}}
  {{- range $filter := $resourceFilters -}}
    {{- if (contains (printf ",%s," $exclude) $filter) -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -230,6 +230,10 @@ config:
  # Namespaces to exclude from the default resourceFilters
  resourceFiltersExcludeNamespaces: []

+  # -- resourceFilters exclude list
+  # Items to exclude from config.resourceFilters
+  resourceFiltersExclude: []
+
 # Metrics configuration
 metricsConfig: