diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index 653d3c97e2..4ebc8ccfe2 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -79,6 +79,8 @@ annotations:
 description: added TUF flags for custom sigstore deployments
 - kind: added
 description: allow setting admission controller replica count to 2
+ - kind: added
+ description: allow excluding resourceFilters via config.resourceFiltersExclude
 dependencies:
 - name: grafana
 version: "0.0.0"
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 102a9b7c47..a671677c54 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -276,6 +276,7 @@ The chart values are organised per component.
 | config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). |
 | config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
+| config.resourceFiltersExclude | list | `[]` | resourceFilters exclude list Items to exclude from config.resourceFilters |
 ### Metrics config
@@ -759,6 +760,8 @@ It contains an array of string templates that are passed through the `tpl` Helm
 Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.
+Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`.
+
 ## High availability
 Running a highly-available Kyverno installation is crucial in a production environment.
diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl
index 4c0692c4c1..9ba39bf4d2 100644
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@@ -386,6 +386,8 @@ It contains an array of string templates that are passed through the `tpl` Helm
 Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.
+Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`.
+
 ## High availability
 Running a highly-available Kyverno installation is crucial in a production environment.
diff --git a/charts/kyverno/ci/resourceFilters-values.yaml b/charts/kyverno/ci/resourceFilters-values.yaml
new file mode 100644
index 0000000000..c5355f525b
--- /dev/null
+++ b/charts/kyverno/ci/resourceFilters-values.yaml
@@ -0,0 +1,5 @@
+---
+config:
+ resourceFiltersExclude:
+ - '[Node,*,*]'
+ - '[Node/*,*,*]'
diff --git a/charts/kyverno/templates/config/_helpers.tpl b/charts/kyverno/templates/config/_helpers.tpl
index 64ec92c634..4b1d40d729 100644
--- a/charts/kyverno/templates/config/_helpers.tpl
+++ b/charts/kyverno/templates/config/_helpers.tpl
@@ -35,6 +35,9 @@
 {{- if .Values.config.excludeKyvernoNamespace -}}
 {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}}
 {{- end -}}
+{{- range $resourceExclude := .Values.config.resourceFiltersExclude -}}
+ {{- $resourceFilters = without $resourceFilters $resourceExclude -}}
+{{- end -}}
 {{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces -}}
 {{- range $filter := $resourceFilters -}}
 {{- if (contains (printf ",%s," $exclude) $filter) -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index bfd0c8545a..9678978c69 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
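Review bot: In the `_helpers.tpl` hunk, the added `without` loop drops a filter only when a `config.resourceFiltersExclude` entry equals it character for character, so an entry that differs by spacing or case removes nothing and the chart still renders cleanly. The same may happen when an entry is given in rendered rather than template form, since the README says these strings go through `tpl` and the hunk does not show where that happens. Because `resourceFilters` is the list of resources Kyverno skips, a silent miss leaves an operator believing a kind such as Node is now evaluated by policy while it is still filtered out. Consider failing the render on an unmatched entry, placed just before the `without` line: `{{- if not (has $resourceExclude $resourceFilters) -}}{{- fail (printf "resourceFiltersExclude entry %s not found in resourceFilters" $resourceExclude) -}}{{- end -}}`. The enclosing define starts and ends outside the hunk, so the initial value of `$resourceFilters` is not visible here.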
@@ -230,6 +230,10 @@ config:
 # Namespaces to exclude from the default resourceFilters
 resourceFiltersExcludeNamespaces: []
+ # -- resourceFilters exclude list
+ # Items to exclude from config.resourceFilters
+ resourceFiltersExclude: []
+
 # Metrics configuration
 metricsConfig:
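Review bot: The new comment on `resourceFiltersExclude` is easy to read backwards. The README describes `config.resourceFilters` as an exclusions list, so "Items to exclude from config.resourceFilters" can be taken to mean additional resources to skip, whereas the helper change in this commit removes the listed entries from that list, so the matching resources would presumably no longer be skipped. I would state the direction and the matching rule in the comment, for example `# Entries to remove from config.resourceFilters (exact string match); matching resources are then processed by Kyverno instead of skipped`. The README table row appears to be generated from this comment and would pick up the same wording.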