remove pod binding policy filters for schematic-to-pod policy to work
This commit is contained in:
parent
7a67c2ddbf
commit
7c8802e3bf
1 changed files with 112 additions and 0 deletions
|
@ -66,6 +66,7 @@ spec:
|
||||||
- ""
|
- ""
|
||||||
resources:
|
resources:
|
||||||
- pods
|
- pods
|
||||||
|
- nodes
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
- update
|
- update
|
||||||
|
@ -78,3 +79,114 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app.kubernetes.io/instance: kyverno
|
app.kubernetes.io/instance: kyverno
|
||||||
app.kubernetes.io/component: kyverno
|
app.kubernetes.io/component: kyverno
|
||||||
|
config:
|
||||||
|
# -- Resource types to be skipped by the Kyverno policy engine.
|
||||||
|
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
|
||||||
|
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
|
||||||
|
# @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1)
|
||||||
|
resourceFilters:
|
||||||
|
- '[Event,*,*]'
|
||||||
|
- '[*/*,kube-system,*]'
|
||||||
|
- '[*/*,kube-public,*]'
|
||||||
|
- '[*/*,kube-node-lease,*]'
|
||||||
|
- '[Node,*,*]'
|
||||||
|
- '[Node/*,*,*]'
|
||||||
|
- '[APIService,*,*]'
|
||||||
|
- '[APIService/*,*,*]'
|
||||||
|
- '[TokenReview,*,*]'
|
||||||
|
- '[SubjectAccessReview,*,*]'
|
||||||
|
- '[SelfSubjectAccessReview,*,*]'
|
||||||
|
# remove the following to allow for schematic-to-pod.yaml to work
|
||||||
|
# - '[Binding,*,*]'
|
||||||
|
# - '[Pod/binding,*,*]'
|
||||||
|
- '[ReplicaSet,*,*]'
|
||||||
|
- '[ReplicaSet/*,*,*]'
|
||||||
|
- '[EphemeralReport,*,*]'
|
||||||
|
- '[ClusterEphemeralReport,*,*]'
|
||||||
|
# exclude resources from the chart
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
|
||||||
|
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
|
||||||
|
- '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||||
|
- '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||||
|
- '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||||
|
- '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||||
|
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||||
|
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||||
|
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||||
|
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||||
|
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||||
|
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||||
|
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||||
|
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||||
|
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||||
|
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||||
|
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||||
|
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||||
|
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||||
|
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||||
|
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||||
|
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||||
|
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
|
||||||
|
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
|
||||||
|
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||||
|
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||||
|
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||||
|
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||||
|
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||||
|
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||||
|
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||||
|
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||||
|
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||||
|
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||||
|
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||||
|
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||||
|
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||||
|
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||||
|
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||||
|
- '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||||
|
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||||
|
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||||
|
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||||
|
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||||
|
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||||
|
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||||
|
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||||
|
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||||
|
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||||
|
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||||
|
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||||
|
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||||
|
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||||
|
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||||
|
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||||
|
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||||
|
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||||
|
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||||
|
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
|
||||||
|
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||||
|
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||||
|
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||||
|
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||||
|
|
Loading…
Reference in a new issue