Update Kyverno policies-values.yaml to enhance namespace exclusions for policy enforcement. Add detailed comments on the exclusion strategy and provide instructions for refreshing PolicyReports. This change aims to improve clarity and management of policy violations across various namespaces.
This commit is contained in:
Nikholas Pcenicni
@@ -4,8 +4,18 @@
|
||||
# --version 3.7.1 -f clusters/noble/apps/kyverno/policies-values.yaml --wait --timeout 10m
|
||||
#
|
||||
# Default profile is baseline; validationFailureAction is Audit so existing privileged
|
||||
# workloads (monitoring, longhorn, etc.) are reported, not blocked. Tighten per policy or
|
||||
# namespace when ready (see README).
|
||||
# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp
|
||||
# surfaces those as “policy violations”. Exclude namespaces that intentionally run
|
||||
# outside baseline (see namespace PSA labels under clusters/noble/apps/*/namespace.yaml)
|
||||
# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
|
||||
#
|
||||
# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
|
||||
# kubectl delete clusterpolicyreport --all
|
||||
# kubectl delete policyreport -A --all
|
||||
# (Reports are recreated on the next background scan.)
|
||||
#
|
||||
# Exclude blocks omit `kinds` so the same namespace skip applies to autogen rules for
|
||||
# Deployments, DaemonSets, etc. (see kyverno/kyverno#4306).
|
||||
#
|
||||
policyKind: ClusterPolicy
|
||||
policyType: ClusterPolicy
|
||||
@@ -14,3 +24,39 @@ podSecuritySeverity: medium
|
||||
validationFailureAction: Audit
|
||||
failurePolicy: Fail
|
||||
validationAllowExistingViolations: true
|
||||
|
||||
# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/apps).
|
||||
x-kyverno-exclude-infra: &kyverno_exclude_infra
|
||||
any:
|
||||
- resources:
|
||||
namespaces:
|
||||
- kube-system
|
||||
- kube-public
|
||||
- kube-node-lease
|
||||
- argocd
|
||||
- cert-manager
|
||||
- external-secrets
|
||||
- headlamp
|
||||
- kyverno
|
||||
- logging
|
||||
- loki
|
||||
- longhorn-system
|
||||
- metallb-system
|
||||
- monitoring
|
||||
- newt
|
||||
- sealed-secrets
|
||||
- traefik
|
||||
- vault
|
||||
|
||||
policyExclude:
|
||||
disallow-capabilities: *kyverno_exclude_infra
|
||||
disallow-host-namespaces: *kyverno_exclude_infra
|
||||
disallow-host-path: *kyverno_exclude_infra
|
||||
disallow-host-ports: *kyverno_exclude_infra
|
||||
disallow-host-process: *kyverno_exclude_infra
|
||||
disallow-privileged-containers: *kyverno_exclude_infra
|
||||
disallow-proc-mount: *kyverno_exclude_infra
|
||||
disallow-selinux: *kyverno_exclude_infra
|
||||
restrict-apparmor-profiles: *kyverno_exclude_infra
|
||||
restrict-seccomp: *kyverno_exclude_infra
|
||||
restrict-sysctls: *kyverno_exclude_infra
|
||||
|
||||
Reference in New Issue
Block a user