Merge branch '8-kubevirt-gatekeeper-docs' into 'main'

Adding documentation for required gatekeeper settings. Closes #8 See merge request platform-one/big-bang/apps/third-party/kubevirt!34

Merge branch '8-kubevirt-gatekeeper-docs' into 'main'
212440c6 · andrew.greene · 46358c1b · 735c51ed · 212440c6
Commit 212440c6 authored 2 years ago by andrew.greene
--- a/docs/gatekeeper_exceptions.md
+++ b/docs/gatekeeper_exceptions.md
+# Required Gatekeeper Settings for KubeVirt
+
+Big Bang sets some default OPA gatekeeper policy that causes issues with kubevirt when gatekeeper is enabled.  The following minimum Big Bang settings are required to be able to start the kubevirt cluster pods and to spin up a VM.  I'm just displaying the violation changes needed below for clarity.
+
+```
+gatekeeper:
+  values:
+    violations:
+      allowedHostFilesystem:
+        parameters:
+          excludedResources: 
+            - kubevirt/virt-handler.*
+      noHostNamespace:
+        parameters:
+          excludedResources:
+            - kubevirt/virt-handler.*
+      noPrivilegedContainers:
+        parameters:
+          excludedResources:
+            - kubevirt/virt-handler.*
+            - kubevirt/virt-launcher.*
+      volumeTypes:
+        parameters:
+          excludedResources:
+            - kubevirt/virt-handler.*
+      selinuxPolicy:
+        parameters:
+          excludedResources:
+            -  kubevirt/virt-handler.*
+            - .*/virt-launcher.*
+            - .*/volumecontainerdisk.*
+```
+
+
+Reasoning for the excludes:
+
+* virt-handler requires hostPath access to /var/lib/kubelet/pods, /var/lib/kubevirt, /var/run/kubevirt, /var/run/kubevirt-libvirt-runtimes and /var/run/kubevirt-private, /var/lib/kubelet/device-plugins. The gatekeeper allowed-host-filesystem constraint is blocking it.
+* virt-handler requires the hostPath volume type.  The gatekeeper volume-types constraint is blocking it. 
+* virt-handler needs to share host namespaces(PIP, IPC, Network or HostPorts). The gatekeeper no-host-namespace constraint is blocking it.
+* virt-handler and virt-launcher require running privileged containers.  The gatekeeper no-privileged-containers constraint is blocking them.
+* virt-handler, virt-launcher and virt-launcher's volumecontainerdisk containers are setting selinux options. The gatekeeper selinux-policy constraint is blocking them.