Kubevirt gatekeeper docs
We had to update several gatekeeper configs to get kubevirt and kubevirt-cdi working. We may need to track these down to get the exact reasoning and document or automate out if possible. Here are just some of the changes that got us to a point where we could deploy VMs using CDI without gatekeeper issues. 'kubevirt-system' is the namespace we are using and is reflected in the example bb config changes below.
gatekeeper:
  values:
    violations:
      allowedHostFilesystem:
        parameters:
          excludedResources:
            - kubevirt-system/virt-.*
      noHostNamespace:
        match:
          excludedNamespaces:
            - kubevirt-system
      noPrivilegedContainers:
        match:
          excludedNamespaces:
            - kubevirt-system
      volumeTypes:
        parameters:
          excludedResources:
            - kubevirt-system/virt-.*
      selinuxPolicy:
        parameters:
          excludedResources:
            - kubevirt-system/virt-.*
            - .*/volumecontainerdisk.*
            - .*/virt-launcher.*
            - .*/hook-sidecar.*
...
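
To review how far these exemptions reach, the following added example (not part of the original page or of the gatekeeper package) evaluates the exclusions above against a pod inventory. It assumes each `excludedResources` entry is a regular expression that must match the whole string `<namespace>/<pod name>`; the pod names are constructed sample data and the function names are hypothetical.

```python
import re

# Exemptions copied from the config above: namespace-wide exclusions
# (match.excludedNamespaces) and per-resource regexes (parameters.excludedResources).
EXEMPTIONS = {
    "allowedHostFilesystem": {"resources": ["kubevirt-system/virt-.*"]},
    "noHostNamespace": {"namespaces": ["kubevirt-system"]},
    "noPrivilegedContainers": {"namespaces": ["kubevirt-system"]},
    "volumeTypes": {"resources": ["kubevirt-system/virt-.*"]},
    "selinuxPolicy": {"resources": [
        "kubevirt-system/virt-.*", ".*/volumecontainerdisk.*",
        ".*/virt-launcher.*", ".*/hook-sidecar.*"]},
}

# Constructed pod inventory (namespace, pod name); not taken from a real cluster.
SAMPLE_PODS = [
    ("kubevirt-system", "virt-api-7d9c"),
    ("kubevirt-system", "cdi-deployment-5f6b"),
    ("tenant-a", "virt-launcher-vm1-abcde"),
    ("tenant-b", "web-frontend-0"),
]

def is_exempt(policy, namespace, name, exemptions=EXEMPTIONS):
    """True if the pod is excluded from the policy.
    Assumption: a regex must match all of "<namespace>/<name>"."""
    rule = exemptions[policy]
    if namespace in rule.get("namespaces", []):
        return True
    target = f"{namespace}/{name}"
    return any(re.fullmatch(p, target) for p in rule.get("resources", []))

def exempt_outside(home_ns, pods=SAMPLE_PODS, exemptions=EXEMPTIONS):
    """Map policy -> exempt pods that live outside home_ns."""
    report = {}
    for policy in exemptions:
        hits = [f"{ns}/{n}" for ns, n in pods
                if ns != home_ns and is_exempt(policy, ns, n, exemptions)]
        if hits:
            report[policy] = hits
    return report

def unenforced_in(namespace, pods=SAMPLE_PODS, exemptions=EXEMPTIONS):
    """Map pod name -> policies not enforced on it, for one namespace."""
    return {n: [p for p in exemptions if is_exempt(p, namespace, n, exemptions)]
            for ns, n in pods if ns == namespace}

if __name__ == "__main__":
    print(exempt_outside("kubevirt-system"))
    print(unenforced_in("kubevirt-system"))
```

With the sample inventory, the `.*/virt-launcher.*` pattern exempts a pod in `tenant-a` from `selinuxPolicy`, and the namespace-wide exclusions cover every pod in `kubevirt-system`, not only the `virt-*` ones.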