{{- /*
Big Bang values wrapper for the kyvernopolicies package.

When .Values.kyvernopolicies.enabled is true, the "values-secret" helper is
rendered with two layers of package values: the defaults from
"bigbang.defaults.kyvernopolicies" (defined below in this file) and the user
overlays from "bigbang.overlays.kyvernopolicies" (defined elsewhere; parsed
with fromYaml before being passed in). Nothing is rendered when the package is
disabled. NOTE(review): $pkg is assigned but not referenced on these lines;
presumably it is used further down the file -- confirm before removing.
*/}}
{{- $pkg := "kyvernopolicies" }}

{{- if .Values.kyvernopolicies.enabled }}
{{- include "values-secret" (dict "root" $ "package" (dict "values" (fromYaml (include "bigbang.overlays.kyvernopolicies" .))) "name" "kyvernopolicies" "defaults" (include "bigbang.defaults.kyvernopolicies" .)) }}
{{- end }}

{{- define "bigbang.defaults.kyvernopolicies" -}}

{{- $deployRestic := (and .Values.addons.velero.enabled (dig "deployRestic" false .Values.addons.velero.values)) }}

waitforready:
  imagePullSecrets:
  - name: private-registry

policies:

  {{- if .Values.twistlock.enabled }}
  disallow-host-namespaces:
    exclude:
      any:
      {{- if .Values.twistlock.enabled }}
      # Twistlock, by default, does its own network monitoring; hostNetworking is enabled by default for this purpose.
      # With hostNetworking enabled, Istio sidecar injection is disabled. If hostNetworking is disabled, Twistlock will
      # not be able to self-monitor. If both Istio sidecar injection and Twistlock monitoring are disabled, a security gap
      # is created for network monitoring in Twistlock, so it is important to make sure at least one is enabled.
      - resources:
          namespaces:
          - twistlock
          names:
          - twistlock-defender-ds*
        {{- end }}
  {{- end }}

  disallow-image-tags:
    validationFailureAction: enforce

  disallow-istio-injection-bypass:
    enabled: {{ .Values.istio.enabled }}
    exclude:
      any:
      # Istio does not inject itself
      - resources:
          namespaces:
          - istio-system

  disallow-namespaces:
    validationFailureAction: enforce
    parameters:
      disallow:
      - bigbang
      - default

  {{- if .Values.fluentbit.enabled }}
  disallow-privileged-containers:
    exclude:
      any:
      {{- if .Values.fluentbit.enabled }}
      # NEEDS FURTHER JUSTIFICATION
      # Fluentbit needs a privileged container to read and store the buffer used for tailing logs from the nodes
      - resources:
          namespaces:
          - logging
          names:
          - logging-fluent-bit*
      {{- end }}
  {{- end }}

  {{- if .Values.addons.gitlab.enabled }}
  disallow-shared-subpath-volume-writes:
    # Subpath volumes can be used in combination with symlinks to break out into the host filesystem