Merge branch 'require-drop-all-capabilities' into 'master'

set policy to enforce See merge request !4154

Merge branch 'require-drop-all-capabilities' into 'master'
0743ba66 · Michael Martin · 187c35f3 · eab64368 · 0743ba66 · 0743ba66
Commit 0743ba66 authored 10 months ago by Michael Martin
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -176,10 +176,10 @@ policies:
  {{- end }}

  require-drop-all-capabilities:
-    validationFailureAction: audit
-    {{- if .Values.neuvector.enabled }}
+    validationFailureAction: Enforce
    exclude:
      any:
+      {{- if .Values.neuvector.enabled }}
      # Neuvector needs access to host to inspect network traffic
      - resources:
          namespaces:
@@ -188,7 +188,42 @@ policies:
          - neuvector-enforcer-pod*
          - neuvector-controller-pod*
          - neuvector-prometheus-exporter-pod*
-    {{- end }}
+      {{- end }}
+      {{- if .Values.addons.keycloak.enabled }}
+      - resources:
+          namespaces:
+          - keycloak
+          names:
+          - keycloak-0
+      {{- end }}
+      {{- if .Values.addons.holocron.enabled }}
+      - resources:
+          namespaces:
+          - holocron
+          names:
+          - holocron-postgresql-0
+      {{- end }}
+      {{- if .Values.addons.velero.enabled }}
+      - resources:
+          namespaces:
+          - velero
+          names:
+          - velero-backup-restore-test*
+      {{- end }}
+      {{- if .Values.addons.gitlabRunner.enabled }}
+      - resources:
+          namespaces:
+          - gitlab-runner
+          names:
+          - runner-*
+      {{- end }}
+      {{- if .Values.addons.gitlab.enabled }}
+      - resources:
+          namespaces:
+          - gitlab
+          names:
+          - webservice-test-runner-*
+      {{- end }}

  # Kyverno Beta feature - https://kyverno.io/docs/writing-policies/verify-images/
  require-image-signature:

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -752,6 +752,11 @@ kyvernoPolicies:
              - neuvector-enforcer-pod*
              - neuvector-controller-pod*
              - neuvector-prometheus-exporter-pod*
+          - resources:
+              namespaces:
+              - argocd
+              names:
+              - guestbook-ui-*
      require-non-root-group:
        exclude:
          any: