Gatekeeper - add fine-grained exclusion for resources

50617ffe · Michael McLeroy · e3bff204 · 50617ffe · 50617ffe · 50617ffe
Commit 50617ffe authored 3 years ago by Michael McLeroy
--- a/chart/dev-k3d-values.yaml
+++ b/chart/dev-k3d-values.yaml
@@ -7,5 +7,11 @@ gatekeeper:
    violations:
      allowedDockerRegistries:
        match:
-          excludedNamespaces: 
-            - istio-system 
\ No newline at end of file
+          excludedNamespaces:
+          # Allows load balancer images for k3d from public repo
+          - istio-system
+      hostNetworking:
+        match:
+          excludedNamespaces:
+          # Allows load balancer containers to map ports for k3d
+          - istio-system
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -260,7 +260,7 @@ clusterAuditor:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor.git
    path: "./chart"
-    tag: "0.3.0-bb.5"
+    tag: "0.3.0-bb.6"

  # -- Flux reconciliation overrides specifically for the Cluster Auditor Package
  flux: {}
@@ -281,7 +281,7 @@ gatekeeper:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
-    tag: "3.5.1-bb.13"
+    tag: "3.5.1-bb.15"

  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
  flux:

--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -88,8 +88,14 @@ gatekeeper:
    violations:
      allowedDockerRegistries:
        match:
-          excludedNamespaces: 
-            - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
+          excludedNamespaces:
+          # Allows load balancer images for k3d from public repo
+          - istio-system
+      hostNetworking:
+        match:
+          excludedNamespaces:
+          # Allows load balancer containers to map ports for k3d
+          - istio-system

 twistlock:
  enabled: true