updated justifications

chart/templates/gatekeeper/values.yaml

@@ -74,14 +74,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       {{- end }}
   {{- end }}
 
-  {{- if .Values.neuvector.enabled }}
-  bannedImageTags:
-    parameters:
-      excludedResources:
-        # Neuvector scanner pods must run the most up to date version in order to have up to date CVE lists
-        - neuvector/neuvector-scanner-pod.*
-  {{- end }}
-
   {{- if .Values.twistlock.enabled }}
   hostNetworking:
     parameters:

chart/templates/kyverno/policies/values.yaml

@@ -72,16 +72,6 @@ policies:
   disallow-image-tags:
     enabled: true
     validationFailureAction: enforce
-    {{- if .Values.neuvector.enabled }}
-    # Neuvector scanner pods must run the most up to date version in order to have up to date CVE lists
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          - neuvector
-          names:
-          - neuvector-scanner-pod*
-    {{- end }}
 
   disallow-istio-injection-bypass:
     enabled: {{ .Values.istio.enabled }}
@@ -493,9 +483,9 @@ policies:
       {{- if .Values.neuvector.enabled }}
       # Neuvector mounts the following hostPaths:
       # `/var/neuvector`: for Neuvector's buffering and persistent state
-      # `/var/run`: 
-      # `/proc`:
-      # `/sys/fs/cgroup`:
+      # `/var/run`: communication to docker daemon
+      # `/proc`: monitoring of proccesses for malicious activity
+      # `/sys/fs/cgroup`: important files the controller wants to monitor for malicious content
       - resources:
           namespaces:
           - neuvector