Merge branch 'istio-ingress-exception' into 'master'

add exclusion for istio ingress services

Closes #1185

See merge request platform-one/big-bang/bigbang!1732

chart/templates/kyverno/policies/values.yaml

@@ -31,6 +31,35 @@ policies:
         {{- end }}
   {{- end }}
 
+  {{- $nodePortIngressGateways := list }}
+  {{- range $name, $values := .Values.istio.ingressGateways }}
+  {{- if eq $values.type "NodePort" }}
+  {{- $nodePortIngressGateways = append $nodePortIngressGateways $name }}
+  {{- end }}
+  {{- end }}
+
+  {{- range $name, $values := .Values.istio.values.ingressGateways }}
+  {{- if eq (dig "k8s" "service" "type" "LoadBalancer" $values) "NodePort" }}
+  {{- $nodePortIngressGateways = append $nodePortIngressGateways $name }}
+  {{- end }}
+  {{- end }}
+
+  {{- if $nodePortIngressGateways }}
+  # Istio services (istio ingress) can create type: NodePort services
+  disallow-nodeport-services:
+    exclude:
+      any:
+      - resources:
+          kinds:
+          - Service
+          names:
+          {{- range $name := $nodePortIngressGateways }}
+          - {{ $name }}
+          {{- end }}
+          namespaces:
+          - "istio-system"
+  {{- end }}
+
   disallow-image-tags:
     validationFailureAction: enforce