Gatekeeper default policy blocking twistlock

6bf6f73b · Jennifer Kays · Micah Nagel · 66691422 · 6bf6f73b
Commit 6bf6f73b authored 3 years ago by Jennifer Kays Committed by Micah Nagel 3 years ago
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -34,7 +34,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - mattermost/init-check-database
      {{- end }}

-  {{- if or .Values.monitoring.enabled .Values.fluentbit.enabled }}
+  {{- if or .Values.monitoring.enabled (or .Values.fluentbit.enabled .Values.twistlock.enabled) }}
  allowedHostFilesystem:
    {{- if .Values.monitoring.enabled }}
    match:
@@ -42,14 +42,30 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        # Prometheus-node-exporter needs access to host to get node metrics
        - monitoring
    {{- end }}
-    {{- if .Values.fluentbit.enabled }}
+    {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled }}
    parameters:
      excludedResources:
+        {{- if .Values.fluentbit.enabled }}
        # Fluentbit pods need access to host to get log files
        - logging/logging-fluent-bit-.*
+        {{- end }}
+        {{- if .Values.twistlock.enabled }}
+        - twistlock/twistlock-defender-ds-.*
+        {{- end }}
    {{- end }}
  {{- end }}

+  {{- if .Values.twistlock.enabled }}
+  hostNetworking:
+    parameters:
+      excludedResources:
+        - twistlock/twistlock-defender-ds-.*
+  noHostNamespace:
+    parameters:
+      excludedResources:
+        - twistlock/twistlock-defender-ds-.*
+  {{- end }}
+
  {{- if .Values.addons.mattermost.enabled }}
  httpsOnly:
    match:
@@ -78,12 +94,19 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - istio-operator
        - istio-system

-  {{- if .Values.monitoring.enabled }}
+  {{- if or .Values.monitoring.enabled .Values.twistlock.enabled }}
  restrictedTaint:
+    {{- if .Values.monitoring.enabled }}
    match:
      excludedNamespaces:
        # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
        - monitoring
+    {{- end }}
+    {{- if .Values.twistlock.enabled }}
+    parameters:
+      excludedResources:
+        - twistlock/twistlock-defender-ds-.*
+    {{- end }}
  {{- end }}

  {{- if .Values.logging.enabled }}