Merge branch 'enforce-no-root-user' into 'master'

set require-non-root-user to enforce Closes #1277 See merge request !3453

Merge branch 'enforce-no-root-user' into 'master'
6ccf7a66 · Ryan Garcia · e2657de4 · f3b635b1 · 6ccf7a66 · 6ccf7a66
Commit 6ccf7a66 authored 1 year ago by Ryan Garcia
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -309,15 +309,34 @@ policies:
    {{- end }}
  require-non-root-user:
-    validationFailureAction: audit
+    validationFailureAction: Enforce
    {{ if .Values.istio.enabled }}
    parameters:
      excludeContainers:
        - istio-init
    {{- end }}
-    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
    exclude:
      any:
+      - resources:
+          namespaces:
+          - kube-system
+    {{- if or $deployNodeAgent .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.kiali.enabled .Values.neuvector.enabled}}
+      {{- if .Values.kiali.enabled }}
+      # Kiali needs exception for operator to deploy Kiali server
+      - resources:
+          namespaces:
+          - kiali
+          names:
+          - kiali-*
+      {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      # Neuvector needs privileged access for realtime scanning of files from the node / access to the container runtime
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector*
+      {{- end }}
      {{- if $deployNodeAgent }}
      # Velero.  The node agent backup tool requires root user access to the host's runtime pod directory which is
      # mounted inside velero/node agent pods.

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -621,6 +621,21 @@ kyvernoPolicies:
              - gitlab
              names:
              - gitlab-minio-*
+          - resources:
+              namespaces:
+              - metallb-system
+              names:
+              - speaker-*
+          - resources:
+              namespaces:
+              - argocd
+              names:
+              - guestbook*    
+          - resources:
+              namespaces:
+              - velero
+              names:
+              - velero-backup-restore-test*  
      disallow-namespaces:
        parameters:
          disallow: