SKIP UPGRADE Kyverno policy keycloak exception

b5be4ce0 · kevin.wilder · Micah Nagel · d4433205 · b5be4ce0
Commit b5be4ce0 authored 2 years ago by kevin.wilder Committed by Micah Nagel 2 years ago
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -121,7 +121,7 @@ policies:
      {{- end }}
  {{- end }}

-{{- if or (.Values.addons.gitlab.enabled) (and (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) (.Release.IsUpgrade)) }}
+{{- if or (.Values.addons.gitlab.enabled) (and (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) (.Release.IsUpgrade)) .Values.addons.keycloak.enabled }}
  disallow-shared-subpath-volume-writes:
    # Subpath volumes can be used in combination with symlinks to break out into the host filesystem
    exclude:
@@ -134,6 +134,9 @@ policies:
          {{- if (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) }}
          - twistlock
          {{- end }}
+          {{- if .Values.addons.keycloak.enabled }}
+          - keycloak
+          {{- end }}
          names:
          {{- if (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) }}
          - volume-upgrade-job*
@@ -190,6 +193,10 @@ policies:
          # volume. The shared volume is mounted with subpaths pointing to specific files in the container.
          - gitlab-gitaly*
          {{- end }}
+          {{- if .Values.addons.keycloak.enabled }}
+          # Volumes using emptyDir shared with initContainers to inject custom provider plugins or custom themes
+          - keycloak-*
+          {{- end }}
  {{- end }}

  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.twistlock.enabled }}