
Commit c2555e5d authored by Ryan Garcia's avatar Ryan Garcia :dizzy:

Merge branch '3-promtail-as-root-user' into 'master'

modify non-root-user and non-root-group kyverno policies to include exception for promtail

Closes platform-one/big-bang/apps/sandbox/promtail#3 and #3

See merge request platform-one/big-bang/bigbang!1691
parents 51b2c91b eadd1043
......@@ -182,7 +182,7 @@ policies:
require-non-root-group:
validationFailureAction: audit
{{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
{{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
exclude:
any:
{{- if $deployRestic }}
......@@ -215,11 +215,22 @@ policies:
names:
- logging-fluent-bit*
{{- end }}
{{- if .Values.promtail.enabled }}
# promtail requires access to journalctl as well as /var/log. This would require modifications
# to the host operating system, creating a user, adding that user to the systemd-journal user group
# and then granting permissions recursively on /var/log.
# promtail requires access to /run/promtail for its buffering and persistent state.
- resources:
namespaces:
- logging
names:
- logging-promtail*
{{- end }}
{{- end }}
require-non-root-user:
validationFailureAction: audit
{{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
{{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
exclude:
any:
{{- if $deployRestic }}
......@@ -252,6 +263,17 @@ policies:
names:
- logging-fluent-bit*
{{- end }}
{{- if .Values.promtail.enabled }}
# promtail requires access to journalctl as well as /var/log. This would require modifications
# to the host operating system, creating a user, adding that user to the systemd-journal user group
# and then granting permissions recursively on /var/log.
# promtail requires access to /run/promtail for its buffering and persistent state.
- resources:
namespaces:
- logging
names:
- logging-promtail*
{{- end }}
{{- end }}
{{- if .Values.twistlock.enabled }}
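Review bot: The promtail `exclude` entries added in the second and third hunks match on the name prefix `logging-promtail*` inside the `logging` namespace, so any resource with that prefix is exempted from the non-root checks, not only the promtail workload the comment justifies, and because both policies run with `validationFailureAction: audit` the exclusion also drops the policy-report entries that would otherwise record promtail running as root. Consider narrowing the match with a label `selector` alongside `names`, e.g. `selector: {matchLabels: {<promtail-app-label>: <promtail-app-value>}}` using the label the promtail chart actually sets, and confirm that the `resources` block carries a `kinds` restriction — that part of the mapping is outside the hunk. The duplicated comment would also benefit from stating the scope, e.g. `# Exclusion is name-prefix based; keep aligned with the promtail release name and review if the chart naming changes.` The enclosing `policies:` mapping starts and ends outside the hunks.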