diff --git a/chart/templates/kyverno/policies/values.yaml b/chart/templates/kyverno/policies/values.yaml
index 72f8193a3cff5b6d08278b12cc5590761a09c92a..7e033a2912ac24b437275c6347f67e3656b068a8 100644
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -182,7 +182,7 @@ policies:
 
   require-non-root-group:
     validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
     exclude:
       any:
       {{- if $deployRestic }}
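Review bot: The outer guard on `require-non-root-group` has to name every component that owns an inner exclusion block, and the same four-way `or` is repeated on `require-non-root-user` further down in this diff. A component added to an inner block but missed in one of the two guards silently drops that exclusion from the rendered policy. Consider computing the condition once, next to wherever `$deployRestic` is assigned (not visible here), e.g. `{{- $excludeNonRoot := or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}`, and using `{{- if $excludeNonRoot }}` in both places. The `exclude` block continues past the end of this hunk.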
@@ -215,11 +215,22 @@ policies:
           names:
           - logging-fluent-bit*
       {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # promtail requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      # promtail requires access to /run/promtail for its buffering and persistent state.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-promtail*
+      {{- end }}
     {{- end }}
 
   require-non-root-user:
     validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
     exclude:
       any:
       {{- if $deployRestic }}
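Review bot: The exclusion added under `{{- if .Values.promtail.enabled }}` matches only on namespace `logging` and the name glob `logging-promtail*`, so any resource in that namespace whose name starts with that prefix is exempt from `require-non-root-group`, not just the chart's own promtail pods; the next hunk adds the identical entry to `require-non-root-user`. Both policies are at `validationFailureAction: audit`, so today this hides findings rather than admitting anything new, but the entry becomes a real bypass if they are switched to enforce. If the promtail pods carry a stable label, a `selector` with `matchLabels` (label value `<promtail-pod-label>`, not shown on this page) next to `names` would cut accidental matches; labels are set by the pod's creator, so create rights on pods in `logging` should be reviewed alongside. At minimum add `# NOTE: name-glob match - any pod named logging-promtail* in this namespace is exempt`. The `exclude.any` list starts outside this hunk.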
@@ -252,6 +263,17 @@ policies:
           names:
           - logging-fluent-bit*
       {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # promtail requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      # promtail requires access to /run/promtail for its buffering and persistent state.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-promtail*
+      {{- end }}
     {{- end }}
 
   {{- if .Values.twistlock.enabled }}
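Review bot: The comment above the new `- resources:` entry reads as if promtail itself requires host modifications, when it appears to mean that running promtail as non-root would require them; the same text is in the previous hunk for `require-non-root-group`. Suggested wording: `# promtail reads the host journal and /var/log; running it as non-root would need a host user in the systemd-journal group with recursive read access to /var/log.` followed by `# It also keeps buffering and persistent state under /run/promtail.` The comment does not say why `/run/promtail` needs root (presumably a host path mount, to be confirmed), and a reader auditing this exemption would want that stated. The second comment line also has a double space in `the  systemd-journal` and trailing whitespace after `user group`.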