Merge branch 'exclude-kube-system-from-gatekeeper' into 'master'

Use OPA Gatekeeper with kube-system namespace exception Closes platform-one/big-bang/apps/core/policy#107, platform-one/big-bang/apps/core/policy#82, and platform-one/big-bang/apps/core/policy#66 See merge request platform-one/big-bang/bigbang!730

Merge branch 'exclude-kube-system-from-gatekeeper' into 'master'
c5dc1569 · Ryan Garcia · Ryan Garcia · d1ed7e5a · c5dc1569 · c5dc1569
Commit c5dc1569 authored 3 years ago by Ryan Garcia Committed by Ryan Garcia 3 years ago
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -17,18 +17,20 @@ networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 violations:  # Try to keep this in alpha order to make it easier to find keys
+
+  {{- if or .Values.istio.enabled .Values.addons.mattermost.enabled }}
  allowedDockerRegistries:
+    {{- if .Values.istio.enabled }}
    match:
      excludedNamespaces:
-       {{- if .Values.istio.enabled }}
        - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
-       {{- end }}
-        - kube-system # ignored as the kubernetes distro cannot be controlled
+    {{- end }}
    {{- if .Values.addons.mattermost.enabled }}
    parameters:
      exemptContainers:
        - init-check-database # mattermost needs postgres:13 image and cannot override the upstream
    {{- end }}
+  {{- end }}

  {{- if .Values.monitoring.enabled }}
  hostNetworking:
@@ -50,7 +52,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
  noPrivilegedContainers:
    match:
      excludedNamespaces:
-        - kube-system
        - logging # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
  {{- end }}

@@ -58,7 +59,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
  restrictedTaint:
    match:
      excludedNamespaces:
-        - kube-system
        - monitoring # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
  {{- end }}

@@ -69,6 +69,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        - logging # FluentBit needs selinux option type spc_t
  {{- end }}

+  {{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}
  volumeTypes:
    match:
      excludedNamespaces:
@@ -87,5 +88,5 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
        # https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-node-exporter/templates/daemonset.yaml#L150
        - monitoring
       {{- end }}
-        - kube-system #local-path_local-path-provisioner helper-pod-create-pvc
+  {{- end }}
 {{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -281,7 +281,7 @@ gatekeeper:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
-    tag: "3.5.1-bb.7"
+    tag: "3.5.1-bb.8"

  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
  flux: