From c5dc15690a3198cc5e305d6c626ac85cc5151609 Mon Sep 17 00:00:00 2001
From: Ryan Garcia <garcia.ryan@solute.us>
Date: Mon, 9 Aug 2021 16:39:59 +0000
Subject: [PATCH] Merge branch 'exclude-kube-system-from-gatekeeper' into
 'master'

Use OPA Gatekeeper with kube-system namespace exception

Closes platform-one/big-bang/apps/core/policy#107, platform-one/big-bang/apps/core/policy#82, and platform-one/big-bang/apps/core/policy#66

See merge request platform-one/big-bang/bigbang!730
---
 chart/templates/gatekeeper/values.yaml | 13 +++++++------
 chart/values.yaml                      |  2 +-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/chart/templates/gatekeeper/values.yaml b/chart/templates/gatekeeper/values.yaml
index 443ed1242c..0fbfec3767 100644
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -17,18 +17,20 @@ networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
   controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
 violations:  # Try to keep this in alpha order to make it easier to find keys
+
+  {{- if or .Values.istio.enabled .Values.addons.mattermost.enabled }}
   allowedDockerRegistries:
+    {{- if .Values.istio.enabled }}
     match:
       excludedNamespaces:
-       {{- if .Values.istio.enabled }}
         - istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
-       {{- end }}
-        - kube-system # ignored as the kubernetes distro cannot be controlled
+    {{- end }}
     {{- if .Values.addons.mattermost.enabled }}
     parameters:
       exemptContainers:
         - init-check-database # mattermost needs postgres:13 image and cannot override the upstream
     {{- end }}
+  {{- end }}
 
   {{- if .Values.monitoring.enabled }}
   hostNetworking:
@@ -50,7 +52,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
   noPrivilegedContainers:
     match:
       excludedNamespaces:
-        - kube-system
         - logging # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
   {{- end }}
 
@@ -58,7 +59,6 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
   restrictedTaint:
     match:
       excludedNamespaces:
-        - kube-system
         - monitoring # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
   {{- end }}
 
@@ -69,6 +69,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         - logging # FluentBit needs selinux option type spc_t
   {{- end }}
 
+  {{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}
   volumeTypes:
     match:
       excludedNamespaces:
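Review bot: The new guard `{{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}` nests a second `or` where Go templates accept a variadic one; `{{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled }}` reads more plainly and matches the two-operand form used for `allowedDockerRegistries` earlier in this file. The matching `{{- end }}` sits in the following hunk and the `volumeTypes` body between them is outside this view, so I could not confirm that each enabled branch still contributes at least one `excludedNamespaces` entry now that the unconditional `kube-system` line is gone; the guard appears to exist precisely to avoid rendering an empty `excludedNamespaces:` (which YAML reads as null), and a comment such as `# guarded so excludedNamespaces is never rendered empty` above it would record that intent. The `volumeTypes` block starts in this hunk but its body continues outside it.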
@@ -87,5 +88,5 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         # https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-node-exporter/templates/daemonset.yaml#L150
         - monitoring
        {{- end }}
-        - kube-system #local-path_local-path-provisioner helper-pod-create-pvc
+  {{- end }}
 {{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
index 3113d92a85..b9f4b9f460 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -281,7 +281,7 @@ gatekeeper:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
     path: "./chart"
-    tag: "3.5.1-bb.7"
+    tag: "3.5.1-bb.8"
 
   # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
   flux:
-- 
GitLab