diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml index 07c10821d5702ff88ae1b601205690b2bc2c21cb..df80453172ed46c2f6fa9411d2162e1d2fb61c8c 100644 --- a/chart/templates/kyverno-policies/values.yaml +++ b/chart/templates/kyverno-policies/values.yaml 
@@ -698,67 +698,75 @@ policies: namespaces: - namespace: istio-system pods: - - istiod-* - - passthrough-ingressgateway-* - - public-ingressgateway-* + allow: + - istiod-* + - passthrough-ingressgateway-* + - public-ingressgateway-* - namespace: istio-operator pods: - - istiod-* - - istio-operator-* + allow: + - istiod-* + - istio-operator-* - namespace: twistlock pods: - # twistlock-init pods require get/list/patch/etc to several resources. - # More details in twistlock/chart/templates/init/clusterrole.yaml - - twistlock-init-* - # twistlock-volume-upgrade-job requires patch/get/list/update to deployments and get/list to pods - # More details in twistlock/chart/templates/init/volume-upgrade-role.yaml - - twistlock-volume-upgrade-job - # Twistlock Defender enforces various policies that may involve the K8s cluster itself - # Enforcing said policies requires access to the API to get/list resources - - twistlock-defender-ds-* + allow: + # twistlock-init pods require get/list/patch/etc to several resources. 
+ # More details in twistlock/chart/templates/init/clusterrole.yaml + - twistlock-init-* + # twistlock-volume-upgrade-job requires patch/get/list/update to deployments and get/list to pods + # More details in twistlock/chart/templates/init/volume-upgrade-role.yaml + - twistlock-volume-upgrade-job + # Twistlock Defender enforces various policies that may involve the K8s cluster itself + # Enforcing said policies requires access to the API to get/list resources + - twistlock-defender-ds-* - namespace: logging serviceAccounts: - logging-loki-minio-sa pods: - - logging-loki-minio-ss-* + allow: + - logging-loki-minio-ss-* - namespace: minio-operator pods: - # console pods require access to several API resources - # More details in minio-operator/chart/templates/console-clusterrole.yaml - - console-* - # operator pods require access to several API resources - # More details in minio-operator/chart/templates/operator-clusterrole.yaml - - minio-operator-* - # tenantPatchJob requires get/list/patch on tenants (minio CRD) - # More details in minio-operator/chart/templates/bigbang/tenant-patch-job.yaml - - bb-minio-operator-minio-operator-tenant-patch + allow: + # console pods require access to several API resources + # More details in minio-operator/chart/templates/console-clusterrole.yaml + - console-* + # operator pods require access to several API resources + # More details in minio-operator/chart/templates/operator-clusterrole.yaml + - minio-operator-* + # tenantPatchJob requires get/list/patch on tenants (minio CRD) + # More details in minio-operator/chart/templates/bigbang/tenant-patch-job.yaml + - bb-minio-operator-minio-operator-tenant-patch - namespace: minio pods: - # tenant pods require get/list/watch on secrets/tenants (CRD), and create/delete/get on services - # More details in role named minio-minio-minio-instance-role - - minio-minio-minio-instance-ss-0-* + allow: + # tenant pods require get/list/watch on secrets/tenants (CRD), and create/delete/get on 
services + # More details in role named minio-minio-minio-instance-role + - minio-minio-minio-instance-ss-0-* - namespace: kyverno pods: - - kyverno-reports-controller-* - - kyverno-admission-controller-* - - kyverno-cleanup-controller-* - - kyverno-cleanup-admission-reports-* - - kyverno-admission-controller-* - - kyverno-background-controller-* - - kyverno-admission-controller-* - - kyverno-cleanup-cluster-admission-reports-* + allow: + - kyverno-reports-controller-* + - kyverno-admission-controller-* + - kyverno-cleanup-controller-* + - kyverno-cleanup-admission-reports-* + - kyverno-admission-controller-* + - kyverno-background-controller-* + - kyverno-admission-controller-* + - kyverno-cleanup-cluster-admission-reports-* - namespace: velero serviceAccounts: - velero - velero-upgrade-crds - velero-velero-server pods: - - velero-cleanup-crds-* - - velero-velero-* - - node-agent-* - - velero-label-namespace-* - - velero-script-test - - velero-backup-restore-test + allow: + - velero-cleanup-crds-* + - velero-velero-* + - node-agent-* + - velero-label-namespace-* + - velero-script-test + - velero-backup-restore-test - namespace: neuvector serviceAccounts: - basic 
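Review bot: The kyverno namespace's new `allow` list still carries `kyverno-admission-controller-*` three times (entries 2, 5 and 7), and since this commit already rewrites every line of that list it is the natural moment to drop the two duplicates. Duplicate globs are harmless to matching, but this file is an inventory of pods exempted from a hardening policy, so anyone auditing "which pods may bypass this" has to de-duplicate by hand. The twistlock and minio-operator entries each cite the role file that justifies the exemption; the kyverno entries have no such justification, and a one-line comment in the same style (`# More details in <the clusterrole template that grants these controllers API access>`) would keep the list auditable. The enclosing `policies:` block starts before this hunk, so the policy these lists belong to is not visible here.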
@@ -766,44 +774,47 @@ policies: - enforcer - updater pods: - - neuvector-manager-pod-* - - neuvector-scanner-pod-* - - neuvector-controller-pod-* - - neuvector-enforcer-pod-* - - neuvector-updater-pod-* - - neuvector-prometheus-exporter-pod-* - - neuvector-registry-adapter-pod-* + allow: + - neuvector-manager-pod-* + - neuvector-scanner-pod-* + - neuvector-controller-pod-* + - neuvector-enforcer-pod-* + - neuvector-updater-pod-* + - neuvector-prometheus-exporter-pod-* + - neuvector-registry-adapter-pod-* - namespace: kiali serviceAccounts: - kiali-kiali-kiali-operator pods: - - kiali-* + allow: + - kiali-* - namespace: argocd pods: - # application-controller pods interact with secrets, configmaps, events, and Argo CRDs - # More details in argocd/chart/templates/argocd-application-controller/role.yaml - - argocd-argocd-application-controller-* - # dex pods interact with secrets and configmaps - # More details in argocd/chart/templates/dex/role.yaml - - argocd-argocd-dex-server-* - # argocd-upgrade-job interacts with CRDs - # More details in argocd/chart/templates/bigbang/upgrade-job.yaml - - argocd-upgrade-job - # argocd server pods interact with secrets, configmaps, events, and CRDs - # More details in argocd/chart/templates/argocd-server/role.yaml - - argocd-argocd-server-* - # repo server pods require access to the K8s API if using RBAC - # Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md - - argocd-argocd-repo-server-* - # The applicationSet controller pods interact with many API resources, including CRDs - # More details in argocd/chart/templates/argocd-applicationset/role.yaml - - argocd-argocd-applicationset-controller-* - # notifications controller pods interact with secrets, configmaps, and CRDs - # More details in argocd/chart/templates/argocd-notifications/role.yaml - # Additionally (this wildcard covers both)- - # notifications bot pods interact with secrets, configmaps, and CRDs - # More details in 
argocd/chart/templates/argocd-notifications/bots/slack/role.yaml - - argocd-argocd-notifications-controller-* + allow: + # application-controller pods interact with secrets, configmaps, events, and Argo CRDs + # More details in argocd/chart/templates/argocd-application-controller/role.yaml + - argocd-argocd-application-controller-* + # dex pods interact with secrets and configmaps + # More details in argocd/chart/templates/dex/role.yaml + - argocd-argocd-dex-server-* + # argocd-upgrade-job interacts with CRDs + # More details in argocd/chart/templates/bigbang/upgrade-job.yaml + - argocd-upgrade-job + # argocd server pods interact with secrets, configmaps, events, and CRDs + # More details in argocd/chart/templates/argocd-server/role.yaml + - argocd-argocd-server-* + # repo server pods require access to the K8s API if using RBAC + # Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md + - argocd-argocd-repo-server-* + # The applicationSet controller pods interact with many API resources, including CRDs + # More details in argocd/chart/templates/argocd-applicationset/role.yaml + - argocd-argocd-applicationset-controller-* + # notifications controller pods interact with secrets, configmaps, and CRDs + # More details in argocd/chart/templates/argocd-notifications/role.yaml + # Additionally (this wildcard covers both)- + # notifications bot pods interact with secrets, configmaps, and CRDs + # More details in argocd/chart/templates/argocd-notifications/bots/slack/role.yaml + - argocd-argocd-notifications-controller-* - namespace: harbor serviceAccounts: - harbor-redis-bb @@ -812,8 +823,9 @@ policies: - authservice - authservice-haproxy-sso pods: - - authservice-authservice-redis-bb-* - - authservice-haproxy-sso-* + allow: + - authservice-authservice-redis-bb-* + - authservice-haproxy-sso-* - namespace: monitoring serviceAccounts: - monitoring-grafana 
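Review bot: The kiali entry `allow: - kiali-*` exempts every pod in the namespace, which is noticeably wider than the component-specific globs used elsewhere in this hunk (`neuvector-manager-pod-*`, `argocd-argocd-dex-server-*`, …). The `serviceAccounts` list for the same namespace names only `kiali-kiali-kiali-operator`, which suggests the operator pod is the intended target; if so the glob could be narrowed to match it, and if all kiali pods genuinely need the exemption a comment saying why (as the argocd entries do) would make that reviewable. I am inferring the intent from the service-account name, so treat this as a question rather than a confirmed over-grant.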
@@ -823,21 +835,25 @@ policies: - monitoring-monitoring-kube-operator - monitoring-monitoring-prometheus-node-exporter pods: - - monitoring-grafana-* - - monitoring-monitoring-kube-admission-create-* - - monitoring-monitoring-kube-admission-patch-* - - monitoring-monitoring-kube-state-metrics-* - - monitoring-monitoring-kube-operator-* - - prometheus-monitoring-monitoring-kube-prometheus-* + allow: + - monitoring-grafana-* + - monitoring-grafana-* + - monitoring-monitoring-kube-admission-create-* + - monitoring-monitoring-kube-admission-patch-* + - monitoring-monitoring-kube-state-metrics-* + - monitoring-monitoring-kube-operator-* + - prometheus-monitoring-monitoring-kube-prometheus-* - namespace: anchore serviceAccounts: - anchore-ui-redis pods: - - anchore-ui-redis-* + allow: + - anchore-ui-redis-* - namespace: jaeger pods: - - jaeger-jaeger-jaeger-operator-* - - jaeger-clean-svc-monitor + allow: + - jaeger-jaeger-jaeger-operator-* + - jaeger-clean-svc-monitor - namespace: fortify serviceAccounts: - fortify-mysql @@ -847,29 +863,34 @@ policies: - vault-vault-root-token-secret - vault-vault-agent-injector pods: - - vault-vault-0 - - vault-vault-agent-injector-* - - vault-vault-job-init-* + allow: + - vault-vault-0 + - vault-vault-agent-injector-* + - vault-vault-job-init-* - namespace: promtail serviceAccounts: - promtail-promtail pods: - - promtail-promtail-* + allow: + - promtail-promtail-* - namespace: fluentbit serviceAccounts: - fluentbit-fluent-bit pods: - - fluentbit-fluent-bit-* + allow: + - fluentbit-fluent-bit-* - namespace: eck-operator serviceAccounts: - elastic-operator pods: - - elastic-operator-? + allow: + - elastic-operator-? - namespace: nexus-repository-manager serviceAccounts: - nexus-repository-manager pods: - - nexus-repository-manager-* + allow: + - nexus-repository-manager-* - namespace: thanos serviceAccounts: - thanos-minio-sa 
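Review bot: The monitoring namespace's `allow` list now contains `monitoring-grafana-*` twice; the old side had it once, so the duplicate is introduced by this commit rather than carried over. It is not a YAML error (these are list items, not keys) and Kyverno will match the same pods either way, but it makes the exemption inventory look larger than it is and will be a confusing diff the next time the list is edited. Drop the second `- monitoring-grafana-*` line so the list stays an exact inventory.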
@@ -877,34 +898,39 @@ policies: - thanos-query - thanos-query-frontend pods: - - thanos-minio-* - podsToHarden: - - thanos-query-frontend-* - - thanos-storegateway-* - - thanos-query-* + allow: + - thanos-minio-* + deny: + - thanos-query-frontend-* + - thanos-storegateway-* + - thanos-query-* - namespace: mattermost serviceAccounts: - mattermost - mattermost-minio-sa pods: - - default-minio-bucket-creation-* - - mattermost-minio-ss-* + allow: + - default-minio-bucket-creation-* + - mattermost-minio-ss-* - namespace: mattermost-operator serviceAccounts: - mattermost-operator pods: - - mattermost-operator-* + allow: + - mattermost-operator-* - namespace: keycloak serviceAccounts: - keycloak - namespace: gitlab pods: - - gitlab-shared-secrets* + allow: + - gitlab-shared-secrets* - namespace: gitlab-runner serviceAccounts: - gitlab-runner pods: - - gitlab-runner-* + allow: + - gitlab-runner-* istio: enabled: {{ .Values.istio.enabled }} diff --git a/chart/values.yaml b/chart/values.yaml index f14550fe00ff5e18aca6935152e7f7d8ac10c31e..4c258179901385a135f6953887e74f915b33ac24 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -516,11 +516,11 @@ kyvernoPolicies: git: repo: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies.git path: ./chart - tag: "3.0.4-bb.19" + tag: "3.0.4-bb.21" helmRepo: repoName: "registry1" chartName: "kyverno-policies" - tag: "3.0.4-bb.19" + tag: "3.0.4-bb.21" # -- Flux reconciliation overrides specifically for the Kyverno Package flux: {}
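Review bot: In the thanos block, `thanos-query-*` already matches everything `thanos-query-frontend-*` matches, so the `deny` list carries a redundant entry; keep `thanos-query-frontend-*` only if the policy evaluates these patterns with different semantics, otherwise drop it. More importantly, this hunk renames `podsToHarden` to `deny` while the companion hunk bumps the chart to `3.0.4-bb.21`: any consumer that overrides the old key in their own values will have that override silently ignored after the upgrade, since Helm merges unknown keys without warning. The file does not show how `allow` and `deny` interact when a pod name matches both (here `thanos-minio-*` and `thanos-query-*` do not overlap, but future edits could), so a short comment above the thanos entry stating the precedence (`# deny takes precedence over allow for pods matching both` or whichever rule the policy implements) would prevent an accidental exemption. I cannot see the policy template that consumes these keys, so the precedence rule itself is for the author to confirm.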