Merge branch 'neuvector-require-drop-all-exclude' into 'master'

added neuvector exceptionss Closes big-bang/product/packages/neuvector#51 See merge request !2970

Merge branch 'neuvector-require-drop-all-exclude' into 'master'
d94d6814 · Christopher O'Connell · dd14c987 · b9cfb83c · d94d6814
Commit d94d6814 authored 1 year ago by Christopher O'Connell
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -146,9 +146,10 @@ policies:

  require-drop-all-capabilities:
    validationFailureAction: audit
-    {{- if .Values.addons.gitlab.enabled }}
+    {{- if or .Values.addons.gitlab.enabled .Values.neuvector.enabled }}
    exclude:
      any:
+      {{- if .Values.addons.gitlab.enabled }}      
      # Gitlab Redis sub-chart does not have configurable securityContext values from upstream. An issue has been opened
      # upstream to add these capabilities: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3375
      - resources:
@@ -156,6 +157,16 @@ policies:
          - gitlab
          names:
          - gitlab-redis-*
+      {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      # Neuvector needs access to host to inspect network traffic
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-enforcer-pod*
+          - neuvector-prometheus-exporter-pod*
+      {{- end }}
    {{- end }}

  # Kyverno Beta feature - https://kyverno.io/docs/writing-policies/verify-images/