modify non-root-user and non-root-group kyverno policies to include exception for promtail

eadd1043 · Chris Nuber · Ryan Garcia · 2bee731e · eadd1043
Commit eadd1043 authored 2 years ago by Chris Nuber Committed by Ryan Garcia 2 years ago
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -182,7 +182,7 @@ policies:

  require-non-root-group:
    validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
    exclude:
      any:
      {{- if $deployRestic }}
@@ -215,11 +215,22 @@ policies:
          names:
          - logging-fluent-bit*
      {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # promtail requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      # promtail requires access to /run/promtail for its buffering and persistent state.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-promtail*
+      {{- end }}
    {{- end }}

  require-non-root-user:
    validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
    exclude:
      any:
      {{- if $deployRestic }}
@@ -252,6 +263,17 @@ policies:
          names:
          - logging-fluent-bit*
      {{- end }}
+      {{- if .Values.promtail.enabled }}
+      # promtail requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      # promtail requires access to /run/promtail for its buffering and persistent state.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-promtail*
+      {{- end }}
    {{- end }}

  {{- if .Values.twistlock.enabled }}