BB 2.16.0 - Kyverno non-root-user policy change not clearly articulated
https://repo1.dso.mil/big-bang/bigbang/-/releases/2.16.0
While the non-root-user policy being switched to enforce was mentioned, it was a very short mention and not included under upgrade notices. From the perspective of someone scanning these release notes it could be easily missed and it feels a bit "hidden" in the other details. Contrast these two:
2.16.0:

> This release sets Kyverno's require-non-root-user policy setting to Enforce. See this MR for more details

2.18.0:

> - KyvernoPolicies:
>   - The policy `require-non-root-group` is now set to enforce. All BigBang provided packages have exceptions or configuration in place to satisfy this requirement. Non-BigBang deployments will need to ensure they are setting a `securityContext.runAsGroup` value or an exception will need to be added.
>   - You can use the following values or ensure a Kyverno PolicyException resource is present in your app templates:
>
>     ```yaml
>     kyvernoPolicies:
>       values:
>         policies:
>           require-non-root-group:
>             exclude:
>               any:
>               - resources:
>                   namespaces:
>                   - NAMESPACE
>                   names:
>                   - POD-NAME-*
>     ```
>     ...
It would be great to retroactively edit 2.16.0 to place this under upgrade notices and more clearly articulate what might be required to ensure my apps on top of Big Bang still deploy.
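For readers hitting the same upgrade, the following is an added illustration (not from the Big Bang release notes or the issue author) of the configuration route the 2.18.0 notes point at: rather than carving out a Kyverno exclusion, a workload deployed on top of Big Bang sets an explicit non-root user and group in its pod `securityContext`, which satisfies both the `require-non-root-user` policy enforced from 2.16.0 and the `require-non-root-group` policy enforced from 2.18.0. The namespace, Deployment name, image and numeric IDs are constructed placeholders; `runAsNonRoot`, `runAsUser` and `runAsGroup` are standard Kubernetes `PodSecurityContext` fields.

```yaml
# Constructed example manifest: a non-Big-Bang app that passes both
# require-non-root-user and require-non-root-group without any
# kyvernoPolicies exclusion or PolicyException.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app          # placeholder name
  namespace: example-ns      # placeholder namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      # Pod-level security context: inherited by every container unless
      # a container overrides it. Setting the group here is what the
      # 2.18.0 note calls "setting a securityContext.runAsGroup value".
      securityContext:
        runAsNonRoot: true   # kubelet refuses to start the pod as UID 0
        runAsUser: 1000      # placeholder non-root UID (must be non-zero)
        runAsGroup: 1000     # placeholder non-root GID (must be non-zero)
        fsGroup: 1000        # optional: volume ownership for the same GID
      containers:
      - name: app
        image: registry.example.invalid/example-app:1.0.0   # placeholder image
        securityContext:
          # Container-level values override the pod level; keep them
          # consistent so a future edit does not silently reintroduce GID 0.
          runAsUser: 1000
          runAsGroup: 1000
          allowPrivilegeEscalation: false
```

Before upgrading, running a dry-run apply of the manifest against a cluster where the policy is still in `Audit` mode and checking the Kyverno `PolicyReport` for the namespace shows whether any remaining pods would be blocked once the policy flips to `Enforce`; an exclusion like the one quoted in the 2.18.0 notes should be reserved for workloads that genuinely cannot run with a non-zero GID, and scoped to specific `namespaces` and `names` as that snippet does rather than to a whole cluster.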