Kyverno policy exceptions for fluentbit run as root

General MR

Summary

Add Kyverno policy exception and rationale for fluentbit to permit running as root.

Closes https://repo1.dso.mil/platform-one/big-bang/apps/core/fluentbit/-/issues/35

chart/templates/kyverno/policies/values.yaml

@@ -182,7 +182,7 @@ policies:
 
   require-non-root-group:
     validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
     exclude:
       any:
       {{- if $deployRestic }}
@@ -205,11 +205,21 @@ policies:
           names:
           - twistlock-defender-ds*
       {{- end }}
+      {{- if .Values.fluentbit.enabled }}
+      # Fluentbit requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-fluent-bit*
+      {{- end }}
     {{- end }}
 
   require-non-root-user:
     validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled }}
     exclude:
       any:
       {{- if $deployRestic }}
@@ -232,7 +242,16 @@ policies:
           names:
           - twistlock-defender-ds*
       {{- end }}
-
+      {{- if .Values.fluentbit.enabled }}
+      # Fluentbit requires access to journalctl as well as /var/log.  This would require modifications
+      # to the host operating system, creating a user, adding that user to the  systemd-journal user group 
+      # and then granting permissions recursively on /var/log.
+      - resources:
+          namespaces:
+          - logging
+          names:
+          - logging-fluent-bit*
+      {{- end }}
     {{- end }}
 
   {{- if .Values.twistlock.enabled }}