Kyverno Policy Exceptions for Certain Gitlab Pods

Package Merge Request

Package Changes

https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/blob/6.0.1-bb.3/CHANGELOG.md

https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/blob/6.0.1-bb.4/CHANGELOG.md

Package MR

https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/merge_requests/143

https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/merge_requests/144

For Issue

Closes https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/issues/129

BB Processes

Add labels for affected packages so that they are deployed in CI as well as a status label:

Be sure to assign to yourself:

Once it is ready for review switch the status and assign reviewers:

chart/templates/kyverno/policies/values.yaml

@@ -189,6 +189,17 @@ policies:
 
   require-drop-all-capabilities:
     validationFailureAction: audit
+    {{- if .Values.addons.gitlab.enabled }}
+    exclude:
+      any:
+      # Gitlab Redis sub-chart does not have configurable securityContext values from upstream. An issue has been opened 
+      # upstream to add these capabilities: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3375
+      - resources:
+          namespaces:
+          - gitlab
+          names:
+          - gitlab-redis-*
+    {{- end }}
 
   require-istio-on-namespaces:
     enabled: {{ .Values.istio.enabled }}
@@ -211,7 +222,7 @@ policies:
 
   require-non-root-group:
     validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.addons.gitlab.enabled }}
     exclude:
       any:
       {{- if $deployRestic }}
@@ -255,11 +266,20 @@ policies:
           names:
           - logging-promtail*
       {{- end }}
+      {{- if .Values.addons.gitlab.enabled }}
+      # Gitlab Redis sub-chart does not have configurable securityContext values from upstream. An issue has been opened 
+      # upstream to add these capabilities: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3375
+      - resources:
+          namespaces:
+          - gitlab
+          names:
+          - gitlab-redis-*
+      {{- end }}
     {{- end }}
 
   require-non-root-user:
     validationFailureAction: audit
-    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled }}
+    {{- if or $deployRestic .Values.twistlock.enabled .Values.fluentbit.enabled .Values.promtail.enabled .Values.addons.gitlab.enabled }}
     exclude:
       any:
       {{- if $deployRestic }}
@@ -303,6 +323,15 @@ policies:
           names:
           - logging-promtail*
       {{- end }}
+      {{- if .Values.addons.gitlab.enabled }}
+      # Gitlab Redis sub-chart does not have configurable securityContext values from upstream. An issue has been opened 
+      # upstream to add these capabilities: https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3375
+      - resources:
+          namespaces:
+          - gitlab
+          names:
+          - gitlab-redis-*
+      {{- end }}
     {{- end }}
 
   {{- if .Values.twistlock.enabled }}