Merged Robert Massey requested to merge require-drop-all-capabilities into master 1 year ago

Package Merge Request

Package Changes

Sets kyverno policy require-drop-all-capabilities validationFailureAction to Enforce

For Issue

Closes https://repo1.dso.mil/big-bang/bigbang/-/issues/1699

Upgrade Notices

The policy require-drop-all-capabilities is now set to Enforce. All BigBang provided packages have exceptions or configuration in place to satisfy this requirement.

For any non-BigBang applications, exceptions can be added via values as below, or ensure a Kyverno PolicyException resource is present in your app templates:

kyvernoPolicies:
  values:
    policies:
      require-drop-all-capabilities:
        exclude:
          any:
            # Neuvector needs access to host to inspect network traffic
            - resources:
                namespaces:
                  - neuvector
                names:
                  - neuvector-enforcer-pod*
                  - neuvector-controller-pod*
                  - neuvector-prometheus-exporter-pod*

Edited 10 months ago by Samuel Sarnowski

Activity

Please register or sign in to reply

set policy to enforce

Package Merge Request

Package Changes

For Issue

Upgrade Notices

Merge request reports

Activity