Robert Massey requested to merge require-drop-all-capabilities into master Apr 15, 2024

Package Merge Request

Package Changes

Sets kyverno policy require-drop-all-capabilities validationFailureAction to Enforce

For Issue

Closes https://repo1.dso.mil/big-bang/bigbang/-/issues/1699

Upgrade Notices

The policy require-drop-all-capabilities is now set to Enforce. All BigBang provided packages have exceptions or configuration in place to satisfy this requirement.

For any non-BigBang applications, exceptions can be added via values as below, or ensure a Kyverno PolicyException resource is present in your app templates:

kyvernoPolicies:
  values:
    policies:
      require-drop-all-capabilities:
        exclude:
          any:
            # Neuvector needs access to host to inspect network traffic
            - resources:
                namespaces:
                  - neuvector
                names:
                  - neuvector-enforcer-pod*
                  - neuvector-controller-pod*
                  - neuvector-prometheus-exporter-pod*

Edited May 30, 2024 by Samuel Sarnowski

Admin message

set policy to enforce

Package Merge Request

Package Changes

For Issue

Upgrade Notices

Merge request reports