UNCLASSIFIED - NO CUI

Resolve "Adding merge list block for overlay and default list (for Kyverno Policies)"

General MR

Summary

Adds a merge block to the Kyverno policy for merging the default and overlay lists. This is only used by the update-automountserviceaccounttokens policy.

Relevant logs/screenshots

Override is able to merge with the default list and won't overwrite it.

Local test adding the override below:

kyvernoPolicies:
  enabled: true
  values:
    policies:
      update-automountserviceaccounttokens:
        enabled: true
        namespaces: 
          - namespace: monitoring
            pods:
              allow:
              - test-monitoring*
              deny:
              - deny-monitoring*

Result:

      - resources:
          kinds:
          - Pod
          names:
          - monitoring-grafana*
          - monitoring-monitoring-kube-admission-create-*
          - monitoring-monitoring-kube-admission-patch-*
          - monitoring-monitoring-kube-state-metrics*
          - monitoring-monitoring-kube-operator*
          - prometheus-monitoring-monitoring-kube-prometheus*
          - test-monitoring*
          namespaces:
          - monitoring
      - resources:
          kinds:
          - Pod
          names:
          - deny-monitoring*
          namespaces:
          - monitoring

Linked Issue

issue

Upgrade Notices

N/A

Edited by Daniel Chen
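
The merge behaviour described in this MR, modelled as an added example (not code from this merge request or from the chart): a per-namespace union of default and overlay entries, compared with the plain list replacement that would drop the default allow entries. The function names are hypothetical, and the default list is inferred from the Result output above rather than copied from the chart's values.

```python
"""Model of merging an overlay namespace list into chart defaults (added example)."""

# Defaults inferred from the Result output on this page (an assumption about
# the chart's values, not copied from the chart itself).
DEFAULTS = [{"namespace": "monitoring", "pods": {"allow": [
    "monitoring-grafana*",
    "monitoring-monitoring-kube-admission-create-*",
    "monitoring-monitoring-kube-admission-patch-*",
    "monitoring-monitoring-kube-state-metrics*",
    "monitoring-monitoring-kube-operator*",
    "prometheus-monitoring-monitoring-kube-prometheus*",
]}}]

# Override taken from the local test on this page.
OVERLAY = [{"namespace": "monitoring", "pods": {
    "allow": ["test-monitoring*"], "deny": ["deny-monitoring*"]}}]


def merge_namespaces(defaults, overlay):
    """Union entries per namespace: defaults first, overlay appended, no duplicates."""
    merged = {}
    for entry in list(defaults) + list(overlay):
        slot = merged.setdefault(entry["namespace"], {"allow": [], "deny": []})
        for kind in ("allow", "deny"):
            for name in (entry.get("pods") or {}).get(kind) or []:
                if name not in slot[kind]:
                    slot[kind].append(name)
    return merged


def render_resources(merged, kind):
    """Build one resources block per namespace that has entries of this kind."""
    return [
        {"resources": {"kinds": ["Pod"], "names": pods[kind], "namespaces": [ns]}}
        for ns, pods in merged.items() if pods[kind]
    ]


def overwrite_namespaces(defaults, overlay):
    """Plain list replacement: the overlay list wins whenever it is set."""
    return merge_namespaces([], overlay if overlay else defaults)


if __name__ == "__main__":
    merged = merge_namespaces(DEFAULTS, OVERLAY)
    for kind in ("allow", "deny"):
        print(kind, render_resources(merged, kind))
    lost = set(merged["monitoring"]["allow"]) - set(
        overwrite_namespaces(DEFAULTS, OVERLAY)["monitoring"]["allow"])
    print("entries an overwrite would drop:", sorted(lost))
```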
