Moved the excluded namespaces to the new regex method for excluded resources.

Merge Request

No package changes. Scope is in Big Bang only.

Excluded namespaces converted to excluded resources where the exclusion could be narrowed down to namespace and pod/container name using regex.

Values added to k3d-dev-values.yaml and ci/k3d/values.yaml to accommodate load balancer pod/container exceptions.

Additional Details

For testing, all packages should be deployed and no denies should occur. Use kubectl get events -n <namespace> to check for denies.

closes #693 (closed)

closes #776 (closed)

chart/templates/gatekeeper/values.yaml

@@ -36,30 +36,26 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
 
   {{- if or .Values.monitoring.enabled (or .Values.fluentbit.enabled .Values.twistlock.enabled) }}
   allowedHostFilesystem:
-    {{- if .Values.monitoring.enabled }}
-    match:
-      excludedNamespaces:
-        # Prometheus-node-exporter needs access to host to get node metrics
-        - monitoring
-    {{- end }}
-    {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled }}
     parameters:
       excludedResources:
-        {{- if .Values.fluentbit.enabled }}
-        # Fluentbit pods need access to host to get log files
-        - logging/logging-fluent-bit-.*
-        {{- end }}
-        {{- if .Values.twistlock.enabled }}
-        - twistlock/twistlock-defender-ds-.*
-        {{- end }}
-    {{- end }}
+      {{- if .Values.monitoring.enabled }}
+      # Prometheus-node-exporter needs access to host to get node metrics
+      - monitoring/monitoring-monitoring-prometheus-node-exporter-.*
+      {{- end }}
+      {{- if .Values.fluentbit.enabled }}
+      # Fluentbit pods need access to host to get log files
+      - logging/logging-fluent-bit-.*
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      - twistlock/twistlock-defender-ds-.*
+      {{- end }}
   {{- end }}
 
   {{- if .Values.twistlock.enabled }}
   hostNetworking:
     parameters:
       excludedResources:
-        - twistlock/twistlock-defender-ds-.*
+        - twistlock/twistlock-defender
   noHostNamespace:
     parameters:
       excludedResources:
@@ -68,11 +64,11 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
 
   {{- if .Values.addons.mattermost.enabled }}
   httpsOnly:
-    match:
-      excludedNamespaces:
+    parameters:
+      excludedResources:
         # Mattermost currently does not useIngressTLS hence Ingress is created without TLS field by the operator.
         # Adding exemption, pending https://github.com/mattermost/mattermost-operator/issues/235
-        - mattermost
+        - mattermost/mattermost
   {{- end }}
 
   namespacesHaveIstio:
@@ -80,10 +76,10 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
 
   {{- if .Values.logging.enabled }}
   noPrivilegedContainers:
-    match:
-      excludedNamespaces:
+    parameters:
+      excludedResources:
         # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
-        - logging
+        - logging/fluent-bit
   {{- end }}
 
   podsHaveIstio:
@@ -96,53 +92,49 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
 
   {{- if or .Values.monitoring.enabled .Values.twistlock.enabled }}
   restrictedTaint:
-    {{- if .Values.monitoring.enabled }}
-    match:
-      excludedNamespaces:
-        # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
-        - monitoring
-    {{- end }}
-    {{- if .Values.twistlock.enabled }}
     parameters:
       excludedResources:
-        - twistlock/twistlock-defender-ds-.*
-    {{- end }}
+      {{- if .Values.monitoring.enabled }}
+      # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
+      - monitoring/monitoring-monitoring-prometheus-node-exporter-.*
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      - twistlock/twistlock-defender-ds-.*
+      {{- end }}
   {{- end }}
 
   {{- if or .Values.logging.enabled .Values.twistlock.enabled }}
   selinuxPolicy:
-    {{- if .Values.logging.enabled }}
-    match:
-      excludedNamespaces:
-        # FluentBit needs selinux option type spc_t
-        - logging
-    {{- end }}
-    {{- if .Values.twistlock.enabled }}
     parameters:
       excludedResources:
-        # Twistlock Defenders need selinux option type spc_t
-        - twistlock/twistlock-defender
-    {{- end }}
+      {{- if .Values.logging.enabled }}
+      # FluentBit needs selinux option type spc_t
+      - logging/fluent-bit
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      # Twistlock Defenders need selinux option type spc_t
+      - twistlock/twistlock-defender
+      {{- end }}
   {{- end }}
 
   {{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}
   volumeTypes:
-    match:
-      excludedNamespaces:
+    parameters:
+      excludedResources:
        {{- if .Values.fluentbit.enabled }}
         # fluent-bit container requires certain host level access to ship logs and for keep track of state
         # https://docs.fluentbit.io/manual/pipeline/filters/kubernetes#workflow-of-tail-kubernetes-filter
-        - logging
+        - logging/logging-fluent-bit-.*
        {{- end }}
        {{- if .Values.twistlock.enabled }}
         # Twistlock requires /dev/log for its syslog daemon.
         # https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/audit/logging.html#
-        - twistlock
+        - twistlock/twistlock-defender-ds-.*
        {{- end }}
        {{- if .Values.monitoring.enabled }}
         # Prometheus node exported requires hostpath hardcoded in upstream chart on which monitoring pkg has a direct dependency
         # https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-node-exporter/templates/daemonset.yaml#L150
-        - monitoring
+        - monitoring/monitoring-monitoring-prometheus-node-exporter-.*
        {{- end }}
   {{- end }}
 {{- end -}}