Gatekeeper default policy blocking twistlock

Package Owner Merge Request

Package Changes

Added twistlock/twistlock-defender-ds-.* as an excludedResource for the following OPA Gatekeeper violations: restrictedTaint, allowedHostFilesystem, hostNetworking, and noHostNamespace.

#831 Fixed the problem for monitoring that was mentioned in this issue.

Once the MR is ready for review also add the status::review label.

Closes #668 (closed)

chart/templates/gatekeeper/values.yaml

@@ -34,7 +34,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         - mattermost/init-check-database
       {{- end }}
 
-  {{- if or .Values.monitoring.enabled .Values.fluentbit.enabled }}
+  {{- if or .Values.monitoring.enabled (or .Values.fluentbit.enabled .Values.twistlock.enabled) }}
   allowedHostFilesystem:
     {{- if .Values.monitoring.enabled }}
     match:
@@ -42,14 +42,30 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         # Prometheus-node-exporter needs access to host to get node metrics
         - monitoring
     {{- end }}
-    {{- if .Values.fluentbit.enabled }}
+    {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled }}
     parameters:
       excludedResources:
+        {{- if .Values.fluentbit.enabled }}
         # Fluentbit pods need access to host to get log files
         - logging/logging-fluent-bit-.*
+        {{- end }}
+        {{- if .Values.twistlock.enabled }}
+        - twistlock/twistlock-defender-ds-.*
+        {{- end }}
     {{- end }}
   {{- end }}
 
+  {{- if .Values.twistlock.enabled }}
+  hostNetworking:
+    parameters:
+      excludedResources:
+        - twistlock/twistlock-defender-ds-.*
+  noHostNamespace:
+    parameters:
+      excludedResources:
+        - twistlock/twistlock-defender-ds-.*
+  {{- end }}
+
   {{- if .Values.addons.mattermost.enabled }}
   httpsOnly:
     match:
@@ -78,12 +94,19 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         - istio-operator
         - istio-system
 
-  {{- if .Values.monitoring.enabled }}
+  {{- if or .Values.monitoring.enabled .Values.twistlock.enabled }}
   restrictedTaint:
+    {{- if .Values.monitoring.enabled }}
     match:
       excludedNamespaces:
         # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
         - monitoring
+    {{- end }}
+    {{- if .Values.twistlock.enabled }}
+    parameters:
+      excludedResources:
+        - twistlock/twistlock-defender-ds-.*
+    {{- end }}
   {{- end }}
 
   {{- if .Values.logging.enabled }}