Add ability to define Policy Exception Objects
Feature Request
Why
Although Kyverno policies contain multiple methods to provide fine-grained control over which resources they act upon (usually in the form of match/exclude blocks, preconditions at multiple hierarchies, anchors, and more), all of these mechanisms have in common that the resources they are intended to exclude must be named in the same rule definition. This may be limiting in situations where policies are not directly editable, or where editing them imposes an operational burden.
For example, in organizations where multiple teams must interact with the same cluster, the team responsible for policy authoring and administration may not be the same team responsible for submitting resources. In these cases, it can be advantageous to decouple the policy definition from certain exclusions. Additionally, there are often situations where an organization or team must allow a one-time exception that would violate an otherwise valid rule, provided the risks are known and acceptable.
What is the use case for the feature you are requesting? What are you trying to solve?
Imagine a validate policy exists in Enforce mode which mandates that all Pods must not mount host namespaces. A separate team has a legitimate need to run a specific tool in this cluster for a limited time which violates this policy. Normally, the policy would block such a "bad" Pod unless the policy had previously been altered to allow said Pod to run. Rather than making adjustments to the policy, an exception may be granted.
Proposed Solution
1. Add a new top-level key called policyExceptions in values.yaml. Each entry is keyed by the exception name and carries enabled, kind, namespace, optional annotations, and the PolicyException spec.
2. Add a new template called policyexceptions.yaml:
    {{- /* Render one PolicyException per entry under .Values.policyExceptions */}}
    {{- range $name, $values := .Values.policyExceptions }}
    {{- if and $.Values.enabled $values.enabled }}
    {{- /* kind is optional and defaults to PolicyException; anything else is rejected */}}
    {{- $kind := default "PolicyException" $values.kind }}
    {{- if not (has $kind (list "PolicyException")) }}
    {{- fail (printf "Invalid kind (%s) for policy exception named %s." $kind $name) }}
    {{- end }}
    ---
    apiVersion: kyverno.io/v2beta1
    kind: {{ $kind }}
    metadata:
      name: {{ $name }}
      {{- /* PolicyException is namespaced, so a namespace is mandatory */}}
      {{- if $values.namespace }}
      namespace: {{ $values.namespace }}
      {{- else }}
      {{- fail (printf "PolicyException named %s requires a namespace." $name) }}
      {{- end }}
      annotations: {{- toYaml (default dict $values.annotations) | nindent 4 }}
      labels: {{- include "kyverno-policies.labels" $ | nindent 4 }}
    spec: {{- toYaml $values.spec | nindent 2 }}
    {{- end }}
    {{- end }}
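As an added illustration (not part of this request or of the kyverno-policies chart), here is a values.yaml fragment the template above would consume, covering the host-namespaces use case described earlier. The exception name, the namespace values, the Pod name prefix and the annotation are constructed for this example; the policy name disallow-host-namespaces and rule name host-namespaces are assumed to match the chart's Pod Security policy of that name, and the spec follows the kyverno.io/v2beta1 PolicyException schema (exceptions and match).

```yaml
# Added example values.yaml fragment (constructed; names are assumptions)
policyExceptions:
  host-namespaces-debug-tool:
    enabled: true
    # kind is optional; the template defaults it to PolicyException
    kind: PolicyException
    # PolicyException is namespaced; the template fails rendering without this
    namespace: kyverno
    annotations:
      # Record why the exception exists and when it should be revisited
      example.org/reason: "temporary node debugger, ticket PLACEHOLDER-123"
    spec:
      exceptions:
        # Which policy and which rule(s) within it are exempted
        - policyName: disallow-host-namespaces
          ruleNames:
            - host-namespaces
      match:
        any:
          # Scope the exemption as narrowly as possible: one kind,
          # one namespace, one name pattern, rather than all Pods
          - resources:
              kinds:
                - Pod
              namespaces:
                - tooling
              names:
                - "node-debugger-*"
```

Rendering this with the template yields a single PolicyException named host-namespaces-debug-tool in the kyverno namespace whose spec block is copied verbatim, so the match is the one place where the blast radius of the exception is controlled; an entry with enabled: false is skipped entirely, which gives reviewers an obvious switch for turning a time-limited exception off without deleting the record of it.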