
Kyverno excludeContainers policy syntax issue

Bug

Description

The restrict-capabilities.yaml file has a "kyverno-policies.excludeContainers" policy at the end of it. The capabilities list is "NET_BIND_SERVICE || NET_ADMIN || NET_RAW" or similar, but doing it like this meant the "add" field was a string, but we provided an array and it broke. Changing the policy to an array of !… strings fixes that problem.

Here is the suggested change to the policy to produce an array of strings instead:

=(add): {{ toJson (dig $name "parameters" "allow" nil .Values.policies) }}
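An added example (not code from this issue or from Big Bang) that reproduces the string-versus-array difference with Go's text/template, the engine Helm renders charts with. Sprig's toJson is stood in by encoding/json, and the `.allow` value is a constructed stand-in for the `allow` list the `dig` call reads from .Values.policies.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)
// Constructed stand-in for the .Values.policies.<name>.parameters.allow list.
var allowedCaps = []string{"NET_BIND_SERVICE", "NET_ADMIN", "NET_RAW"}

// renderAdd renders the "=(add):" line of the Kyverno pattern with expr as its
// value; toJson stands in for the Sprig function Helm ships (text/template has none).
func renderAdd(expr string, allow []string) (string, error) {
	funcs := template.FuncMap{"toJson": func(v interface{}) (string, error) {
		b, err := json.Marshal(v)
		return string(b), err
	}}
	tmpl, err := template.New("add").Funcs(funcs).Parse("=(add): " + expr)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, map[string]interface{}{"allow": allow})
	return buf.String(), err
}

// RenderedValue returns the rendered value after "=(add): " and the strings it
// decodes to as a JSON/YAML flow sequence; the slice is nil when the value is
// not a list of separate strings (a YAML parser would not see three items).
func RenderedValue(expr string) (string, []string) {
	line, err := renderAdd(expr, allowedCaps)
	if err != nil {
		return "", nil
	}
	val := strings.TrimPrefix(line, "=(add): ")
	var caps []string
	if json.Unmarshal([]byte(val), &caps) != nil {
		return val, nil
	}
	return val, caps
}

func main() {
	naive, _ := RenderedValue("{{ .allow }}")        // [NET_BIND_SERVICE NET_ADMIN NET_RAW]
	fixed, _ := RenderedValue("{{ toJson .allow }}") // ["NET_BIND_SERVICE","NET_ADMIN","NET_RAW"]
	fmt.Printf("naive: %s\nfixed: %s\n", naive, fixed)
}
```

Interpolating the list directly emits Go's slice formatting as one bracketed token, which is why the "add" field arrived as a string; toJson emits a proper flow sequence that Kyverno reads as an array of strings.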

BigBang Version

Latest