Skip to content

[Feature] Ability to install namespaced Policy resources from kyverno-policies chart #4317

New issue
New issue
Closed
#8827
Closed
[Feature] Ability to install namespaced Policy resources from kyverno-policies chart#4317
#8827
Assignees
treydock
Labels
enhancementNew feature or requesthelmIssues dealing with the Helm chart
@adabuleanu

Description

@adabuleanu
adabuleanu
opened on Aug 9, 2022

Problem Statement

The current kyverno-policies chart installs ClusterPolicy resources which apply to the entire cluster.
I want to be able to use the chart to install the same policies but in a specific namespace (Policy resource).
The reason is that not all charts inside my cluster can implement PSS standards, so I need to add exceptions. This feature request #2277 with corresponding implementation #3051 is very useful for the my specific scenario because I can install the Kyverno policies together with the application charts and provide exceptions during install time. But, I want to be able to do this at namespace level, not at cluster level. When a new application chart is deployed, the alternative right now is to update the existing ClusterPolicy with the exceptions, which has a couple of disadvantages: permission issues to update ClusterPolicy, cumbersome deployment process (updating an existing resource vs creating a new one). Multiple policies to apply to the same resource is not an option as this is not supported by Kyverno .

Solution Description

The kyverno-policies chart should implement something like:

# values.yaml
policyNamespaced: 
  enabled: false
  namespace: ""

# policy example
apiVersion: kyverno.io/v1
{{- if (default .Values.policyNamespaced.enabled true) }}
kind: Policy
{{- else }}
kind: ClusterPolicy
{{- end }}
metadata:
  name: {{ $name }}
{{- if (default .Values.policyNamespaced.enabled true) }}
  namespace: {{ .Values.policyNamespaced.namespace }}
{{- end }}

And the cli installation can look something like:

helm install kyverno-policies kyverno/kyverno-policies --set policyNamespaced.enabled=true --set policyNamespaced.namespace=my-namespace

Alternatives

If there is a better approach of how to architect the whole process using ClusterPolicy, please let me know.

Additional Context

I am migrating from PSP to Kyverno and this is the best approach that I've found so far on how to confine Kyverno Polices with application charts. Alternately I am thinking of deploying a ClusterPolicy to mandate that each Pod in a namespace must be validated by a Kyverno Policy (still researching what option Kyverno provides on this). If there is a better approach of how to architect the whole process using ClusterPolicy and my use cases, please let me know.

Slack discussion

No response

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requesthelmIssues dealing with the Helm chart

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions