@treydock commented Jan 23, 2022

Related issue

Fixes #2277

Milestone of this PR

/milestone 1.6.0

What type of PR is this

/kind feature

Proposed Changes

Allow individual policies managed by Helm to have custom excludes.

Proof Manifests

Added a Helm testing test YAML that is run by ct install during E2E tests.

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • I have added tests that prove my fix is effective or that my feature works.
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the doc update and the link is:

Further Comments

Fixes kyverno#2277

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
@treydock
Contributor Author

@realshuting I forget, do I bump the Helm chart version in the Pull Request or is that handled when tags are created?

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
@treydock
Contributor Author

There is an issue with this that I need to resolve before merge: I need to handle cases where policies have multiple rules and might want to exclude something from just one rule and not the entire policy.

@treydock treydock marked this pull request as draft January 25, 2022 14:58
Use match.any to allow for also having exclude.any

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Add extra information to comments

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
@treydock
Contributor Author

I switched all policies to be include.any because I found I couldn't use exclude.any with the old include definitions.

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
@treydock treydock marked this pull request as ready for review January 27, 2022 15:25
@treydock treydock requested a review from realshuting January 27, 2022 15:25
@treydock
Contributor Author

@realshuting Hope it's okay to slate this for 1.6.1, rather than waiting for 1.7.0. This is a feature to Helm charts, no breaking changes. It also might be the case this is superseded by PR to get new pod security chart into 1.6.0 as I can just integrate these changes into that PR.

@treydock
Contributor Author

This is replicated in #3126. This pull request was built against Kyverno 1.5.x charts so if this change is desired for Kyverno 1.5.x or charts 2.0.x then this would need to be targeted for 1.5 release branch.

@realshuting realshuting self-assigned this Feb 7, 2022
@realshuting
Member

@treydock - Sorry I missed this change before. Is this still needed, or can we close the PR?

@treydock
Contributor Author

Can close. I only left open in case wanted to do this backport to 1.5 release.


Successfully merging this pull request may close these issues.

[Chart] Ability to exclude specific resources from baseline policies