

make all kyverno policies optional and disabled by default (#872)
Signed-off-by: Johannes Kleinlercher <[email protected]>
jkleinlercher authored Nov 26, 2024
1 parent 27e5516 commit 2637213
Showing 4 changed files with 12 additions and 4 deletions.
@@ -1,3 +1,4 @@
{{ if has "policy-kubevirt-rolebinding" .Values.kyvernoPolicies }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -9,4 +10,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: kyverno-background-controller
namespace: kyverno
namespace: kyverno
{{- end }}
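Review bot: The guard `has "policy-kubevirt-rolebinding" .Values.kyvernoPolicies` matches a free-form string, so a misspelled entry in a values file renders nothing and the policy is silently absent instead of failing the install. The same applies to the `add-labels-to-cm-velero` guard and the second `policy-kubevirt-rolebinding` guard in the two ClusterPolicy templates of this commit. Because these entries now decide whether admission guardrails exist at all, consider constraining `kyvernoPolicies` with an enum of the known policy names in the chart's `values.schema.json`, so `helm lint` and `helm install` reject unknown entries. The template body between the two hunks is not shown here.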
@@ -1,3 +1,4 @@
{{ if has "add-labels-to-cm-velero" .Values.kyvernoPolicies }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
@@ -31,3 +32,4 @@ spec:
labels:
velero.io/exclude-from-backup: "true"
skipBackgroundRequests: true
{{- end }}
@@ -1,3 +1,4 @@
{{ if has "policy-kubevirt-rolebinding" .Values.kyvernoPolicies }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
@@ -39,4 +40,5 @@ spec:
kind: ClusterRole
name: kubevirt-datavolume-permission
apiGroup: rbac.authorization.k8s.io
{{- end }}

8 changes: 5 additions & 3 deletions platform-apps/charts/kyverno/values.yaml
@@ -1,6 +1,8 @@
kyvernoPolicies:
- add-ns-quota
- kargo-project-name-validation-apps-in-any-ns
# per default no kyvernoPolicies get applied, add them in the list in your values files to enable them
kyvernoPolicies: []
# - add-ns-quota
# - kargo-project-name-validation-apps-in-any-ns
# - policy-kubevirt-rolebinding

kyverno:
admissionController:
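Review bot: The default for `kyvernoPolicies` changes from two enabled entries to `[]`, so installs that relied on the chart defaults will presumably lose `add-ns-quota` and `kargo-project-name-validation-apps-in-any-ns` on the next upgrade with no signal (their templates are not part of this commit, so this assumes they are gated on the same list). The comment above the key should say so, for example `# NOTE: add-ns-quota and kargo-project-name-validation-apps-in-any-ns were enabled by default before this change; list them explicitly to keep them`. The commented example list also omits `add-labels-to-cm-velero`, which the velero ClusterPolicy template in this commit checks for; adding `# - add-labels-to-cm-velero` would make the list of selectable policies complete.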
