Add kyverno policy exception

Signed-off-by: QuentinBisson <[email protected]>
giantswarm · Oct 5, 2023 · d3a6b9b · d3a6b9b
1 parent eaf8b03
commit d3a6b9b
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 ### Changed
 
 - Upgraded chart dependency to [kube-prometheus-stack-51.0.2](https://github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-51.0.2)
+- Add kyverno policy exceptions for node exporter.
 
 ## [6.1.0] - 2023-09-12
 

diff --git a/.../prometheus-operator-app/templates/prometheus-node-exporter/kyverno-policy-exception.yaml b/.../prometheus-operator-app/templates/prometheus-node-exporter/kyverno-policy-exception.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.kyvernoPolicyExceptions.enabled (index .Values "prometheus-operator-app" "nodeExporter" "enabled") }}
+{{- if .Capabilities.APIVersions.Has "kyverno.io/v2alpha1/PolicyException" -}}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+  labels:
+    {{- include "prometheus-node-exporter.labels" . | nindent 4 }}
+  name: {{ include "prometheus-node-exporter.fullname" . }}-exceptions
+  namespace: {{ .Values.kyvernoPolicyExceptions.namespace | default (include "prometheus-node-exporter.namespace" .) }}
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - host-path
+    - autogen-host-path
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  - policyName: disallow-host-ports
+    ruleNames:
+    - host-ports-none
+    - autogen-host-ports-none
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  - policyName: restrict-volume-types
+    ruleNames:
+    - restricted-volumes
+    - autogen-restricted-volumes
+  match:
+    any:
+    - resources:
+        kinds:
+        - DaemonSet
+        - Pod
+        namespaces:
+        - {{ include "prometheus-node-exporter.namespace" . }}
+        names:
+        - {{ include "prometheus-node-exporter.fullname" . }}*
+  {{- end -}}
+{{- end -}}
diff --git a/helm/prometheus-operator-app/values.schema.json b/helm/prometheus-operator-app/values.schema.json
@@ -14,13 +14,32 @@
                         "create": {
                             "type": "boolean"
                         },
+                        "pspAnnotations": {
+                            "type": "object",
+                            "properties": {
+                                "seccomp.security.alpha.kubernetes.io/allowedProfileNames": {
+                                    "type": "string"
+                                }
+                            }
+                        },
                         "pspEnabled": {
                             "type": "boolean"
                         }
                     }
                 }
             }
         },
+        "kyvernoPolicyExceptions": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                },
+                "namespace": {
+                    "type": "string"
+                }
+            }
+        },
         "prometheus-operator-app": {
             "type": "object",
             "properties": {
@@ -201,6 +220,9 @@
                                 "enabled": {
                                     "type": "boolean"
                                 },
+                                "flavor": {
+                                    "type": "string"
+                                },
                                 "ingress": {
                                     "type": "array",
                                     "items": {
@@ -654,9 +676,15 @@
                                     "items": {
                                         "type": "object",
                                         "properties": {
-                                            "replacement": {
+                                            "action": {
                                                 "type": "string"
                                             },
+                                            "sourceLabels": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
                                             "targetLabel": {
                                                 "type": "string"
                                             }
@@ -688,9 +716,15 @@
                                     "items": {
                                         "type": "object",
                                         "properties": {
-                                            "replacement": {
+                                            "action": {
                                                 "type": "string"
                                             },
+                                            "sourceLabels": {
+                                                "type": "array",
+                                                "items": {
+                                                    "type": "string"
+                                                }
+                                            },
                                             "targetLabel": {
                                                 "type": "string"
                                             }
@@ -763,6 +797,14 @@
                 "prometheus-node-exporter": {
                     "type": "object",
                     "properties": {
+                        "image": {
+                            "type": "object",
+                            "properties": {
+                                "repository": {
+                                    "type": "string"
+                                }
+                            }
+                        },
                         "rbac": {
                             "type": "object",
                             "properties": {
@@ -824,6 +866,14 @@
                                 }
                             }
                         },
+                        "podAnnotations": {
+                            "type": "object",
+                            "properties": {
+                                "cluster-autoscaler.kubernetes.io/safe-to-evict": {
+                                    "type": "string"
+                                }
+                            }
+                        },
                         "prometheusConfigReloader": {
                             "type": "object",
                             "properties": {

diff --git a/helm/prometheus-operator-app/values.yaml b/helm/prometheus-operator-app/values.yaml
@@ -6,6 +6,10 @@ global:
     pspAnnotations:
       seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
 
+kyvernoPolicyExceptions:
+  enabled: true
+  namespace: giantswarm
+
 prometheus-operator-app:
   alertmanager:
     alertmanagerSpec: