From d3a6b9ba99ebe7d4b55c2cea256aa9f02b23229c Mon Sep 17 00:00:00 2001
From: QuentinBisson
Date: Thu, 5 Oct 2023 16:06:47 +0200
Subject: [PATCH] Add kyverno policy exception
Signed-off-by: QuentinBisson
---
 CHANGELOG.md | 1 +
 .../kyverno-policy-exception.yaml | 53 ++++++++++++++++++
 .../values.schema.json | 54 ++++++++++++++++++-
 helm/prometheus-operator-app/values.yaml | 4 ++
 4 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 helm/prometheus-operator-app/templates/prometheus-node-exporter/kyverno-policy-exception.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f3c648fc..31b5fe83 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 ### Changed
 - Upgraded chart dependency to [kube-prometheus-stack-51.0.2](https://github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-51.0.2)
+- Add kyverno policy exceptions for node exporter.
 ## [6.1.0] - 2023-09-12
diff --git a/helm/prometheus-operator-app/templates/prometheus-node-exporter/kyverno-policy-exception.yaml b/helm/prometheus-operator-app/templates/prometheus-node-exporter/kyverno-policy-exception.yaml
new file mode 100644
index 00000000..f549dcab
--- /dev/null
+++ b/helm/prometheus-operator-app/templates/prometheus-node-exporter/kyverno-policy-exception.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.kyvernoPolicyExceptions.enabled (index .Values "prometheus-operator-app" "nodeExporter" "enabled") }}
+{{- if .Capabilities.APIVersions.Has "kyverno.io/v2alpha1/PolicyException" -}}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ labels:
+ {{- include "prometheus-node-exporter.labels" . | nindent 4 }}
+ name: {{ include "prometheus-node-exporter.fullname" . }}-exceptions
+ namespace: {{ .Values.kyvernoPolicyExceptions.namespace | default (include "prometheus-node-exporter.namespace" .) }}
+spec:
+ exceptions:
+ - policyName: disallow-host-path
+ ruleNames:
+ - host-path
+ - autogen-host-path
+ - policyName: disallow-privilege-escalation
+ ruleNames:
+ - privilege-escalation
+ - autogen-privilege-escalation
+ - policyName: disallow-capabilities-strict
+ ruleNames:
+ - require-drop-all
+ - autogen-require-drop-all
+ - policyName: disallow-host-namespaces
+ ruleNames:
+ - host-namespaces
+ - autogen-host-namespaces
+ - policyName: disallow-host-ports
+ ruleNames:
+ - host-ports-none
+ - autogen-host-ports-none
+ - policyName: restrict-seccomp-strict
+ ruleNames:
+ - check-seccomp-strict
+ - autogen-check-seccomp-strict
+ - policyName: restrict-volume-types
+ ruleNames:
+ - restricted-volumes
+ - autogen-restricted-volumes
+ match:
+ any:
+ - resources:
+ kinds:
+ - DaemonSet
+ - Pod
+ namespaces:
+ - {{ include "prometheus-node-exporter.namespace" . }}
+ names:
+ - {{ include "prometheus-node-exporter.fullname" . }}*
+ {{- end -}}
+{{- end -}}
diff --git a/helm/prometheus-operator-app/values.schema.json b/helm/prometheus-operator-app/values.schema.json
index d1f79443..f32511b8 100644
--- a/helm/prometheus-operator-app/values.schema.json
+++ b/helm/prometheus-operator-app/values.schema.json
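Review bot: The match block at the end of the hunk exempts every DaemonSet and Pod in the node-exporter namespace whose name starts with `{{ include "prometheus-node-exporter.fullname" . }}` (the trailing `*` is a prefix wildcard), and it exempts them from `disallow-privilege-escalation` and `disallow-capabilities-strict` in addition to the host-access rules. Host path, host namespaces and host ports are what a node exporter needs; unless the rendered DaemonSet actually sets allowPrivilegeEscalation or adds capabilities, those two entries widen a standing exemption for no benefit, so they are worth checking against the chart's node-exporter pod spec and dropping if the workload does not need them. A header comment above `spec:` stating why each policy is excepted, e.g. `# node exporter mounts /proc and /sys from the host and runs with hostNetwork/hostPID, which the host-* and volume policies forbid`, would make later audits of this exemption much easier. Presumably the `pre-install,pre-upgrade` hook is there so the exception exists before the DaemonSet is admitted; the cost is that Helm does not track hook resources as part of the release, so as far as I can tell the exception outlives `helm uninstall`, and a comment above the annotation saying so and how it gets cleaned up would be appropriate.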
@@ -14,6 +14,14 @@
 "create": {
 "type": "boolean"
 },
+ "pspAnnotations": {
+ "type": "object",
+ "properties": {
+ "seccomp.security.alpha.kubernetes.io/allowedProfileNames": {
+ "type": "string"
+ }
+ }
+ },
 "pspEnabled": {
 "type": "boolean"
 }
@@ -21,6 +29,17 @@
 }
 }
 },
+ "kyvernoPolicyExceptions": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "namespace": {
+ "type": "string"
+ }
+ }
+ },
 "prometheus-operator-app": {
 "type": "object",
 "properties": {
@@ -201,6 +220,9 @@
 "enabled": {
 "type": "boolean"
 },
+ "flavor": {
+ "type": "string"
+ },
 "ingress": {
 "type": "array",
 "items": {
@@ -654,9 +676,15 @@
 "items": {
 "type": "object",
 "properties": {
- "replacement": {
+ "action": {
 "type": "string"
 },
+ "sourceLabels": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
 "targetLabel": {
 "type": "string"
 }
@@ -688,9 +716,15 @@
 "items": {
 "type": "object",
 "properties": {
- "replacement": {
+ "action": {
 "type": "string"
 },
+ "sourceLabels": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
 "targetLabel": {
 "type": "string"
 }
@@ -763,6 +797,14 @@
 "prometheus-node-exporter": {
 "type": "object",
 "properties": {
+ "image": {
+ "type": "object",
+ "properties": {
+ "repository": {
+ "type": "string"
+ }
+ }
+ },
 "rbac": {
 "type": "object",
 "properties": {
@@ -824,6 +866,14 @@
 }
 }
 },
+ "podAnnotations": {
+ "type": "object",
+ "properties": {
+ "cluster-autoscaler.kubernetes.io/safe-to-evict": {
+ "type": "string"
+ }
+ }
+ },
 "prometheusConfigReloader": {
 "type": "object",
 "properties": {
diff --git a/helm/prometheus-operator-app/values.yaml b/helm/prometheus-operator-app/values.yaml
index a336847e..94c56ef7 100644
--- a/helm/prometheus-operator-app/values.yaml
+++ b/helm/prometheus-operator-app/values.yaml
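Review bot: The two relabeling hunks (`@@ -654` and `@@ -688`) drop `"replacement"` from the item schema while adding `"action"` and `"sourceLabels"`; if the enclosing object declares `additionalProperties: false` (not visible in the patch), any existing values file that still sets `replacement` stops validating, so keeping `"replacement": { "type": "string" },` next to the new properties is the safer change. The `kyvernoPolicyExceptions` block at `@@ -21` matches the new values keys, but the `pspAnnotations`, `flavor`, `image` and `podAnnotations` additions are unrelated to the policy-exception change named in the subject and would be easier to review as their own commit. This is inferred from the hunks alone; the surrounding schema objects start outside the patch.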
@@ -6,6 +6,10 @@ global:
 pspAnnotations:
 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+kyvernoPolicyExceptions:
+ enabled: true
+ namespace: giantswarm
+
 prometheus-operator-app:
 alertmanager:
 alertmanagerSpec:
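Review bot: `kyvernoPolicyExceptions.enabled: true` turns the node-exporter policy exemption on by default for every install that enables the node exporter, and `namespace: giantswarm` is a fixed value with no comment saying what it has to be, while the template falls back to the node-exporter namespace when it is unset. A short comment would help operators set it correctly, e.g. `# Namespace the PolicyException is created in — presumably the one Kyverno is configured to accept exceptions from; leave unset to fall back to the node-exporter namespace.` Noting in the same place that the default opens a standing exemption for the node-exporter workloads makes the default-on choice deliberate rather than incidental.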