Commit c864090

Apply Kyverno policies to E2E test namespaces too
By using ClusterPolicy with exclusion rules for the namespaces of non-compliant E2E test tools.

Signed-off-by: Richard Wall <richard.wall@venafi.com>
1 parent 2f6e9f4 commit c864090

2 files changed

Lines changed: 264 additions & 66 deletions

make/config/kyverno/kustomization.yaml

Lines changed: 17 additions & 9 deletions
@@ -9,16 +9,24 @@ resources:
99
- https://github.com/kyverno/policies/pod-security/enforce
1010
- https://raw.githubusercontent.com/kyverno/policies/main/other/res/restrict-automount-sa-token/restrict-automount-sa-token.yaml
1111
- https://github.com/kyverno/policies/raw/main//best-practices/require-ro-rootfs/require-ro-rootfs.yaml
12+
1213
patches:
13-
- patch: |-
14-
- op: replace
15-
path: /kind
16-
value: Policy
17-
- op: add
18-
path: /metadata/namespace
19-
value: cert-manager
14+
- target:
15+
kind: ClusterPolicy
16+
patch: |-
2017
- op: replace
2118
path: /spec/validationFailureAction
2219
value: Enforce
23-
target:
24-
kind: ClusterPolicy
20+
- op: add
21+
path: /spec/rules/0/exclude
22+
value:
23+
resources:
24+
namespaces:
25+
- bind
26+
- e2e-vault
27+
- gateway-system
28+
- ingress-nginx
29+
- pebble
30+
- projectcontour
31+
- sample-external-issuer-system
32+
- samplewebhook
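
Review bot: the exclusion is added only at `/spec/rules/0/exclude`, so on any ClusterPolicy matched by this target that has more than one rule, the rules at index 1 and above stay in Enforce mode for bind, e2e-vault and the other listed namespaces, and pods of the E2E tools there can still be rejected. Because a JSON Patch `add` on an existing member replaces it, a policy whose first rule already carries an `exclude` block would have that block overwritten by this namespace list. Consider targeting the exclusion per policy (or covering every rule index), and add a comment in the kustomization stating why each namespace is exempt, so the list can shrink as those tools become compliant.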
