Giant Swarm offers a kyverno-policy-operator App which can be installed in workload clusters. Here we define the kyverno-policy-operator chart with its templates and default configuration.
Kyverno Policy Operator reconciles the Giant Swarm PolicyException instances and creates the necessary Kyverno PolicyExceptions objects.
A Giant Swarm PolicyException consists of a list of Policies and Targets to be excluded from the Kyverno Policy Engine. Having a Giant Swarm PolicyException will ensure that workloads targeted by that policy won't be blocked during Admission time by Kyverno.
In some cases, it may be necessary to exempt specific resources from the enforcement of Kyverno policies, such as disallow-privilege-escalation and require-run-as-nonroot. To achieve this, you can create a Giant Swarm PolicyException. Below is an example of how to exclude the my-custom-operator Deployment in the default namespace from these policies:
apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyException
metadata:
name: my-custom-operator
namespace: policy-exceptions
spec:
policies:
- disallow-privilege-escalation
- require-run-as-nonroot
targets:
- kind: Deployment
names:
- my-custom-operator
namespaces:
- defaultThis Policy Exception configuration will be detected by the Kyverno Policy Operator, which will create a corresponding Kyverno Policy Exception resource:
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
labels:
app.kubernetes.io/managed-by: kyverno-policy-operator
name: my-custom-operator
namespace: policy-exceptions
(...)
spec:
background: false
exceptions:
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- autogen-cronjob-run-as-non-root
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- autogen-cronjob-privilege-escalation
match:
any:
- resources:
kinds:
- Deployment
- ReplicaSet
- Pod
names:
- my-custom-operator*
namespaces:
- defaultThere are several ways to install this app onto a workload cluster.
- Using GitOps to instantiate the App
- Using our web interface.
- By creating an App resource in the management cluster as explained in Getting started with App Platform.
This is an example of a values file you could upload using our web interface.
# Set the PolicyExceptions destination namespace
policyOperator:
destinationNamespace: ""If you have access to the Kubernetes API on the management cluster, you could create the App CR and ConfigMap directly.
Here is an example that would install the app to
workload cluster abc12:
# appCR.yaml
apiVersion: application.giantswarm.io/v1alpha1
kind: App
metadata:
name: kyverno-policy-operator
namespace: demo01
spec:
catalog: giantswarm-playground-test
config:
configMap:
name: demo01-cluster-values
namespace: demo01
name: kyverno-policy-operator
namespace: kyverno-policy-operator
version: 0.0.1# user-values-configmap.yaml
policyOperator:
destinationNamespace: "policy-exceptions"See our full reference on how to configure apps for more details.
This app has been tested to work with the following workload cluster release versions:
- v19.1.0
This App needs Kyverno App v0.15+ to be installed in the cluster.