Add policy exception so that controller can be deployed in bootstrap …

…mode (uses host network) (#1215)
giantswarm · Nov 22, 2023 · 0f38807 · 0f38807
1 parent d810f44
commit 0f38807
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Fixed
+
+- Add policy exception so that controller can be deployed in bootstrap mode (uses host network)
+
 ## [6.10.0] - 2023-11-15
 
 ### Added

diff --git a/helm/app-operator/templates/policyexception.yaml b/helm/app-operator/templates/policyexception.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.kyvernoPolicyExceptions.enabled }}
+{{- if .Values.bootstrapMode.enabled }}
+{{- if .Capabilities.APIVersions.Has "kyverno.io/v2alpha1/PolicyException" -}}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: {{ include "resource.default.name" . }}-bootstrap-mode
+  namespace: {{ include "resource.default.namespace" . }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+spec:
+  exceptions:
+    - policyName: disallow-host-namespaces
+      ruleNames:
+        - autogen-host-namespaces
+        - host-namespaces
+  match:
+    any:
+    - resources:
+        kinds:
+          - Deployment
+          - ReplicaSet
+          - Pod
+        namespaces:
+          - {{ include "resource.default.namespace" . }}
+        names:
+          - "{{ include "resource.default.name" . }}*"
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/app-operator/values.yaml b/helm/app-operator/values.yaml
@@ -99,3 +99,6 @@ serviceMonitor:
 
 podSecurityStandards:
   enforced: false
+
+kyvernoPolicyExceptions:
+  enabled: true