Fix kyverno namespaces (#92)

XenitAB · Dec 15, 2020 · 36dd48f · 36dd48f
1 parent 6fc47b1
commit 36dd48f
Show file tree

Hide file tree

Showing 9 changed files with 30 additions and 17 deletions.
diff --git a/modules/kubernetes/aks-core/modules.tf b/modules/kubernetes/aks-core/modules.tf
@@ -1,3 +1,7 @@
+locals {
+  excluded_namespaces = ["kube-system", "gatekeeper-system", "aad-pod-identity", "cert-manager", "ingress-nginx", "velero", "azdo-proxy", "flux-system", "external-dns", "kyverno", "csi-secrets-store-provider-azure"]
+}
+
 # OPA Gatekeeper
 module "opa_gatekeeper" {
   for_each = {
@@ -10,7 +14,7 @@ module "opa_gatekeeper" {
 
   exclude = [
     {
-      excluded_namespaces = ["kube-system", "gatekeeper-system", "aad-pod-identity", "cert-manager", "ingress-nginx", "velero", "azdo-proxy", "flux-system", "external-dns", "kyverno", "csi-secrets-store-provider-azure"]
+      excluded_namespaces = local.excluded_namespaces
       processes           = ["*"]
     }
   ]
@@ -193,7 +197,7 @@ module "kyverno" {
 
   source = "../../kubernetes/kyverno"
 
-  namespaces = [for ns in var.namespaces : ns.name]
+  excluded_namespaces = local.excluded_namespaces
 }
 
 # csi-secrets-store-provider-azure
@@ -207,4 +211,4 @@ module "csi_secrets_store_provider_azure" {
   }
 
   source = "../../kubernetes/csi-secrets-store-provider-azure"
-}
+}
diff --git a/modules/kubernetes/eks-core/modules.tf b/modules/kubernetes/eks-core/modules.tf
@@ -1,3 +1,7 @@
+locals {
+  excluded_namespaces = ["kube-system", "gatekeeper-system", "cert-manager", "ingress-nginx", "velero", "flux-system", "external-dns", "external-secrets"]
+}
+
 # OPA Gatekeeper
 module "opa_gatekeeper" {
   for_each = {
@@ -10,7 +14,7 @@ module "opa_gatekeeper" {
 
   exclude = [
     {
-      excluded_namespaces = ["kube-system", "gatekeeper-system", "cert-manager", "ingress-nginx", "velero", "flux-system", "external-dns", "external-secrets"]
+      excluded_namespaces = local.excluded_namespaces
       processes           = ["*"]
     }
   ]
@@ -134,6 +138,6 @@ module "kyverno" {
 
   source = "../../kubernetes/kyverno"
 
-  namespaces              = [for ns in var.namespaces : ns.name]
+  excluded_namespaces     = local.excluded_namespaces
   create_self_signed_cert = true
 }
diff --git a/modules/kubernetes/kyverno/README.md b/modules/kubernetes/kyverno/README.md
@@ -18,7 +18,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | create\_self\_signed\_cert | If true helm will generate a self signed cert | `bool` | `false` | no |
-| namespaces | Namespaces to apply mutating hooks to | `list(string)` | n/a | yes |
+| excluded\_namespaces | Namespaces to exclude from mutating hooks | `list(string)` | n/a | yes |
 
 ## Outputs
 

diff --git a/modules/kubernetes/kyverno/charts/kyverno-extras/templates/mutating-security-context.yaml b/modules/kubernetes/kyverno/charts/kyverno-extras/templates/mutating-security-context.yaml
@@ -10,7 +10,12 @@ spec:
         resources:
           kinds:
             - Pod
-          namespaces: {{ .Values.namespaces }}
+      exclude:
+        resources:
+          namespaces:
+          {{- range .Values.excludedNamespaces }}
+            - {{ . }}
+          {{- end }}
       mutate:
         patchStrategicMerge:
           spec:

diff --git a/modules/kubernetes/kyverno/charts/kyverno-extras/values.yaml b/modules/kubernetes/kyverno/charts/kyverno-extras/values.yaml
@@ -1 +1 @@
-namespaces: []
+excludedNamespaces: []
diff --git a/modules/kubernetes/kyverno/main.tf b/modules/kubernetes/kyverno/main.tf
@@ -15,7 +15,7 @@ terraform {
 
 locals {
   namespace = "kyverno"
-  version   = "1.2.1"
+  version   = "1.3.0-rc8"
 }
 
 resource "kubernetes_namespace" "this" {
@@ -46,9 +46,5 @@ resource "helm_release" "kyverno_extras" {
   chart     = "${path.module}/charts/kyverno-extras"
   name      = "kyverno-extras"
   namespace = kubernetes_namespace.this.metadata[0].name
-
-  set {
-    name  = "namespaces"
-    value = "{${join(",", var.namespaces)}}"
-  }
+  values    = [templatefile("${path.module}/templates/values.yaml.tpl", { excluded_namespaces = var.excluded_namespaces })]
 }
diff --git a/modules/kubernetes/kyverno/templates/values.yaml.tpl b/modules/kubernetes/kyverno/templates/values.yaml.tpl
@@ -0,0 +1,4 @@
+excludedNamespaces:
+  %{~ for item in excluded_namespaces ~}
+  - "${item}"
+  %{~ endfor ~}
diff --git a/modules/kubernetes/kyverno/variables.tf b/modules/kubernetes/kyverno/variables.tf
@@ -1,5 +1,5 @@
-variable "namespaces" {
-  description = "Namespaces to apply mutating hooks to"
+variable "excluded_namespaces" {
+  description = "Namespaces to exclude from mutating hooks"
   type        = list(string)
 }
 

diff --git a/validation/kubernetes/kyverno/main.tf b/validation/kubernetes/kyverno/main.tf
@@ -29,5 +29,5 @@ module "kyverno" {
     helm = helm
   }
 
-  namespaces = ["foobar"]
+  excluded_namespaces = ["foobar"]
 }