From 39d7d238549f7d5355f4e672f2092811e7230611 Mon Sep 17 00:00:00 2001
From: Zach Stone
Date: Fri, 20 Dec 2024 14:35:14 -0500
Subject: [PATCH] Kyverno policy exception
---
.../templates/_helpers.tpl | 14 ++++++++
.../templates/kyverno-policy-exception.yaml | 33 +++++++++++++++++++
2 files changed, 47 insertions(+)
create mode 100644 helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml
diff --git a/helm/1password-scim-bridge/templates/_helpers.tpl b/helm/1password-scim-bridge/templates/_helpers.tpl
index c371db9..e7decd4 100644
--- a/helm/1password-scim-bridge/templates/_helpers.tpl
+++ b/helm/1password-scim-bridge/templates/_helpers.tpl
@@ -35,3 +35,17 @@ giantswarm.io/managed-by: {{ .Release.Name | quote }}
 giantswarm.io/service-type: {{ .Values.serviceType }}
 helm.sh/chart: {{ include "chart" . | quote }}
 {{- end -}}
+
+{{/*
+Name used by Giant Swarm-specific helpers for this App.
+*/}}
+{{- define "onepassword-scim-bridge-helpers.name" -}}
+{{ include "name" . | quote }}
+{{- end -}}
+
+{{/*
+Labels used by Giant Swarm-specific helpers for this App.
+*/}}
+{{- define "onepassword-scim-bridge-helpers.labels" -}}
+{{ include "labels.common" . }}
+{{- end -}}
diff --git a/helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml b/helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml
new file mode 100644
index 0000000..e7d8b63
--- /dev/null
+++ b/helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml
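Review bot: The new `onepassword-scim-bridge-helpers.name` helper returns the name already wrapped by `quote`, and its only caller in this patch (kyverno-policy-exception.yaml) appends a suffix to it, `name: {{ include "onepassword-scim-bridge-helpers.name" . }}-exception`, which renders as `name: "onepassword-scim-bridge"-exception` — a double-quoted scalar followed by trailing characters, which the YAML parser rejects. Either drop the quoting in the helper, `{{ include "name" . }}`, and quote at the call sites, or keep the helper as is and build the suffixed name at the call site with `name: {{ printf "%s-exception" (include "name" .) | quote }}`. Because the template is wrapped in `{{- if .Values.kyvernoPolicyExceptions.enabled }}`, the render failure would stay hidden until that value is switched on if it defaults to false.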
@@ -0,0 +1,33 @@
+{{- if .Values.kyvernoPolicyExceptions.enabled }}
+{{- if .Capabilities.APIVersions.Has "kyverno.io/v2/PolicyException" }}
+apiVersion: kyverno.io/v2
+{{- else}}
+apiVersion: kyverno.io/v2beta1
+{{- end }}
+kind: PolicyException
+metadata:
+ name: {{ include "onepassword-scim-bridge-helpers.name" . }}-exception
+ namespace: {{ .Values.kyvernoPolicyExceptions.namespace | default .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ labels:
+ {{ include "onepassword-scim-bridge-helpers.labels" . | nindent 4 }}
+spec:
+ exceptions:
+ - policyName: require-run-as-nonroot
+ ruleNames:
+ - autogen-run-as-non-root
+ - run-as-non-root
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - ReplicaSet
+ - Pod
+ namespaces:
+ - {{ .Release.Namespace }}
+ names:
+ - "onepassword-scim-bridge*"
+---
+{{- end }}
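Review bot: The `helm.sh/hook` annotation turns this PolicyException into a hook resource, which Helm does not track as part of the release, so on uninstall it is left behind and keeps exempting any later `onepassword-scim-bridge*` workload in that namespace from `require-run-as-nonroot`; no hook-delete-policy removes a hook on uninstall without also removing it right after install, so either drop the hook annotation if ordering relative to the Deployment does not require it, or document the residual exception in the chart README. The namespace scalars on the `namespace:` line and the `- {{ .Release.Namespace }}` entry are unquoted; a namespace named e.g. `no` or an all-digit one would be typed as a boolean or int by the YAML parser, so render both with `| quote`. The `names` entry is a hard-coded `"onepassword-scim-bridge*"` while the exception's own name goes through the `name` helper; if that helper honours a name override, workloads under an overridden name would fall outside the match, which is worth confirming against the chart's Deployment name.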