Comments (4)
Does it have to do with excluding the namespace that the clone secret is derived from?
Yes, almost certainly.
from policies.
the problem I'm trying to solve by excluding the namespace where the clone secret is is that Kyverno does not own the clone secret and it should not try to write to that namespace.
Is there another way besides rules.exclude
to tell the below policy to ignore updates to the cloned secret's namespace?
namespace: "{{ request.object.metadata.name }}"
An obvious workaround is to name the copy of the secret something else (i.e. wildcard-copy) but that's logistically complicated.
from policies.
kube-system
is excluded in webhooks by default, therefore whether it's listed in the exclude
block in this policy is irrelevant. Kyverno must be able to "see" admission events on clone sources, and with it being excluded in the webhook this isn't possible. You can change the webhook exclusions either during install or on day2 by modifying Kyverno's ConfigMap.
from policies.
Thanks! Please close, I've redirected this as a documentation fix. Appreciate the help!
from policies.
Related Issues (20)
- [Enhancement]: Replace enforce/audit (deprecated) with Enforce/Audit on sample policies HOT 1
- [Bug] ClusterPolicy with PolicyException does not apply on subsequent updates
- Block Large Images
- [Sample] Mount volumes for ephemeral containers HOT 1
- disallow-capabilities: simplify CEL expressions
- disallow-host-namespaces: simplify CEL expressions
- disallow-host-path: simplify CEL expressions
- disallow-host-ports: simplify CEL expressions
- disallow-host-ports-range: simplify CEL expressions
- disallow-host-process: simplify CEL expressions
- disallow-privileged-containers: simplify CEL expressions HOT 3
- disallow-proc-mount: simplify CEL expressions HOT 2
- disallow-selinux: simplify CEL expressions
- restrict-seccomp: simplify CEL expressions
- restrict-sysctls: simplify CEL expressions
- All tested images to be stored in Kyverno org HOT 2
- Custom message not working in podSecurity subrule policy HOT 2
- [Bug] Generating network policy for existing namespace fails. As well as data template synchronization. HOT 3
- Refresh Environment Variables in Pods HOT 4
- [Bug] Kyverno verifyimage policy does'nt working correctly HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policies.