stacks/kyverno-integration/modules/enforce/exceptions/argocd.yaml

apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
  name: argocd-cnoe-operation
  namespace: kyverno
spec:
  exceptions:
  - policyName: disallow-privilege-escalation
    ruleNames:
    - privilege-escalation
    - autogen-privilege-escalation
  - policyName: disallow-capabilities-strict
    ruleNames:
    - require-drop-all
    - autogen-require-drop-all
  - policyName: require-run-as-nonroot
    ruleNames:
    - run-as-non-root
    - autogen-run-as-non-root
  - policyName: restrict-seccomp-strict
    ruleNames:
    - check-seccomp-strict
    - autogen-check-seccomp-strict
  match:
    any:
    - resources:
        kinds:
        - Pod
        - Deployment
        - ReplicaSet
        namespaces:
        - argocd
        names:
        # TODO: this should be more targeted than blanket *
        - argocd-*
Stack: Kyverno (#38) Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com> 2024-10-02 13:40:04 +00:00			`apiVersion: kyverno.io/v2beta1`
			`kind: PolicyException`
			`metadata:`
			`name: argocd-cnoe-operation`
			`namespace: kyverno`
			`spec:`
			`exceptions:`
			`- policyName: disallow-privilege-escalation`
			`ruleNames:`
			`- privilege-escalation`
			`- autogen-privilege-escalation`
			`- policyName: disallow-capabilities-strict`
			`ruleNames:`
			`- require-drop-all`
			`- autogen-require-drop-all`
			`- policyName: require-run-as-nonroot`
			`ruleNames:`
			`- run-as-non-root`
			`- autogen-run-as-non-root`
			`- policyName: restrict-seccomp-strict`
			`ruleNames:`
			`- check-seccomp-strict`
			`- autogen-check-seccomp-strict`
			`match:`
			`any:`
			`- resources:`
			`kinds:`
			`- Pod`
			`- Deployment`
			`- ReplicaSet`
			`namespaces:`
			`- argocd`
			`names:`
			`# TODO: this should be more targeted than blanket *`
			`- argocd-*`