white list more user and group

Azure · Jul 4, 2023 · 90db317 · 90db317
1 parent 810c14f
commit 90db317
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego
@@ -57,11 +57,13 @@ is_priv_namespace(ns) = true {
 }
 
 exempted_user = {
+  "system:kube-controller-manager",
   "system:admin" # comment out temporarily for testing in console
 }
 
 exempted_groups = {
   # "system:cluster-admins", # dont allow kube:admin
+  "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
   "system:serviceaccounts", # to allow all system service account?
   # "system:serviceaccounts:openshift-monitoring", # monitoring operator
   # "system:serviceaccounts:openshift-network-operator", # network operator

diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-host-mount.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-host-mount.yaml
@@ -165,11 +165,13 @@ spec:
           }
 
           exempted_user = {
+            "system:kube-controller-manager",
             "system:admin" # comment out temporarily for testing in console
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
+            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
             "system:serviceaccounts", # to allow all system service account?
             # "system:serviceaccounts:openshift-monitoring", # monitoring operator
             # "system:serviceaccounts:openshift-network-operator", # network operator

diff --git a/...erator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml b/...erator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
@@ -105,11 +105,13 @@ spec:
           }
 
           exempted_user = {
+            "system:kube-controller-manager",
             "system:admin" # comment out temporarily for testing in console
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
+            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
             "system:serviceaccounts", # to allow all system service account?
             # "system:serviceaccounts:openshift-monitoring", # monitoring operator
             # "system:serviceaccounts:openshift-network-operator", # network operator

diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
@@ -95,11 +95,13 @@ spec:
           }
 
           exempted_user = {
+            "system:kube-controller-manager",
             "system:admin" # comment out temporarily for testing in console
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
+            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
             "system:serviceaccounts", # to allow all system service account?
             # "system:serviceaccounts:openshift-monitoring", # monitoring operator
             # "system:serviceaccounts:openshift-network-operator", # network operator