diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego
index c159a8567e0..c36f840dde4 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego
@@ -57,11 +57,13 @@ is_priv_namespace(ns) = true {
 }
 exempted_user = {
+ "system:kube-controller-manager",
 "system:admin" # comment out temporarily for testing in console
 }
 exempted_groups = {
 # "system:cluster-admins", # dont allow kube:admin
+ "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
 "system:serviceaccounts", # to allow all system service account?
 # "system:serviceaccounts:openshift-monitoring", # monitoring operator
 # "system:serviceaccounts:openshift-network-operator", # network operator
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-host-mount.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-host-mount.yaml
index 609dadfd722..07118630550 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-host-mount.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-host-mount.yaml
@@ -165,11 +165,13 @@ spec:
 }
 exempted_user = {
+ "system:kube-controller-manager",
 "system:admin" # comment out temporarily for testing in console
 }
 exempted_groups = {
 # "system:cluster-admins", # dont allow kube:admin
+ "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
 "system:serviceaccounts", # to allow all system service account?
 # "system:serviceaccounts:openshift-monitoring", # monitoring operator
 # "system:serviceaccounts:openshift-network-operator", # network operator
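Review bot: Adding `system:nodes` to `exempted_groups` exempts every identity holding a kubelet client certificate from every policy that imports this library, and the comment on that line only shows a sample username rather than the reason the exemption is needed. If the motivation is that kubelets create mirror pods for static pods (which carry host mounts, master tolerations and live in privileged namespaces), say so, and consider having the rule that consumes this set exempt only mirror-pod requests (the `kubernetes.io/config.mirror` annotation) instead of the whole group; that rule is outside this hunk, so I cannot see whether it already narrows by resource. The new `system:kube-controller-manager` entry in `exempted_user` also deserves a comment naming which requests arrive under that identity, since controllers running with per-controller service accounts authenticate as `system:serviceaccount:kube-system:*` and are already covered by the existing `system:serviceaccounts` group. A one-line rationale such as `"system:nodes", # kubelets: mirror pods for static pods must not be denied` would make this widening auditable later.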
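Review bot: With `system:nodes` in `exempted_groups`, any pod request authenticated as a kubelet is no longer checked for host mounts by this template, for worker nodes as much as masters. That is only as safe as the NodeRestriction admission plugin, which (as I understand it) confines a kubelet to creating mirror pods bound to its own node; if that plugin were ever disabled, a single compromised worker credential could admit hostPath pods that this guardrail exists to block. Worth recording that dependency next to the line, e.g. `"system:nodes", # kubelets (mirror pods for static pods); relies on NodeRestriction bounding what a node may create`. The `violation` rule that consumes these sets is outside the hunk, so I cannot confirm whether it additionally narrows by namespace.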
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
index cfa0f731ba1..50acae29296 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
@@ -105,11 +105,13 @@ spec:
 }
 exempted_user = {
+ "system:kube-controller-manager",
 "system:admin" # comment out temporarily for testing in console
 }
 exempted_groups = {
 # "system:cluster-admins", # dont allow kube:admin
+ "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
 "system:serviceaccounts", # to allow all system service account?
 # "system:serviceaccounts:openshift-monitoring", # monitoring operator
 # "system:serviceaccounts:openshift-network-operator", # network operator
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
index bd6001bfc09..2422a91a4b7 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
@@ -95,11 +95,13 @@ spec:
 }
 exempted_user = {
+ "system:kube-controller-manager",
 "system:admin" # comment out temporarily for testing in console
 }
 exempted_groups = {
 # "system:cluster-admins", # dont allow kube:admin
+ "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
 "system:serviceaccounts", # to allow all system service account?
 # "system:serviceaccounts:openshift-monitoring", # monitoring operator
 # "system:serviceaccounts:openshift-network-operator", # network operator
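Review bot: The exemption sets edited here are now an identical copy in four places (the library under `gktemplates-src/library/common.rego` and the three templates under `gktemplates/` in this diff), so a future tightening applied to only one copy would silently leave the other policies permissive. If the templates are generated from the source directory, as the directory names suggest, the commit message should say that these lines came from regeneration rather than hand-editing; if they are hand-maintained, a one-line comment above `exempted_user = {` such as `# keep in sync with gktemplates-src/library/common.rego` would at least point maintainers at the authoritative copy. The surrounding `rego: |` block and the rules that read these sets start and end outside this hunk.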