fix: fix pre uds-core package exemptions (#88)

defenseunicorns · May 1, 2024 · 45b1845 · 45b1845
1 parent 6a180b3
commit 45b1845
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 26 deletions.
diff --git a/packages/additional-manifests/pepr-policy-exemptions/metallb-exemptions.yaml b/packages/additional-manifests/pepr-policy-exemptions/metallb-exemptions.yaml
@@ -0,0 +1,22 @@
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+  name: metallb
+  namespace: uds-policy-exemptions
+spec:
+  exemptions:
+    - policies:
+        - DisallowHostNamespaces
+        - DisallowPrivileged
+        - DropAllCapabilities
+        - RequireNonRootUser
+        - RestrictCapabilities
+        - RestrictHostPathWrite
+        - RestrictHostPorts
+        - RestrictVolumeTypes
+      matcher:
+        namespace: metallb-system
+        name: "^speaker-*"
+        kind: pod
+      title: "metallb exemptions"
+      description: "Metallb needs exemptions"
diff --git a/packages/additional-manifests/pepr-policy-exemptions/rook-ceph-exemption.yaml b/packages/additional-manifests/pepr-policy-exemptions/rook-ceph-exemption.yaml
diff --git a/packages/additional-manifests/pepr-policy-exemptions/rook-ceph-exemptions.yaml b/packages/additional-manifests/pepr-policy-exemptions/rook-ceph-exemptions.yaml
@@ -0,0 +1,45 @@
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+  name: rook-ceph
+  namespace: uds-policy-exemptions
+spec:
+  exemptions:
+    - policies:
+        - DisallowHostNamespaces
+        - DisallowPrivileged
+        - DisallowSELinuxOptions
+        - DropAllCapabilities
+        - RequireNonRootUser
+        - RestrictCapabilities
+        - RestrictHostPathWrite
+        - RestrictHostPorts
+        - RestrictProcMount
+        - RestrictSeccomp
+        - RestrictSELinuxType
+        - RestrictVolumeTypes
+      matcher:
+        namespace: rook-ceph
+        name: "^rook-*"
+        kind: pod
+      title: "rook-ceph exemptions"
+      description: "Rook ceph needs exemptions"
+    - policies:
+        - DisallowHostNamespaces
+        - DisallowPrivileged
+        - DisallowSELinuxOptions
+        - DropAllCapabilities
+        - RequireNonRootUser
+        - RestrictCapabilities
+        - RestrictHostPathWrite
+        - RestrictHostPorts
+        - RestrictProcMount
+        - RestrictSeccomp
+        - RestrictSELinuxType
+        - RestrictVolumeTypes
+      matcher:
+        namespace: rook-ceph
+        name: "^csi-*"
+        kind: pod
+      title: "rook-ceph csi exemptions"
+      description: "Rook ceph needs exemptions"
diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml
@@ -29,7 +29,8 @@ components:
     manifests:
       - name: pepr-policy-exemptions
         files:
-          - pepr-policy-exemptions/rook-ceph-exemption.yaml
+          - pepr-policy-exemptions/rook-ceph-exemptions.yaml
+          - pepr-policy-exemptions/metallb-exemptions.yaml
   - name: mattermost-ca-secret
     required: true
     manifests: