Open p1-bot-repo-sync[bot] opened 1 month ago
Looking at this the template and value will be called "additional-policyexceptions" to match with "additional-policies" value and template. Existing policy exceptions will also not be consolidated into the key. The request to make future exceptions to be more easily added.
Feature Request
Why
Although Kyverno policies contain multiple methods to provide fine-grained control as to which resources they act upon, usually in the form of match/exclude blocks, preconditions at multiple hierarchies, anchors, and more, All these mechanisms have in common that the resources which they are intended to exclude must occur in the same rule definition. This may be limiting in situations where policies may not be directly editable, or doing so imposes an operational burden.
For example, in organizations where multiple teams must interact with the same cluster, a team responsible for policy authoring and administration may not be the same team responsible for submission of resources. In these cases, it can be advantageous to decouple the policy definition from certain exclusions. Additionally, there are often times where an organization or team must allow certain exceptions which would violate otherwise valid rules but on a one-time basis if the risks are known and acceptable.
What is the use case for the feature you are requesting? What are you trying to solve?
Imagine a validate policy exists in Enforce mode which mandates all Pods must not mount host namespaces. A separate team has a legitimate need to run a specific tool in this cluster for a limited time which violates this policy. Normally, the policy would block such a “bad” Pod if the policy was not previously altered in such a way to allow said Pod to run. Rather than making adjustments to the policy, an exception may be granted.
The more detail here the better!
Proposed Solution
If possible, provide details on the proposed solution.
Add a new key called top level key called policy exceptions in values
Add a new template called policyexceptions.yaml
If your proposed solution changes the existing behavior of a feature, please outline why your approach is recommended/better.