fix(kyverno): rm hostNetwork & excludeClusterRoles

- also added more webhook objectSelector exclusions
2026-01-27 18:18:26 +00:00 · 2023-11-08 01:57:35 +08:00
parent 70cd8c78f4
commit 138561de14
1 changed files with 8 additions and 3 deletions
--- a/kube/deploy/core/kyverno/app/hr.yaml
+++ b/kube/deploy/core/kyverno/app/hr.yaml
@@ -22,19 +22,24 @@ spec:
      ingress.home.arpa/host: "allow"
      ingress.home.arpa/apiserver: "allow"
      egress.home.arpa/apiserver: "allow"
+      egress.home.arpa/host: "allow"
    config:
-      excludeClusterRoles: ["cluster-admin"] # default kubeconfig cluster-admin role keeps getting locked out from `watch` operations like `k9s`
      webhooks:
        - objectSelector:
            matchExpressions:
+              - key: "kyverno.home.arpa/exclude"
+                operator: "DoesNotExist"
              - key: "kubernetes.io/hostname"
                operator: "DoesNotExist"
+              - key: "kubernetes.io/bootstrapping"
+                operator: "NotIn"
+                value: "rbac-defaults"
    admissionController:
      replicas: 3
      priorityClassName: "system-node-critical"
      apiPriorityAndFairness: true
-      hostNetwork: true
-      dnsPolicy: "ClusterFirstWithHostNet"
+      # hostNetwork: true
+      # dnsPolicy: "ClusterFirstWithHostNet"
      tolerations:
        - key: "node-role.kubernetes.io/control-plane"
          operator: "Exists"