exception-recommender

command module

v0.1.1 Latest Latest Go to latest Published: Feb 7, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/giantswarm/exception-recommender

Links

Open Source Insights

README ¶

exception-recommender chart

The exception-recommender Helm chart creates PolicyExceptionDrafts that can be used as a base model for Giant Swarm PolicyExceptions. These drafts are generated based on PolicyReports within the "Pod Security Standard" Policy categories.

PolicyExceptionDraft example

Below is an example of a generated PolicyExceptionDraft generated by the app. This specific draft exempts the my-custom-operator Deployment in the default namespace from the disallow-privilege-escalation and require-run-as-nonroot policies:

apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyExceptionDraft
metadata:
  labels:
    app.kubernetes.io/managed-by: exception-recommender
  name: my-custom-operator
  namespace: policy-exceptions
spec:
  policies:
  - disallow-privilege-escalation
  - require-run-as-nonroot
  targets:
  - kind: Deployment
    names:
    - my-custom-operator*
    namespaces:
    - default

It's crucial to understand that this object alone does not modify policy behavior. It serves as a preliminary draft for a Giant Swarm PolicyException. To make this exception effective, users must apply a modified version of this object, removing the Draft suffix from the Kind, as shown below:

Resulting Giant Swarm PolicyException

apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyException
metadata:
  labels:
    app.kubernetes.io/managed-by: exception-recommender
  name: my-custom-operator
  namespace: policy-exceptions
spec:
  policies:
  - disallow-privilege-escalation
  - require-run-as-nonroot
  targets:
  - kind: Deployment
    names:
    - my-custom-operator*
    namespaces:
    - default

Note: This requires to have kyverno-policy-operator installed

Installing

There are several ways to install this app onto a workload cluster.

Using GitOps to instantiate the App
Using our web interface.
By creating an App resource in the management cluster as explained in Getting started with App Platform.

Configuring

values.yaml

This is an example of a values file you could upload using our web interface.

recommender:
  # Install PolicyExceptionDrafts on the default namespace
  destinationNamespace: "default"

See our full reference on how to configure apps for more details.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
api
v1alpha1 Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group +kubebuilder:object:generate=true +groupName=policy.giantswarm.io	Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group +kubebuilder:object:generate=true +groupName=policy.giantswarm.io
internal
controller

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL