Merge pull request #125 from chipzoller/kyverno-policy-fixes

Updates/fixes Kyverno policies for 1.11+
fluxcd · Mar 1, 2024 · a4f492d · a4f492d
2 parents 8525be1 + dc19e7b
commit a4f492d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/infrastructure/kyverno-policies/verify-flux-images.yaml b/infrastructure/kyverno-policies/verify-flux-images.yaml
@@ -29,6 +29,7 @@ spec:
             - "docker.io/fluxcd/image-reflector-controller:*"
             - "docker.io/fluxcd/image-automation-controller:*"
           mutateDigest: false
+          verifyDigest: false
           attestors:
             - entries:
                 - keyless:

diff --git a/infrastructure/kyverno-policies/verify-git-repositories.yaml b/infrastructure/kyverno-policies/verify-git-repositories.yaml
@@ -9,19 +9,18 @@ spec:
   validationFailureAction: Audit # Change to 'Enforce' once the specific org url is set.
   rules:
     - name: github-repositories-only
-      exclude:
-        resources:
-          namespaces:
-            - flux-system
       match:
         any:
         - resources:
             kinds:
               - GitRepository
+      exclude:
+        any:
+        - resources:
+            namespaces:
+              - flux-system
       validate:
         message: ".spec.url must be from a repository within the organisation X"
-        anyPattern:
-        - spec:
-            url: "https://github.com/fluxcd/?*" # repositories in fluxcd via https
-        - spec:
-            url: "ssh://git@github.com:fluxcd/?*" # repositories in fluxcd via ssh
+        pattern:
+          spec:
+            url: https://github.com/fluxcd/?* | ssh://git@github.com:fluxcd/?*