The exception-recommender Helm chart creates PolicyExceptionDrafts that can be used as a base for Giant Swarm PolicyExceptions. These drafts are generated from PolicyReports produced by policies in the "Pod Security Standard" category.
Below is an example of a PolicyExceptionDraft generated by the app. This specific draft exempts the my-custom-operator Deployment in the default namespace from the disallow-privilege-escalation and require-run-as-nonroot policies:
```yaml
apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyExceptionDraft
metadata:
  labels:
    app.kubernetes.io/managed-by: exception-recommender
  name: my-custom-operator
  namespace: policy-exceptions
spec:
  policies:
    - disallow-privilege-escalation
    - require-run-as-nonroot
  targets:
    - kind: Deployment
      names:
        - my-custom-operator*
      namespaces:
        - default
```
It's crucial to understand that this object alone does not modify policy behavior. It serves as a preliminary draft for a Giant Swarm PolicyException. To make the exception effective, users must apply a modified version of this object with the Draft suffix removed from the Kind, as shown below:
```yaml
apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyException
metadata:
  labels:
    app.kubernetes.io/managed-by: exception-recommender
  name: my-custom-operator
  namespace: policy-exceptions
spec:
  policies:
    - disallow-privilege-escalation
    - require-run-as-nonroot
  targets:
    - kind: Deployment
      names:
        - my-custom-operator*
      namespaces:
        - default
```
Note: this requires the kyverno-policy-operator to be installed.
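The draft-to-exception step above, as an added shell example (not part of the exception-recommender chart or the Giant Swarm docs): it checks that the input really is a policy.giantswarm.io/v1alpha1 PolicyExceptionDraft, then drops the Draft suffix from the Kind and leaves every other field untouched. The sample draft is constructed inline; the function name and the temp-file handling are this example's own.

```shell
#!/bin/sh
# Added example, not the chart's own code. Converts a PolicyExceptionDraft
# file into a PolicyException on stdout. Only the top-level Kind changes;
# policies, targets and namespaces are copied as-is, so review the targets
# (the generated "*" name suffix is broad) before applying the result.

draft_to_exception() {
    # Refuse anything that is not a PolicyExceptionDraft from the expected API group,
    # so an unrelated manifest is never turned into an exception by accident.
    if ! grep -q '^apiVersion: policy.giantswarm.io/v1alpha1$' "$1" \
        || ! grep -q '^kind: PolicyExceptionDraft$' "$1"; then
        echo "not a policy.giantswarm.io/v1alpha1 PolicyExceptionDraft: $1" >&2
        return 1
    fi
    # Anchored to the top-level Kind only; the nested "- kind: Deployment" target is untouched.
    sed 's/^kind: PolicyExceptionDraft$/kind: PolicyException/' "$1"
}

# Constructed sample draft, matching the one shown above.
DRAFT_FILE="$(mktemp)"
cat > "$DRAFT_FILE" <<'EOF'
apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyExceptionDraft
metadata:
  name: my-custom-operator
  namespace: policy-exceptions
spec:
  policies:
    - disallow-privilege-escalation
    - require-run-as-nonroot
  targets:
    - kind: Deployment
      names:
        - my-custom-operator*
      namespaces:
        - default
EOF

draft_to_exception "$DRAFT_FILE"
# Against a cluster: save the draft first, then review and apply the output, e.g.
#   kubectl get policyexceptiondraft my-custom-operator -n policy-exceptions -o yaml > draft.yaml
#   draft_to_exception draft.yaml | kubectl apply -f -
```

The resulting PolicyException relaxes enforcement for everything its targets match, so narrow the names and namespaces to what the workload actually needs before applying it.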
There are several ways to install this app onto a workload cluster.
- Using GitOps to instantiate the App
- Using our web interface.
- By creating an App resource in the management cluster as explained in Getting started with App Platform.
This is an example of a values file you could upload using our web interface.
```yaml
recommender:
  # Install PolicyExceptionDrafts on the default namespace
  destinationNamespace: "default"
```
See our full reference on how to configure apps for more details.