Update README (#18)
fhielpos authored Oct 5, 2023
1 parent ee701fe commit 85cfa72
Showing 1 changed file with 52 additions and 1 deletion.
53 changes: 52 additions & 1 deletion README.md
@@ -1,6 +1,57 @@
[![CircleCI](https://dl.circleci.com/status-badge/img/gh/giantswarm/exception-recommender/tree/main.svg?style=svg)](https://dl.circleci.com/status-badge/redirect/gh/giantswarm/exception-recommender/tree/main)

# exception-recommender chart

The `exception-recommender` Helm chart creates PolicyExceptionDrafts that can be used as a base model for Kyverno PolicyExceptions. The Drafts are created from PolicyReports for the "Pod Security Standard" Policy categories.
The `exception-recommender` Helm chart creates PolicyExceptionDrafts that can be used as a base model for Giant Swarm PolicyExceptions. These drafts are generated based on PolicyReports within the "Pod Security Standard" Policy categories.

### PolicyExceptionDraft example

Below is an example of a generated PolicyExceptionDraft generated by the app. This specific draft exempts the `my-custom-operator` Deployment in the `default` namespace from the `disallow-privilege-escalation` and `require-run-as-nonroot policies`:

```yaml
apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyExceptionDraft
metadata:
labels:
app.kubernetes.io/managed-by: exception-recommender
name: my-custom-operator
namespace: policy-exceptions
spec:
policies:
- disallow-privilege-escalation
- require-run-as-nonroot
targets:
- kind: Deployment
names:
- my-custom-operator*
namespaces:
- default
```
It's crucial to understand that this object alone does not modify policy behavior. It serves as a preliminary draft for a Giant Swarm PolicyException. To make this exception effective, users must apply a modified version of this object, removing the `Draft` suffix from the Kind, as shown below:

### Resulting Giant Swarm PolicyException
```yaml
apiVersion: policy.giantswarm.io/v1alpha1
kind: PolicyException
metadata:
labels:
app.kubernetes.io/managed-by: exception-recommender
name: my-custom-operator
namespace: policy-exceptions
spec:
policies:
- disallow-privilege-escalation
- require-run-as-nonroot
targets:
- kind: Deployment
names:
- my-custom-operator*
namespaces:
- default
```

**Note:** This requires to have [kyverno-policy-operator](https://github.com/giantswarm/kyverno-policy-operator/) installed

## Installing

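Review bot: the example paragraph under "PolicyExceptionDraft example" says the draft exempts the `my-custom-operator` Deployment, but the generated `names` entry is the glob `my-custom-operator*`, which also matches any Deployment in `default` whose name merely starts with that prefix; the README should state that generated drafts use a prefix wildcard and advise users to narrow `names` to the exact resource before promoting the draft to a PolicyException, since the resulting object switches off `disallow-privilege-escalation` and `require-run-as-nonroot` for everything the pattern matches. Two smaller fixes in the same hunk: the closing backtick in that paragraph is misplaced (`require-run-as-nonroot policies` should read `require-run-as-nonroot` policies), and the **Note:** line would read better as "This requires [kyverno-policy-operator](https://github.com/giantswarm/kyverno-policy-operator/) to be installed", ideally followed by a clause saying why the operator is needed.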

0 comments on commit 85cfa72
