add kyverno to staging #5203
add kyverno to staging #5203
Conversation
argo-cd-apps/base/member/infra-deployments/kyverno/kyverno.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
There are some Notes on using ArgoCD. If I'm getting it correctly, we should either enable Replace in the syncOptions, and probably ignore diff in aggregated cluster roles or use server side apply.
Also, to avoid ArgoCD's Dasbhoard to be polluted with Kyverno's reports, we should tell ArgoCD to ignore reports globally by adding them under the resource.exclusions stanza in the ArgoCD ConfigMap.
There was a problem hiding this comment.
Fixed in ed5b523.
Do you know where the configmap is controlled or if it can be overridden by infra-deployments? I see an owner reference to argocd on the live versions of it (probably from the helm chart behind openshift-gitops), but I don't find a reference to it in this repository.
There was a problem hiding this comment.
I'm not sure about it. @hugares @manish-jangra @bamachrn can you help here?
There was a problem hiding this comment.
I did not have time to look into this but the replace sync option is at the ArgoCD applications level so in infra-deployments. For the other "resource.exclusions", is it possible to also configure this at application level rather that globally?
There was a problem hiding this comment.
Filed https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/129507 for staging, will file a separate MR for prod. Local testing by both @filariow and myself seemed to indicate that this will be safe to add, even to clusters that won't have kyverno installed.
I didn't come across a way to do resource exclusions on a per-application basis.
Signed-off-by: Andy Sadler <[email protected]>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dperaza4dustbit, filariow, sadlerap The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Kyverno policies will be added in a future PR.