added openshift-ovn-kubernetes ns

yjst2012 · yjst2012 · commit cadb15a921f4 · 2025-03-04T16:39:06.000+13:00
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego
@@ -59,17 +59,14 @@ is_priv_namespace(ns) = true {
 exempted_user = {
   "system:kube-controller-manager",
   "system:kube-scheduler",
-  "system:admin" # comment out temporarily for testing in console
+  "system:admin"
 }
 
 exempted_groups = {
   # "system:cluster-admins", # dont allow kube:admin
-  "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-  "system:serviceaccounts", # to allow all system service account?
-  # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-  # "system:serviceaccounts:openshift-network-operator", # network operator
-  # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-  "system:masters" # system:admin
+  "system:nodes",
+  "system:serviceaccounts", # allow all system service accounts
+  "system:masters"
 }
 privileged_ns = {
   # Kubernetes specific namespaces
@@ -116,7 +113,8 @@ privileged_ns = {
   "openshift-multus",
   "openshift-network-operator",
   "openshift-oauth-apiserver",
+  "openshift-ovn-kubernetes",
+  "openshift-sdn",
   "openshift-service-ca",
-  "openshift-service-ca-operator",
-  "openshift-sdn"
+  "openshift-service-ca-operator"
 }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-delete-pull-secret.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-delete-pull-secret.yaml
@@ -87,17 +87,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -144,7 +141,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml
@@ -92,17 +92,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -149,7 +146,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
@@ -111,17 +111,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -168,7 +165,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
@@ -109,17 +109,14 @@ spec:
           exempted_user = {
             "system:kube-controller-manager",
             "system:kube-scheduler",
-            "system:admin" # comment out temporarily for testing in console
+            "system:admin"
           }
 
           exempted_groups = {
             # "system:cluster-admins", # dont allow kube:admin
-            "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
-            "system:serviceaccounts", # to allow all system service account?
-            # "system:serviceaccounts:openshift-monitoring", # monitoring operator
-            # "system:serviceaccounts:openshift-network-operator", # network operator
-            # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
-            "system:masters" # system:admin
+            "system:nodes",
+            "system:serviceaccounts", # allow all system service accounts
+            "system:masters"
           }
           privileged_ns = {
             # Kubernetes specific namespaces
@@ -166,7 +163,8 @@ spec:
             "openshift-multus",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
+            "openshift-ovn-kubernetes",
+            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator",
-            "openshift-sdn"
+            "openshift-service-ca-operator"
           }
