feat: add namespace selector for skipping admission

Signed-off-by: i502474 <[email protected]>
IBM · Oct 30, 2023 · 3e07003 · 3e07003
1 parent 590a15a
commit 3e07003
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/helm/portieris/templates/webhooks.yaml b/helm/portieris/templates/webhooks.yaml
@@ -67,15 +67,21 @@ webhooks:
     failurePolicy: {{ .Values.webHooks.failurePolicy }}
     sideEffects: None
     admissionReviewVersions: ["v1"]
-    {{ if .Values.AllowAdmissionSkip }}
+    {{- if or (.Values.AllowAdmissionSkip) (.Values.NamespaceSelectorAdmissionSkip) }}
     namespaceSelector:
       matchExpressions:
+      {{- if .Values.AllowAdmissionSkip}}
       - key: securityenforcement.admission.cloud.ibm.com/namespace
         operator: NotIn
         values:
         - skip
-    {{ end }}
+      {{- end }}
+
+      {{- with .Values.NamespaceSelectorAdmissionSkip }}
+{{ toYaml . | indent 6 }}
+      {{- end }}
+    {{- end }}
     {{ if .Values.ObjectSelectorAdmissionSkip }}
     objectSelector:
 {{ toYaml .Values.ObjectSelectorAdmissionSkip | indent 6 }}
-    {{ end }}
+    {{ end }}
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
@@ -109,6 +109,12 @@ ObjectSelectorAdmissionSkip:
     #     values:
     #     - xxxx
 
+NamespaceSelectorAdmissionSkip:
+  #- key: kubernetes.io/metadata.name
+  #  operator: NotIn
+  #  values:
+  #    - kube-system
+
 clusterPolicy:
   allowedRepositories:
     # This permissive policy allows all images in namespaces which do not have an ImagePolicy.