Merge pull request #110 from Pro/fix-kyverno

loosen kyverno policies due to #107
fluxcd · Jun 29, 2023 · ad1f1b2 · ad1f1b2
2 parents 4eb6299 + 5938ad4
commit ad1f1b2
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/infrastructure/kyverno-policies/verify-flux-images.yaml b/infrastructure/kyverno-policies/verify-flux-images.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: verify-flux-images
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Audit
   background: false
   webhookTimeoutSeconds: 30
   failurePolicy: Fail
@@ -28,6 +28,7 @@ spec:
             - "docker.io/fluxcd/notification-controller:*"
             - "docker.io/fluxcd/image-reflector-controller:*"
             - "docker.io/fluxcd/image-automation-controller:*"
+          mutateDigest: false
           attestors:
             - entries:
                 - keyless:

diff --git a/infrastructure/kyverno-policies/verify-git-repositories.yaml b/infrastructure/kyverno-policies/verify-git-repositories.yaml
@@ -6,7 +6,7 @@ spec:
   # This provides users a working example of how an admin
   # would be able to enforce git repository sources across
   # all tenants.
-  validationFailureAction: audit # Change to 'enforce' once the specific org url is set.
+  validationFailureAction: Audit # Change to 'Enforce' once the specific org url is set.
   rules:
     - name: github-repositories-only
       exclude: