Exclude base image validation in kube-system

mikkeloscar · mikkeloscar · commit e22b422d5aa3 · 2025-04-03T13:28:35.000+02:00
Signed-off-by: Mikkel Oscar Lyderik Larsen &lt;mikkel.larsen@zalando.de&gt;
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -609,6 +609,7 @@ kubelet_image_gc_low_threshold: 40
 {{if eq .Cluster.Environment "production"}}
 teapot_admission_controller_validate_application_label: "true"
 teapot_admission_controller_validate_base_images: "true"
+teapot_admission_controller_validate_base_images_namespaces: "^kube-system$"
 
 # Check container image compliance in production clusters. Be careful when thinking about changing this: Setting it to
 # false will allow any container image to run in production clusters.
@@ -629,7 +630,8 @@ teapot_admission_controller_namespace_delete_protection_enabled: "true"
 teapot_admission_controller_postgresql_owning_application_check_enabled: "true"
 {{else if eq .Cluster.Environment "e2e"}}
 teapot_admission_controller_validate_application_label: "false"
-teapot_admission_controller_validate_base_images: "false"
+teapot_admission_controller_validate_base_images: "true"
+teapot_admission_controller_validate_base_images_namespaces: "^kube-system|((downward-api|kubectl|projected|statefulset|pod-network|scope-selectors|resourcequota|limitrange|sysctl|node-tests|e2e-kubelet-etc-hosts|csiinlinevolumes|job|dns)-.*)$"
 
 # Check container image compliance in e2e clusters. There are some exceptions to allow the e2e test suite to run.
 teapot_admission_controller_validate_pod_images: "true"
