Skip to content

Add kyverno policy enforcement #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rmvangun merged 1 commit into from
Feb 5, 2025
Merged

Add kyverno policy enforcement #94

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions contexts/default/blueprint.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,30 +17,45 @@ terraform:
- path: cluster/talos
- path: gitops/flux
kustomize:
- name: policy-base
path: policy/base
components:
- kyverno
- name: policy-resources
path: policy/resources
dependsOn:
- policy-base
- name: pki-base
path: pki/base
dependsOn:
- policy-resources
components:
- cert-manager
- name: pki-resources
path: pki/resources
dependsOn:
- pki-base
- policy-resources
components:
- public-issuer/selfsigned
- name: lb-base
path: lb/base
dependsOn:
- policy-resources
components:
- metallb
- name: lb-resources
path: lb/resources
dependsOn:
- lb-base
- policy-resources
components:
- metallb/layer2
- name: ingress-base
path: ingress/base
dependsOn:
- pki-resources
- policy-resources
components:
- nginx
- nginx/nodeport-web
Expand All @@ -49,5 +64,6 @@ kustomize:
path: gitops/flux
dependsOn:
- ingress-base
- policy-resources
components:
- webhook
2 changes: 2 additions & 0 deletions kustomize/policy/base/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- namespace.yaml
17 changes: 17 additions & 0 deletions kustomize/policy/base/kyverno/helm-release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: kyverno
namespace: system-policy
spec:
interval: 5m
timeout: 5m
chart:
spec:
chart: kyverno
# renovate: datasource=helm depName=kyverno package=kyverno helmRepo=https://kyverno.github.io/kyverno/
version: 3.2.7
sourceRef:
kind: HelmRepository
name: kyverno
namespace: system-gitops
10 changes: 10 additions & 0 deletions kustomize/policy/base/kyverno/helm-repository.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: kyverno
namespace: system-gitops
spec:
interval: 10m
timeout: 3m
url: https://kyverno.github.io/kyverno
5 changes: 5 additions & 0 deletions kustomize/policy/base/kyverno/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
- helm-repository.yaml
- helm-release.yaml
9 changes: 9 additions & 0 deletions kustomize/policy/base/namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: system-policy
labels:
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/audit: baseline
pod-security.kubernetes.io/warn: baseline
1 change: 1 addition & 0 deletions kustomize/policy/resources/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
resources: []
29 changes: 29 additions & 0 deletions kustomize/policy/resources/kyverno/basic/cluster-policies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: audit-resource-limits-requests
spec:
validationFailureAction: audit
background: false
rules:
- name: check-resource-limits-requests
match:
resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.namespace}}"
operator: NotEquals
value: "kube-system"
validate:
message: "Resource limits and requests must be set on all containers."
anyPattern:
- spec:
containers:
- resources:
requests:
memory: "?*"
cpu: "?*"
limits:
memory: "?*"
4 changes: 4 additions & 0 deletions kustomize/policy/resources/kyverno/basic/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
- cluster-policies.yaml
3 changes: 3 additions & 0 deletions kustomize/policy/resources/kyverno/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources: []
Loading