Merge commit 'fe564d72279f4ab061b961dd528623f0ed272667' as 'cluster-config'
This commit is contained in:
23
cluster-config/components/kyverno/base/kustomization.yaml
Normal file
23
cluster-config/components/kyverno/base/kustomization.yaml
Normal file
@@ -0,0 +1,23 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: kyverno
|
||||
version: 3.0.5
|
||||
repo: https://kyverno.github.io/kyverno/
|
||||
valuesFile: values.yaml
|
||||
namespace: kyverno
|
||||
releaseName: kyverno
|
||||
|
||||
# Delete kyverno PDB, not useful on SNO
|
||||
patches:
|
||||
- patch: |-
|
||||
$patch: delete
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: kyverno-admission-controller
|
||||
namespace: kyverno
|
||||
7
cluster-config/components/kyverno/base/namespace.yaml
Normal file
7
cluster-config/components/kyverno/base/namespace.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
annotations:
|
||||
openshift.io/description: Kyverno Policy Engine
|
||||
openshift.io/display-name: Kyverno
|
||||
name: kyverno
|
||||
269
cluster-config/components/kyverno/base/values.yaml
Normal file
269
cluster-config/components/kyverno/base/values.yaml
Normal file
@@ -0,0 +1,269 @@
|
||||
admissionController:
|
||||
replicas: 3
|
||||
antiAffinity:
|
||||
# anti-affinity won't work on SNO
|
||||
enabled: false
|
||||
resources:
|
||||
limits:
|
||||
memory: 512Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
|
||||
backgroundController:
|
||||
replicas: 1
|
||||
antiAffinity:
|
||||
# anti-affinity won't work on SNO
|
||||
enabled: false
|
||||
|
||||
cleanupController:
|
||||
replicas: 1
|
||||
antiAffinity:
|
||||
# anti-affinity won't work on SNO
|
||||
enabled: false
|
||||
resources:
|
||||
limits:
|
||||
memory: 256Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
|
||||
reportsController:
|
||||
replicas: 1
|
||||
antiAffinity:
|
||||
# anti-affinity won't work on SNO
|
||||
enabled: false
|
||||
resources:
|
||||
limits:
|
||||
memory: 256Mi
|
||||
cpu: 4000m
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
|
||||
crds:
|
||||
install: true
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: Validate=false,ServerSideApply=true
|
||||
|
||||
apiVersionOverride:
|
||||
podDisruptionBudget: policy/v1
|
||||
|
||||
config:
|
||||
resourceFilters:
|
||||
- '[Event,*,*]'
|
||||
- '[*/*,default,*]'
|
||||
- '[*/*,kube-system,*]'
|
||||
- '[*/*,kube-public,*]'
|
||||
- '[*/*,kube-node-lease,*]'
|
||||
- '[*/*,openshift,*]'
|
||||
- '[*/*, openshift-*, *]'
|
||||
- '[*/*,open-cluster-*,*]'
|
||||
- '[*/*,hive,*]'
|
||||
- '[*/*, multicluster-engine,*]'
|
||||
- '[*/*,stackrox,*]'
|
||||
- '[*/*,rhacs-operator,*]'
|
||||
- '[*/*,costmanagement-metrics-operator,*]'
|
||||
- '[Node,*,*]'
|
||||
- '[Node/*,*,*]'
|
||||
- '[APIService,*,*]'
|
||||
- '[APIService/*,*,*]'
|
||||
- '[TokenReview,*,*]'
|
||||
- '[SubjectAccessReview,*,*]'
|
||||
- '[SelfSubjectAccessReview,*,*]'
|
||||
- '[Binding,*,*]'
|
||||
- '[Pod/binding,*,*]'
|
||||
- '[ReplicaSet,*,*]'
|
||||
- '[ReplicaSet/*,*,*]'
|
||||
- '[AdmissionReport,*,*]'
|
||||
- '[AdmissionReport/*,*,*]'
|
||||
- '[ClusterAdmissionReport,*,*]'
|
||||
- '[ClusterAdmissionReport/*,*,*]'
|
||||
- '[BackgroundScanReport,*,*]'
|
||||
- '[BackgroundScanReport/*,*,*]'
|
||||
- '[ClusterBackgroundScanReport,*,*]'
|
||||
- '[ClusterBackgroundScanReport/*,*,*]'
|
||||
# exclude resources from the chart
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||
|
||||
webhooks:
|
||||
# Exclude namespaces
|
||||
- namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/metadata.name
|
||||
operator: NotIn
|
||||
values:
|
||||
# System namespaces
|
||||
- default
|
||||
- kyverno
|
||||
- kube-system
|
||||
- kube-node-lease
|
||||
# OpenShift layered products
|
||||
- assisted-installer
|
||||
- cert-manager
|
||||
- cert-manager-operator
|
||||
- stackrox
|
||||
- stackrox-secured-cluster-service
|
||||
- rhacs-operator
|
||||
- multicluster-engine
|
||||
- open-cluster-management
|
||||
- open-cluster-management-hub
|
||||
- open-cluster-management-observability
|
||||
- open-cluster-management-addon-observability
|
||||
- open-cluster-management-agent
|
||||
- open-cluster-management-agent-addon
|
||||
- open-cluster-management-global-set
|
||||
# Third Party
|
||||
- external-secrets
|
||||
# OpenShift namespaces
|
||||
- openshift
|
||||
- openshift-apiserver
|
||||
- openshift-apiserver-operator
|
||||
- openshift-authentication
|
||||
- openshift-authentication-operator
|
||||
- openshift-cloud-controller-manager
|
||||
- openshift-cloud-controller-manager-operator
|
||||
- openshift-cloud-credential-operator
|
||||
- openshift-cloud-network-config-controller
|
||||
- openshift-cluster-csi-drivers
|
||||
- openshift-cluster-machine-approver
|
||||
- openshift-cluster-node-tuning-operator
|
||||
- openshift-cluster-samples-operator
|
||||
- openshift-cluster-storage-operator
|
||||
- openshift-cluster-version
|
||||
- openshift-config
|
||||
- openshift-config-managed
|
||||
- openshift-config-operator
|
||||
- openshift-console
|
||||
- openshift-console-operator
|
||||
- openshift-console-user-settings
|
||||
- openshift-controller-manager
|
||||
- openshift-controller-manager-operator
|
||||
- openshift-dns
|
||||
- openshift-dns-operator
|
||||
- openshift-etcd
|
||||
- openshift-etcd-operator
|
||||
- openshift-gitops
|
||||
- openshift-host-network
|
||||
- openshift-image-registry
|
||||
- openshift-infra
|
||||
- openshift-ingress
|
||||
- openshift-ingress-canary
|
||||
- openshift-ingress-operator
|
||||
- openshift-insights
|
||||
- openshift-kni-infra
|
||||
- openshift-kube-apiserver
|
||||
- openshift-kube-apiserver-operator
|
||||
- openshift-kube-controller-manager
|
||||
- openshift-kube-controller-manager-operator
|
||||
- openshift-kube-scheduler
|
||||
- openshift-kube-scheduler-operator
|
||||
- openshift-kube-storage-version-migrator
|
||||
- openshift-kube-storage-version-migrator-operator
|
||||
- openshift-machine-api
|
||||
- openshift-machine-config-operator
|
||||
- openshift-marketplace
|
||||
- openshift-monitoring
|
||||
- openshift-multus
|
||||
- openshift-network-diagnostics
|
||||
- openshift-network-operator
|
||||
- openshift-node
|
||||
- openshift-nutanix-infra
|
||||
- openshift-oauth-apiserver
|
||||
- openshift-openstack-infra
|
||||
- openshift-operator-lifecycle-manager
|
||||
- openshift-operators
|
||||
- openshift-ovirt-infra
|
||||
- openshift-ovn-kubernetes
|
||||
- openshift-pipelines
|
||||
- openshift-route-controller-manager
|
||||
- openshift-service-ca
|
||||
- openshift-service-ca-operator
|
||||
- openshift-storage
|
||||
- openshift-user-workload-monitoring
|
||||
- openshift-vsphere-infra
|
||||
@@ -0,0 +1,64 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: annotate-argo-cd-external-link
|
||||
annotations:
|
||||
policies.kyverno.io/title: Annotate Route with Argo CD External Link
|
||||
policies.kyverno.io/category: Argo
|
||||
policies.kyverno.io/minversion: 1.0.0
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Route
|
||||
policies.kyverno.io/description: >-
|
||||
This policy adds an annotation to a route that will cause the Argo CD UI
|
||||
to display an icon representing a clickable link for the route.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
rules:
|
||||
- name: add-annotations-for-https
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- route.openshift.io/v1/Route
|
||||
operations:
|
||||
- UPDATE
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.object.spec.host || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.metadata.annotations.\"argocd.argoproj.io/tracking-id\" || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.spec.tls.termination || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
+(link.argocd.argoproj.io/external-link): https://{{ request.object.spec.host }}/{{ request.object.spec.path || '' }}
|
||||
- name: add-annotations-for-http
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- route.openshift.io/v1/Route
|
||||
operations:
|
||||
- UPDATE
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.object.spec.host || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.metadata.annotations.\"argocd.argoproj.io/tracking-id\" || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.spec.tls.termination || '' }}"
|
||||
operator: Equals
|
||||
value: ""
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
+(link.argocd.argoproj.io/external-link): http://{{ request.object.spec.host }}/{{ request.object.spec.path || '' }}
|
||||
@@ -0,0 +1,57 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: application-field-validation
|
||||
annotations:
|
||||
policies.kyverno.io/title: Application Field Validation
|
||||
policies.kyverno.io/category: Argo
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Application
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
This policy performs some best practices validation on Application fields.
|
||||
Path or chart must be specified but never both. And destination.name or
|
||||
destination.server must be specified but never both.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: source-path-chart
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Application
|
||||
validate:
|
||||
message: >-
|
||||
`spec.source.path` OR `spec.source.chart` should be specified but never both.
|
||||
anyPattern:
|
||||
- spec:
|
||||
source:
|
||||
path: '?*'
|
||||
X(chart):
|
||||
- spec:
|
||||
source:
|
||||
X(path):
|
||||
chart: '?*'
|
||||
- name: destination-server-name
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Application
|
||||
validate:
|
||||
message: >-
|
||||
`spec.destination.server` OR `spec.destination.name` should be specified but never both.
|
||||
anyPattern:
|
||||
- spec:
|
||||
destination:
|
||||
server: '?*'
|
||||
X(name):
|
||||
- spec:
|
||||
destination:
|
||||
X(server):
|
||||
name: '?*'
|
||||
@@ -0,0 +1,35 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: application-prevent-default-project
|
||||
annotations:
|
||||
policies.kyverno.io/title: Prevent Use of Default Project
|
||||
policies.kyverno.io/category: Argo
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.2
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/subject: Application
|
||||
policies.kyverno.io/description: >-
|
||||
This policy prevents the use of the default project in an Application.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: default-project
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Application
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
validate:
|
||||
message: "The default project may not be used in an Application."
|
||||
pattern:
|
||||
spec:
|
||||
project: "!default"
|
||||
@@ -0,0 +1,119 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-deprecated-apis
|
||||
annotations:
|
||||
policies.kyverno.io/title: Check deprecated APIs
|
||||
policies.kyverno.io/category: Best Practices
|
||||
policies.kyverno.io/subject: Kubernetes APIs
|
||||
kyverno.io/kyverno-version: 1.7.4
|
||||
policies.kyverno.io/minversion: 1.7.4
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Kubernetes APIs are sometimes deprecated and removed after a few releases.
|
||||
As a best practice, older API versions should be replaced with newer versions.
|
||||
This policy validates for APIs that are deprecated or scheduled for removal.
|
||||
Note that checking for some of these resources may require modifying the Kyverno
|
||||
ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
|
||||
has been commented out due to a check for this kind having a performance penalty
|
||||
on Kubernetes clusters with many leases. Its enabling should be attended carefully
|
||||
and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
|
||||
so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
|
||||
This policy requires Kyverno v1.7.4+ to function properly.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: true
|
||||
rules:
|
||||
- name: validate-v1-25-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
# NOTE: PodSecurityPolicy is completely removed in 1.25.
|
||||
kinds:
|
||||
- batch/*/CronJob
|
||||
- discovery.k8s.io/*/EndpointSlice
|
||||
- events.k8s.io/*/Event
|
||||
- policy/*/PodDisruptionBudget
|
||||
- node.k8s.io/*/RuntimeClass
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- batch/v1beta1
|
||||
- discovery.k8s.io/v1beta1
|
||||
- events.k8s.io/v1beta1
|
||||
- policy/v1beta1
|
||||
- node.k8s.io/v1beta1
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
- name: validate-v1-26-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- flowcontrol.apiserver.k8s.io/*/FlowSchema
|
||||
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
|
||||
- autoscaling/*/HorizontalPodAutoscaler
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- flowcontrol.apiserver.k8s.io/v1beta1
|
||||
- autoscaling/v2beta2
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
- name: validate-v1-27-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- storage.k8s.io/*/CSIStorageCapacity
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- storage.k8s.io/v1beta1
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
- name: validate-v1-29-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- flowcontrol.apiserver.k8s.io/*/FlowSchema
|
||||
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- flowcontrol.apiserver.k8s.io/v1beta2
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
@@ -0,0 +1,36 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-openshift-deprecated-apis
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow deprecated APIs
|
||||
policies.kyverno.io/category: OpenShift
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC
|
||||
policies.kyverno.io/description: >-
|
||||
OpenShift APIs are sometimes deprecated and removed after a few releases.
|
||||
As a best practice, older API versions should be replaced with newer versions.
|
||||
This policy validates for APIs that are deprecated or scheduled for removal.
|
||||
Note that checking for some of these resources may require modifying the Kyverno
|
||||
ConfigMap to remove filters.
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: check-deprecated-apis
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- authorization.openshift.io/v1/ClusterRole
|
||||
- authorization.openshift.io/v1/ClusterRoleBinding
|
||||
- authorization.openshift.io/v1/Role
|
||||
- authorization.openshift.io/v1/RoleBinding
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated.
|
||||
deny: {}
|
||||
@@ -0,0 +1,56 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-security-context-constraint-anyuid
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid
|
||||
policies.kyverno.io/category: Security
|
||||
policies.kyverno.io/severity: high
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: Role,ClusterRole
|
||||
policies.kyverno.io/description: >-
|
||||
Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: check-security-context-constraint
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ClusterRole
|
||||
- Role
|
||||
validate:
|
||||
message: >-
|
||||
Use of the SecurityContextConstraint (SCC) anyuid is not allowed
|
||||
foreach:
|
||||
- list: request.object.rules[]
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: anyuid
|
||||
operator: AnyIn
|
||||
value: "{{element.resourceNames[]}}"
|
||||
- key: "{{ element.verbs[] | contains(@, 'use') || contains(@, '*') }}"
|
||||
operator: Equals
|
||||
value: true
|
||||
- name: check-security-context-roleref
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ClusterRoleBinding
|
||||
- RoleBinding
|
||||
validate:
|
||||
message: >-
|
||||
Use of the SecurityContextConstraint (SCC) anyuid is not allowed
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: system:openshift:scc:anyuid
|
||||
operator: Equals
|
||||
value: "{{request.object.roleRef.name}}"
|
||||
@@ -0,0 +1,34 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-jenkins-pipeline-strategy
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow OpenShift Jenkins Pipeline Build Strategy
|
||||
policies.kyverno.io/category: OpenShift
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: BuildConfig
|
||||
policies.kyverno.io/description: >-
|
||||
The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: check-build-strategy
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- build.openshift.io/v1/BuildConfig
|
||||
validate:
|
||||
message: >-
|
||||
Jenkins Pipeline Build Strategy has been deprecated and is not allowed
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: "{{ keys(request.object.spec.strategy) | contains(@, 'jenkinsPipelineStrategy') }}"
|
||||
operator: Equals
|
||||
value: true
|
||||
@@ -0,0 +1,41 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-latest-tag
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow Latest Tag
|
||||
policies.kyverno.io/category: Best Practices
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
The ':latest' tag is mutable and can lead to unexpected errors if the
|
||||
image changes. A best practice is to use an immutable tag that maps to
|
||||
a specific version of an application Pod. This policy validates that the image
|
||||
specifies a tag and that it is not called `latest`.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: require-image-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "An image tag is required."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "*:*"
|
||||
- name: validate-image-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Using a mutable image tag e.g. 'latest' is not allowed."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "!*:latest"
|
||||
@@ -0,0 +1,19 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/compare-options: IgnoreExtraneous
|
||||
|
||||
resources:
|
||||
- ../../base
|
||||
- validate-probes-policy.yaml
|
||||
- require-requests-limits-policy.yaml
|
||||
- disallow-anyuid-scc-policy.yaml
|
||||
- require-tls-routes.yaml
|
||||
- check-deprecated-apis.yaml
|
||||
- check-openshift-deprecated-apis.yaml
|
||||
- disallow-latest-tag.yaml
|
||||
- disallow-jenkins-pipeline-strategy.yaml
|
||||
- application-prevent-default-project.yaml
|
||||
- application-field-validation.yaml
|
||||
# - annotate-route-argo-external-link.yaml
|
||||
@@ -0,0 +1,37 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-requests-limits
|
||||
annotations:
|
||||
policies.kyverno.io/title: Require Limits and Requests
|
||||
policies.kyverno.io/category: Multi-Tenancy
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
As application workloads share cluster resources, it is important to limit resources
|
||||
requested and consumed by each Pod. It is recommended to require resource requests and
|
||||
limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
|
||||
defaults will automatically be applied to each Pod based on the LimitRange configuration.
|
||||
This policy validates that all containers have something specified for memory and CPU
|
||||
requests and memory limits.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: validate-resources
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "CPU and memory resource requests and limits are required."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- resources:
|
||||
requests:
|
||||
memory: "?*"
|
||||
cpu: "?*"
|
||||
limits:
|
||||
memory: "?*"
|
||||
@@ -0,0 +1,39 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-routes
|
||||
annotations:
|
||||
policies.kyverno.io/title: Require TLS routes in OpenShift
|
||||
policies.kyverno.io/category: OpenShift
|
||||
policies.kyverno.io/severity: high
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: Route
|
||||
policies.kyverno.io/description: |-
|
||||
HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: require-tls-routes
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- route.openshift.io/v1/Route
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: NotEquals
|
||||
value: ["DELETE"]
|
||||
validate:
|
||||
message: >-
|
||||
HTTP routes are not allowed. Configure TLS for secure routes.
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: "{{ keys(request.object.spec) | contains(@, 'tls') }}"
|
||||
operator: Equals
|
||||
value: false
|
||||
@@ -0,0 +1,37 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-pod-probes
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
|
||||
policies.kyverno.io/title: Require Pod Probes
|
||||
policies.kyverno.io/category: Best Practices
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Liveness and readiness probes need to be configured to correctly manage a Pod's
|
||||
lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic
|
||||
`livenessProbe` is performed by the kubelet to determine if the Pod's containers
|
||||
are running or need to be restarted. A `readinessProbe` is used by Services
|
||||
and Deployments to determine if the Pod is ready to receive network traffic.
|
||||
This policy validates that all containers have liveness and readiness probes by
|
||||
ensuring the `periodSeconds` field is greater than zero.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: validate-livenessProbe-readinessProbe
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Liveness and readiness probes are required."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- livenessProbe:
|
||||
periodSeconds: ">0"
|
||||
readinessProbe:
|
||||
periodSeconds: ">0"
|
||||
@@ -0,0 +1,43 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: verify-signed-image
|
||||
annotations:
|
||||
policies.kyverno.io/title: Verify Signed Images
|
||||
policies.kyverno.io/category: Security
|
||||
policies.kyverno.io/severity: high
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Validates signed images against specified certificates
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
rules:
|
||||
- name: verify-image-quay-io-gnunn-client
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- image: "quay.io/gnunn/client:*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM
|
||||
gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ==
|
||||
-----END PUBLIC KEY-----
|
||||
- name: verify-image-quay-io-gnunn-server
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- image: "quay.io/gnunn/server:*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM
|
||||
gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ==
|
||||
-----END PUBLIC KEY-----
|
||||
Reference in New Issue
Block a user