Merge commit 'fe564d72279f4ab061b961dd528623f0ed272667' as 'cluster-config'

This commit is contained in:
2025-03-30 15:46:16 -05:00
346 changed files with 11754 additions and 0 deletions

View File

@@ -0,0 +1,23 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
helmCharts:
- name: kyverno
version: 3.0.5
repo: https://kyverno.github.io/kyverno/
valuesFile: values.yaml
namespace: kyverno
releaseName: kyverno
# Delete kyverno PDB, not useful on SNO
patches:
- patch: |-
$patch: delete
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: kyverno-admission-controller
namespace: kyverno

View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/description: Kyverno Policy Engine
openshift.io/display-name: Kyverno
name: kyverno

View File

@@ -0,0 +1,269 @@
admissionController:
replicas: 3
antiAffinity:
# anti-affinity won't work on SNO
enabled: false
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
backgroundController:
replicas: 1
antiAffinity:
# anti-affinity won't work on SNO
enabled: false
cleanupController:
replicas: 1
antiAffinity:
# anti-affinity won't work on SNO
enabled: false
resources:
limits:
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
reportsController:
replicas: 1
antiAffinity:
# anti-affinity won't work on SNO
enabled: false
resources:
limits:
memory: 256Mi
cpu: 4000m
requests:
cpu: 100m
memory: 128Mi
crds:
install: true
annotations:
argocd.argoproj.io/sync-options: Validate=false,ServerSideApply=true
apiVersionOverride:
podDisruptionBudget: policy/v1
config:
resourceFilters:
- '[Event,*,*]'
- '[*/*,default,*]'
- '[*/*,kube-system,*]'
- '[*/*,kube-public,*]'
- '[*/*,kube-node-lease,*]'
- '[*/*,openshift,*]'
- '[*/*, openshift-*, *]'
- '[*/*,open-cluster-*,*]'
- '[*/*,hive,*]'
- '[*/*, multicluster-engine,*]'
- '[*/*,stackrox,*]'
- '[*/*,rhacs-operator,*]'
- '[*/*,costmanagement-metrics-operator,*]'
- '[Node,*,*]'
- '[Node/*,*,*]'
- '[APIService,*,*]'
- '[APIService/*,*,*]'
- '[TokenReview,*,*]'
- '[SubjectAccessReview,*,*]'
- '[SelfSubjectAccessReview,*,*]'
- '[Binding,*,*]'
- '[Pod/binding,*,*]'
- '[ReplicaSet,*,*]'
- '[ReplicaSet/*,*,*]'
- '[AdmissionReport,*,*]'
- '[AdmissionReport/*,*,*]'
- '[ClusterAdmissionReport,*,*]'
- '[ClusterAdmissionReport/*,*,*]'
- '[BackgroundScanReport,*,*]'
- '[BackgroundScanReport/*,*,*]'
- '[ClusterBackgroundScanReport,*,*]'
- '[ClusterBackgroundScanReport/*,*,*]'
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
- '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
- '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
- '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
- '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
webhooks:
# Exclude namespaces
- namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
# System namespaces
- default
- kyverno
- kube-system
- kube-node-lease
# OpenShift layered products
- assisted-installer
- cert-manager
- cert-manager-operator
- stackrox
- stackrox-secured-cluster-service
- rhacs-operator
- multicluster-engine
- open-cluster-management
- open-cluster-management-hub
- open-cluster-management-observability
- open-cluster-management-addon-observability
- open-cluster-management-agent
- open-cluster-management-agent-addon
- open-cluster-management-global-set
# Third Party
- external-secrets
# OpenShift namespaces
- openshift
- openshift-apiserver
- openshift-apiserver-operator
- openshift-authentication
- openshift-authentication-operator
- openshift-cloud-controller-manager
- openshift-cloud-controller-manager-operator
- openshift-cloud-credential-operator
- openshift-cloud-network-config-controller
- openshift-cluster-csi-drivers
- openshift-cluster-machine-approver
- openshift-cluster-node-tuning-operator
- openshift-cluster-samples-operator
- openshift-cluster-storage-operator
- openshift-cluster-version
- openshift-config
- openshift-config-managed
- openshift-config-operator
- openshift-console
- openshift-console-operator
- openshift-console-user-settings
- openshift-controller-manager
- openshift-controller-manager-operator
- openshift-dns
- openshift-dns-operator
- openshift-etcd
- openshift-etcd-operator
- openshift-gitops
- openshift-host-network
- openshift-image-registry
- openshift-infra
- openshift-ingress
- openshift-ingress-canary
- openshift-ingress-operator
- openshift-insights
- openshift-kni-infra
- openshift-kube-apiserver
- openshift-kube-apiserver-operator
- openshift-kube-controller-manager
- openshift-kube-controller-manager-operator
- openshift-kube-scheduler
- openshift-kube-scheduler-operator
- openshift-kube-storage-version-migrator
- openshift-kube-storage-version-migrator-operator
- openshift-machine-api
- openshift-machine-config-operator
- openshift-marketplace
- openshift-monitoring
- openshift-multus
- openshift-network-diagnostics
- openshift-network-operator
- openshift-node
- openshift-nutanix-infra
- openshift-oauth-apiserver
- openshift-openstack-infra
- openshift-operator-lifecycle-manager
- openshift-operators
- openshift-ovirt-infra
- openshift-ovn-kubernetes
- openshift-pipelines
- openshift-route-controller-manager
- openshift-service-ca
- openshift-service-ca-operator
- openshift-storage
- openshift-user-workload-monitoring
- openshift-vsphere-infra

View File

@@ -0,0 +1,64 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: annotate-argo-cd-external-link
annotations:
policies.kyverno.io/title: Annotate Route with Argo CD External Link
policies.kyverno.io/category: Argo
policies.kyverno.io/minversion: 1.0.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Route
policies.kyverno.io/description: >-
This policy adds an annotation to a route that will cause the Argo CD UI
to display an icon representing a clickable link for the route.
spec:
validationFailureAction: audit
rules:
- name: add-annotations-for-https
match:
any:
- resources:
kinds:
- route.openshift.io/v1/Route
operations:
- UPDATE
preconditions:
all:
- key: "{{ request.object.spec.host || '' }}"
operator: NotEquals
value: ""
- key: "{{ request.object.metadata.annotations.\"argocd.argoproj.io/tracking-id\" || '' }}"
operator: NotEquals
value: ""
- key: "{{ request.object.spec.tls.termination || '' }}"
operator: NotEquals
value: ""
mutate:
patchStrategicMerge:
metadata:
annotations:
+(link.argocd.argoproj.io/external-link): https://{{ request.object.spec.host }}/{{ request.object.spec.path || '' }}
- name: add-annotations-for-http
match:
any:
- resources:
kinds:
- route.openshift.io/v1/Route
operations:
- UPDATE
preconditions:
all:
- key: "{{ request.object.spec.host || '' }}"
operator: NotEquals
value: ""
- key: "{{ request.object.metadata.annotations.\"argocd.argoproj.io/tracking-id\" || '' }}"
operator: NotEquals
value: ""
- key: "{{ request.object.spec.tls.termination || '' }}"
operator: Equals
value: ""
mutate:
patchStrategicMerge:
metadata:
annotations:
+(link.argocd.argoproj.io/external-link): http://{{ request.object.spec.host }}/{{ request.object.spec.path || '' }}

View File

@@ -0,0 +1,57 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: application-field-validation
annotations:
policies.kyverno.io/title: Application Field Validation
policies.kyverno.io/category: Argo
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Application
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/description: >-
This policy performs some best practices validation on Application fields.
Path or chart must be specified but never both. And destination.name or
destination.server must be specified but never both.
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
rules:
- name: source-path-chart
match:
any:
- resources:
kinds:
- Application
validate:
message: >-
`spec.source.path` OR `spec.source.chart` should be specified but never both.
anyPattern:
- spec:
source:
path: '?*'
X(chart):
- spec:
source:
X(path):
chart: '?*'
- name: destination-server-name
match:
any:
- resources:
kinds:
- Application
validate:
message: >-
`spec.destination.server` OR `spec.destination.name` should be specified but never both.
anyPattern:
- spec:
destination:
server: '?*'
X(name):
- spec:
destination:
X(server):
name: '?*'

View File

@@ -0,0 +1,35 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: application-prevent-default-project
annotations:
policies.kyverno.io/title: Prevent Use of Default Project
policies.kyverno.io/category: Argo
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.6.2
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/subject: Application
policies.kyverno.io/description: >-
This policy prevents the use of the default project in an Application.
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
rules:
- name: default-project
match:
any:
- resources:
kinds:
- Application
preconditions:
all:
- key: "{{ request.operation }}"
operator: NotEquals
value: DELETE
validate:
message: "The default project may not be used in an Application."
pattern:
spec:
project: "!default"

View File

@@ -0,0 +1,119 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-deprecated-apis
annotations:
policies.kyverno.io/title: Check deprecated APIs
policies.kyverno.io/category: Best Practices
policies.kyverno.io/subject: Kubernetes APIs
kyverno.io/kyverno-version: 1.7.4
policies.kyverno.io/minversion: 1.7.4
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/description: >-
Kubernetes APIs are sometimes deprecated and removed after a few releases.
As a best practice, older API versions should be replaced with newer versions.
This policy validates for APIs that are deprecated or scheduled for removal.
Note that checking for some of these resources may require modifying the Kyverno
ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
has been commented out due to a check for this kind having a performance penalty
on Kubernetes clusters with many leases. Its enabling should be attended carefully
and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
This policy requires Kyverno v1.7.4+ to function properly.
spec:
validationFailureAction: audit
background: true
rules:
- name: validate-v1-25-removals
match:
any:
- resources:
# NOTE: PodSecurityPolicy is completely removed in 1.25.
kinds:
- batch/*/CronJob
- discovery.k8s.io/*/EndpointSlice
- events.k8s.io/*/Event
- policy/*/PodDisruptionBudget
- node.k8s.io/*/RuntimeClass
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- batch/v1beta1
- discovery.k8s.io/v1beta1
- events.k8s.io/v1beta1
- policy/v1beta1
- node.k8s.io/v1beta1
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}
- name: validate-v1-26-removals
match:
any:
- resources:
kinds:
- flowcontrol.apiserver.k8s.io/*/FlowSchema
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
- autoscaling/*/HorizontalPodAutoscaler
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- flowcontrol.apiserver.k8s.io/v1beta1
- autoscaling/v2beta2
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}
- name: validate-v1-27-removals
match:
any:
- resources:
kinds:
- storage.k8s.io/*/CSIStorageCapacity
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- storage.k8s.io/v1beta1
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}
- name: validate-v1-29-removals
match:
any:
- resources:
kinds:
- flowcontrol.apiserver.k8s.io/*/FlowSchema
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- flowcontrol.apiserver.k8s.io/v1beta2
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}

View File

@@ -0,0 +1,36 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-openshift-deprecated-apis
annotations:
policies.kyverno.io/title: Disallow deprecated APIs
policies.kyverno.io/category: OpenShift
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.20"
policies.kyverno.io/subject: ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC
policies.kyverno.io/description: >-
OpenShift APIs are sometimes deprecated and removed after a few releases.
As a best practice, older API versions should be replaced with newer versions.
This policy validates for APIs that are deprecated or scheduled for removal.
Note that checking for some of these resources may require modifying the Kyverno
ConfigMap to remove filters.
spec:
validationFailureAction: enforce
failurePolicy: Ignore
background: false
rules:
- name: check-deprecated-apis
match:
any:
- resources:
kinds:
- authorization.openshift.io/v1/ClusterRole
- authorization.openshift.io/v1/ClusterRoleBinding
- authorization.openshift.io/v1/Role
- authorization.openshift.io/v1/RoleBinding
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated.
deny: {}

View File

@@ -0,0 +1,56 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-security-context-constraint-anyuid
annotations:
policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid
policies.kyverno.io/category: Security
policies.kyverno.io/severity: high
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.20"
policies.kyverno.io/subject: Role,ClusterRole
policies.kyverno.io/description: >-
Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
rules:
- name: check-security-context-constraint
match:
any:
- resources:
kinds:
- ClusterRole
- Role
validate:
message: >-
Use of the SecurityContextConstraint (SCC) anyuid is not allowed
foreach:
- list: request.object.rules[]
deny:
conditions:
all:
- key: anyuid
operator: AnyIn
value: "{{element.resourceNames[]}}"
- key: "{{ element.verbs[] | contains(@, 'use') || contains(@, '*') }}"
operator: Equals
value: true
- name: check-security-context-roleref
match:
any:
- resources:
kinds:
- ClusterRoleBinding
- RoleBinding
validate:
message: >-
Use of the SecurityContextConstraint (SCC) anyuid is not allowed
deny:
conditions:
all:
- key: system:openshift:scc:anyuid
operator: Equals
value: "{{request.object.roleRef.name}}"

View File

@@ -0,0 +1,34 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-jenkins-pipeline-strategy
annotations:
policies.kyverno.io/title: Disallow OpenShift Jenkins Pipeline Build Strategy
policies.kyverno.io/category: OpenShift
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.20"
policies.kyverno.io/subject: BuildConfig
policies.kyverno.io/description: >-
The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.
spec:
validationFailureAction: enforce
failurePolicy: Ignore
background: false
rules:
- name: check-build-strategy
match:
any:
- resources:
kinds:
- build.openshift.io/v1/BuildConfig
validate:
message: >-
Jenkins Pipeline Build Strategy has been deprecated and is not allowed
deny:
conditions:
all:
- key: "{{ keys(request.object.spec.strategy) | contains(@, 'jenkinsPipelineStrategy') }}"
operator: Equals
value: true

View File

@@ -0,0 +1,41 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/title: Disallow Latest Tag
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application Pod. This policy validates that the image
specifies a tag and that it is not called `latest`.
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
rules:
- name: require-image-tag
match:
resources:
kinds:
- Pod
validate:
message: "An image tag is required."
pattern:
spec:
containers:
- image: "*:*"
- name: validate-image-tag
match:
resources:
kinds:
- Pod
validate:
message: "Using a mutable image tag e.g. 'latest' is not allowed."
pattern:
spec:
containers:
- image: "!*:latest"

View File

@@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonAnnotations:
argocd.argoproj.io/compare-options: IgnoreExtraneous
resources:
- ../../base
- validate-probes-policy.yaml
- require-requests-limits-policy.yaml
- disallow-anyuid-scc-policy.yaml
- require-tls-routes.yaml
- check-deprecated-apis.yaml
- check-openshift-deprecated-apis.yaml
- disallow-latest-tag.yaml
- disallow-jenkins-pipeline-strategy.yaml
- application-prevent-default-project.yaml
- application-field-validation.yaml
# - annotate-route-argo-external-link.yaml

View File

@@ -0,0 +1,37 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-requests-limits
annotations:
policies.kyverno.io/title: Require Limits and Requests
policies.kyverno.io/category: Multi-Tenancy
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
As application workloads share cluster resources, it is important to limit resources
requested and consumed by each Pod. It is recommended to require resource requests and
limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
defaults will automatically be applied to each Pod based on the LimitRange configuration.
This policy validates that all containers have something specified for memory and CPU
requests and memory limits.
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
rules:
- name: validate-resources
match:
resources:
kinds:
- Pod
validate:
message: "CPU and memory resource requests and limits are required."
pattern:
spec:
containers:
- resources:
requests:
memory: "?*"
cpu: "?*"
limits:
memory: "?*"

View File

@@ -0,0 +1,39 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-routes
annotations:
policies.kyverno.io/title: Require TLS routes in OpenShift
policies.kyverno.io/category: OpenShift
policies.kyverno.io/severity: high
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.20"
policies.kyverno.io/subject: Route
policies.kyverno.io/description: |-
HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
rules:
- name: require-tls-routes
match:
any:
- resources:
kinds:
- route.openshift.io/v1/Route
preconditions:
all:
- key: "{{ request.operation }}"
operator: NotEquals
value: ["DELETE"]
validate:
message: >-
HTTP routes are not allowed. Configure TLS for secure routes.
deny:
conditions:
all:
- key: "{{ keys(request.object.spec) | contains(@, 'tls') }}"
operator: Equals
value: false

View File

@@ -0,0 +1,37 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-pod-probes
annotations:
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
policies.kyverno.io/title: Require Pod Probes
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Liveness and readiness probes need to be configured to correctly manage a Pod's
lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic
`livenessProbe` is performed by the kubelet to determine if the Pod's containers
are running or need to be restarted. A `readinessProbe` is used by Services
and Deployments to determine if the Pod is ready to receive network traffic.
This policy validates that all containers have liveness and readiness probes by
ensuring the `periodSeconds` field is greater than zero.
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
rules:
- name: validate-livenessProbe-readinessProbe
match:
resources:
kinds:
- Pod
validate:
message: "Liveness and readiness probes are required."
pattern:
spec:
containers:
- livenessProbe:
periodSeconds: ">0"
readinessProbe:
periodSeconds: ">0"

View File

@@ -0,0 +1,43 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-signed-image
annotations:
policies.kyverno.io/title: Verify Signed Images
policies.kyverno.io/category: Security
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Validates signed images against specified certificates
spec:
validationFailureAction: audit
failurePolicy: Ignore
background: false
webhookTimeoutSeconds: 30
rules:
- name: verify-image-quay-io-gnunn-client
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- image: "quay.io/gnunn/client:*"
key: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM
gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ==
-----END PUBLIC KEY-----
- name: verify-image-quay-io-gnunn-server
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- image: "quay.io/gnunn/server:*"
key: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM
gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ==
-----END PUBLIC KEY-----