azimuth-cloud / capi-helm-charts

Apache License 2.0

Add Kyverno policy engine addon : Approach #2 #455

Open scrungus opened 6 days ago

scrungus commented 4 days ago
```yaml
{{- if .Values.kyvernoPolicies.enabled }}
---
apiVersion: addons.stackhpc.com/v1alpha1
kind: Manifests
metadata:
  name: {{ include "cluster-addons.componentName" (list . "kyverno") }}-pod-security-rules
  labels: {{ include "cluster-addons.componentLabels" (list . "kyverno") | nindent 4 }}
  annotations:
    # Tell Argo to ignore the non-controller owner references for this object
    argocd.argoproj.io/sync-options: "ControllerReferencesOnly=true"
spec:
  clusterName: {{ include "cluster-addons.clusterName" . }}
  bootstrap: true
  targetNamespace: {{ .Values.kyverno.release.namespace }}
  releaseName: kyverno
  manifestSources:
    # Apply Restricted Pod Security Standard
    # NOTE(tylerchristie): Any new system namespaces will need to be added to the
    # exclude filter of the ruleset.
    - template: |
        apiVersion: kyverno.io/v1
        kind: ClusterPolicy
        metadata:
          name: podsecurity-subrule-restricted
          annotations:
            policies.kyverno.io/title: Restricted Pod Security Standards
            policies.kyverno.io/category: Pod Security, EKS Best Practices
            policies.kyverno.io/severity: medium
            # Quoted so the annotation value is always a string, as on kubernetes-version below
            kyverno.io/kyverno-version: "{{ .Values.kyverno.chart.version }}"
            policies.kyverno.io/minversion: 1.8.0
            kyverno.io/kubernetes-version: "{{ .Values.kubernetesVersion }}"
            policies.kyverno.io/subject: Pod
            policies.kyverno.io/description: >-
              The restricted profile of the Pod Security Standards, which is inclusive of
              the baseline profile, is a collection of all the most common configurations
              that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile
              may be assigned to the cluster through a single rule. This policy configures the
              restricted profile through the latest version of the Pod Security Standards cluster wide.
        spec:
          background: true
          validationFailureAction: Audit
          rules:
          - name: restricted
            match:
              any:
              - resources:
                  kinds:
                  - Pod
            validate:
              podSecurity:
                level: restricted
                version: latest
{{- end }}
```

Pod security rules. When these are applied, the cluster doesn't come up. After investigating with devstack, it seems like the Kyverno pods will come up and then immediately get uninstalled by Helm. Needs further investigation.
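To make concrete what the `validate.podSecurity: level: restricted` rule in the policy above will flag, here is an added example that is not code from this PR, from the chart, or from Kyverno: a small Python checker covering the main restricted-profile controls (host namespaces, volume types, `privileged`, `allowPrivilegeEscalation`, `runAsNonRoot`/`runAsUser`, seccomp, and capabilities), run over a constructed non-compliant Pod and a hardened version of the same Pod. It is a simplified approximation of the profile written for illustration, not a reimplementation of Kyverno's evaluation; the two Pod manifests are constructed sample input. Because the policy runs with `validationFailureAction: Audit` and `background: true`, findings like these would show up in PolicyReports rather than as admission denials.

```python
"""Simplified checker for the Pod Security Standards "restricted" profile.

Added example, not Kyverno's implementation: it covers the controls a
practitioner most often trips over and ignores some (AppArmor, SELinux,
sysctls, procMount, hostPorts, Windows HostProcess) for brevity.
"""

# Volume types the restricted profile permits; anything else (hostPath,
# nfs, gcePersistentDisk, ...) is a violation.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(spec):
    """All container lists the profile evaluates, init and ephemeral included."""
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def _effective(pod_sc, ctr_sc, key):
    """Kubernetes lets a container securityContext override the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_restricted(pod):
    """Return a list of human-readable violations; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []

    # Baseline host namespace controls (restricted includes baseline).
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} must be false")

    # Volume type restriction.
    for vol in spec.get("volumes", []):
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                violations.append(
                    f"volume {vol['name']!r} uses disallowed type {vol_type!r}")

    for ctr in _containers(spec):
        where = f"container {ctr.get('name', '?')!r}"
        sc = ctr.get("securityContext") or {}

        if sc.get("privileged"):
            violations.append(f"{where}: privileged must be false")

        # Must be explicitly false; unset defaults to true in the kubelet.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f"{where}: allowPrivilegeEscalation must be set to false")

        # Non-root: runAsNonRoot true (pod or container level), runAsUser != 0.
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(f"{where}: runAsNonRoot must be true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            violations.append(f"{where}: runAsUser must not be 0")

        # Seccomp must be explicitly RuntimeDefault or Localhost somewhere.
        seccomp = (_effective(pod_sc, sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")

        # Capabilities: drop ALL, and only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{where}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(
                f"{where}: capabilities.add may only contain NET_BIND_SERVICE, "
                f"got {sorted(extra)}")

    return violations


# Constructed sample input: a typical "debug" pod that breaks most of the profile.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True, "runAsUser": 0},
        }],
    },
}

# Constructed sample input: the same workload with the controls applied.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (NONCOMPLIANT_POD, COMPLIANT_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "compliant")
```

The non-compliant pod produces eight findings (host network, hostPath volume, privileged, missing `allowPrivilegeEscalation: false`, missing `runAsNonRoot`, `runAsUser: 0`, no seccomp profile, no `drop: [ALL]`); the hardened pod produces none. For the real policy, the equivalent check before rolling it out cluster-wide is `kyverno apply` with the rendered ClusterPolicy and `--resource` pointing at a pod manifest, which reports the same class of failures without needing a running cluster.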