-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06…
…b992a.tgz kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/README.md kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/main.yaml kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/values.schema.json
- Loading branch information
1 parent
b759c57
commit 07901d9
Showing
5 changed files
with
374 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file added
BIN
+6.08 KB
kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz
Binary file not shown.
133 changes: 133 additions & 0 deletions
133
...licy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| [](https://dl.circleci.com/status-badge/redirect/gh/giantswarm/kyverno-policy-operator/tree/main) | ||
|
|
||
| # kyverno-policy-operator chart | ||
|
|
||
| Giant Swarm offers a kyverno-policy-operator App which can be installed in workload clusters. | ||
| Here we define the kyverno-policy-operator chart with its templates and default configuration. | ||
|
|
||
| Kyverno Policy Operator reconciles the Giant Swarm PolicyException instances and creates the necessary Kyverno PolicyExceptions objects. | ||
|
|
||
| A Giant Swarm PolicyException consists of a list of Policies and Targets to be excluded from the Kyverno Policy Engine. Having a Giant Swarm PolicyException will ensure that workloads targeted by that policy won't be blocked during Admission time by Kyverno. | ||
|
|
||
| ### Sample Giant Swarm PolicyException: | ||
|
|
||
| In some cases, it may be necessary to exempt specific resources from the enforcement of Kyverno policies, such as `disallow-privilege-escalation` and `require-run-as-nonroot`. To achieve this, you can create a Giant Swarm PolicyException. Below is an example of how to exclude the `my-custom-operator` Deployment in the `default` namespace from these policies: | ||
|
|
||
| ```yaml | ||
| apiVersion: policy.giantswarm.io/v1alpha1 | ||
| kind: PolicyException | ||
| metadata: | ||
| name: my-custom-operator | ||
| namespace: policy-exceptions | ||
| spec: | ||
| policies: | ||
| - disallow-privilege-escalation | ||
| - require-run-as-nonroot | ||
| targets: | ||
| - kind: Deployment | ||
| names: | ||
| - my-custom-operator | ||
| namespaces: | ||
| - default | ||
| ``` | ||
| This Policy Exception configuration will be detected by the Kyverno Policy Operator, which will create a corresponding Kyverno Policy Exception resource: | ||
| ```yaml | ||
| apiVersion: kyverno.io/v2beta1 | ||
| kind: PolicyException | ||
| metadata: | ||
| labels: | ||
| app.kubernetes.io/managed-by: kyverno-policy-operator | ||
| name: my-custom-operator | ||
| namespace: policy-exceptions | ||
| (...) | ||
| spec: | ||
| background: false | ||
| exceptions: | ||
| - policyName: require-run-as-nonroot | ||
| ruleNames: | ||
| - run-as-non-root | ||
| - autogen-run-as-non-root | ||
| - autogen-cronjob-run-as-non-root | ||
| - policyName: disallow-privilege-escalation | ||
| ruleNames: | ||
| - privilege-escalation | ||
| - autogen-privilege-escalation | ||
| - autogen-cronjob-privilege-escalation | ||
| match: | ||
| any: | ||
| - resources: | ||
| kinds: | ||
| - Deployment | ||
| - ReplicaSet | ||
| - Pod | ||
| names: | ||
| - my-custom-operator* | ||
| namespaces: | ||
| - default | ||
| ``` | ||
| ## Installing | ||
| There are several ways to install this app onto a workload cluster. | ||
| - [Using GitOps to instantiate the App](https://docs.giantswarm.io/advanced/gitops/apps/) | ||
| - [Using our web interface](https://docs.giantswarm.io/platform-overview/web-interface/app-platform/#installing-an-app). | ||
| - By creating an [App resource](https://docs.giantswarm.io/use-the-api/management-api/crd/apps.application.giantswarm.io/) in the management cluster as explained in [Getting started with App Platform](https://docs.giantswarm.io/getting-started/app-platform/). | ||
| ## Configuring | ||
| ### values.yaml | ||
| **This is an example of a values file you could upload using our web interface.** | ||
| ```yaml | ||
| # Set the PolicyExceptions destination namespace | ||
| policyOperator: | ||
| destinationNamespace: "" | ||
| ``` | ||
| ### Sample App CR and ConfigMap for the management cluster | ||
| If you have access to the Kubernetes API on the management cluster, you could create | ||
| the App CR and ConfigMap directly. | ||
| Here is an example that would install the app to | ||
| workload cluster `abc12`: | ||
|
|
||
| ```yaml | ||
| # appCR.yaml | ||
| apiVersion: application.giantswarm.io/v1alpha1 | ||
| kind: App | ||
| metadata: | ||
| name: kyverno-policy-operator | ||
| namespace: demo01 | ||
| spec: | ||
| catalog: giantswarm-playground-test | ||
| config: | ||
| configMap: | ||
| name: demo01-cluster-values | ||
| namespace: demo01 | ||
| name: kyverno-policy-operator | ||
| namespace: kyverno-policy-operator | ||
| version: 0.0.1 | ||
| ``` | ||
|
|
||
| ```yaml | ||
| # user-values-configmap.yaml | ||
| policyOperator: | ||
| destinationNamespace: "policy-exceptions" | ||
| ``` | ||
|
|
||
| See our [full reference on how to configure apps](https://docs.giantswarm.io/getting-started/app-platform/app-configuration/) for more details. | ||
|
|
||
| ## Compatibility | ||
|
|
||
| This app has been tested to work with the following workload cluster release versions: | ||
|
|
||
| - v19.1.0 | ||
|
|
||
| ## Limitations | ||
|
|
||
| This App needs Kyverno App [v0.15+](https://github.com/giantswarm/kyverno-app) to be installed in the cluster. |
11 changes: 11 additions & 0 deletions
11
kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/main.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| annotations: | ||
| application.giantswarm.io/metadata: https://giantswarm.github.io/giantswarm-test-catalog/kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/main.yaml | ||
| application.giantswarm.io/readme: https://giantswarm.github.io/giantswarm-test-catalog/kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/README.md | ||
| application.giantswarm.io/team: shield | ||
| application.giantswarm.io/values-schema: https://giantswarm.github.io/giantswarm-test-catalog/kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/values.schema.json | ||
| chartApiVersion: v2 | ||
| chartFile: kyverno-policy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz | ||
| dateCreated: '2025-01-16T07:03:25.697130Z' | ||
| digest: 29317d4b8b337e164404f48a88a3c38ec8422d238cc96926dabff53594137faf | ||
| home: https://github.com/giantswarm/kyverno-policy-operator | ||
| icon: https://s.giantswarm.io/app-icons/giantswarm/1/light.svg |
212 changes: 212 additions & 0 deletions
212
...olicy-operator-0.0.7-2b74cbf8a6e4ba50475c719d3fbf5566e06b992a.tgz-meta/values.schema.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,212 @@ | ||
| { | ||
| "$schema": "http://json-schema.org/schema#", | ||
| "type": "object", | ||
| "properties": { | ||
| "ciliumNetworkPolicy": { | ||
| "type": "object", | ||
| "properties": { | ||
| "enabled": { | ||
| "type": "boolean" | ||
| } | ||
| } | ||
| }, | ||
| "containerSecurityContext": { | ||
| "type": "object", | ||
| "properties": { | ||
| "allowPrivilegeEscalation": { | ||
| "type": "boolean" | ||
| }, | ||
| "capabilities": { | ||
| "type": "object", | ||
| "properties": { | ||
| "drop": { | ||
| "type": "array", | ||
| "items": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "privileged": { | ||
| "type": "boolean" | ||
| }, | ||
| "readOnlyRootFilesystem": { | ||
| "type": "boolean" | ||
| }, | ||
| "runAsNonRoot": { | ||
| "type": "boolean" | ||
| }, | ||
| "seccompProfile": { | ||
| "type": "object", | ||
| "properties": { | ||
| "type": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "crds": { | ||
| "type": "object", | ||
| "properties": { | ||
| "image": { | ||
| "type": "object", | ||
| "properties": { | ||
| "tag": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| }, | ||
| "install": { | ||
| "type": "boolean" | ||
| }, | ||
| "resources": { | ||
| "type": "object", | ||
| "properties": { | ||
| "limits": { | ||
| "type": "object", | ||
| "properties": { | ||
| "cpu": { | ||
| "type": "string" | ||
| }, | ||
| "memory": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| }, | ||
| "requests": { | ||
| "type": "object", | ||
| "properties": { | ||
| "cpu": { | ||
| "type": "string" | ||
| }, | ||
| "memory": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "global": { | ||
| "type": "object", | ||
| "properties": { | ||
| "image": { | ||
| "type": "object", | ||
| "properties": { | ||
| "registry": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| }, | ||
| "podSecurityStandards": { | ||
| "type": "object", | ||
| "properties": { | ||
| "enforced": { | ||
| "type": "boolean" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "image": { | ||
| "type": "object", | ||
| "properties": { | ||
| "name": { | ||
| "type": "string" | ||
| }, | ||
| "pullPolicy": { | ||
| "type": "string" | ||
| }, | ||
| "registry": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| }, | ||
| "name": { | ||
| "type": "string" | ||
| }, | ||
| "nodeSelector": { | ||
| "type": "object" | ||
| }, | ||
| "podLabels": { | ||
| "type": "object" | ||
| }, | ||
| "podSecurityContext": { | ||
| "type": "object", | ||
| "properties": { | ||
| "readOnlyRootFilesystem": { | ||
| "type": "boolean" | ||
| }, | ||
| "runAsGroup": { | ||
| "type": "integer" | ||
| }, | ||
| "runAsNonRoot": { | ||
| "type": "boolean" | ||
| }, | ||
| "runAsUser": { | ||
| "type": "integer" | ||
| }, | ||
| "seccompProfile": { | ||
| "type": "object", | ||
| "properties": { | ||
| "type": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "policyOperator": { | ||
| "type": "object", | ||
| "properties": { | ||
| "chartOperatorExceptionKinds": { | ||
| "type": "array", | ||
| "items": { | ||
| "type": "string" | ||
| } | ||
| }, | ||
| "destinationNamespace": { | ||
| "type": "string" | ||
| }, | ||
| "exceptionBackgroundMode": { | ||
| "type": "boolean" | ||
| } | ||
| } | ||
| }, | ||
| "resources": { | ||
| "type": "object", | ||
| "properties": { | ||
| "limits": { | ||
| "type": "object", | ||
| "properties": { | ||
| "cpu": { | ||
| "type": "string" | ||
| }, | ||
| "memory": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| }, | ||
| "requests": { | ||
| "type": "object", | ||
| "properties": { | ||
| "cpu": { | ||
| "type": "string" | ||
| }, | ||
| "memory": { | ||
| "type": "string" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "serviceType": { | ||
| "type": "string" | ||
| }, | ||
| "tolerations": { | ||
| "type": "array" | ||
| } | ||
| } | ||
| } |