update kyverno

soerenschneider · Oct 30, 2024 · 16c79c8 · 16c79c8
1 parent 4cb0e32
commit 16c79c8
Show file tree

Hide file tree

Showing 12 changed files with 97 additions and 31 deletions.
diff --git a/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-correct-domain.yaml b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-correct-domain.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-virtual-service-domain
+  annotations:
+    policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards
+    policies.kyverno.io/category: Istio
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.8.4
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/subject: VirtualService
+    policies.kyverno.io/description: >-
+      Virtual Services optionally accept a wildcard as an alternative
+      to precise matching. In some cases, this may be too permissive as it
+      would direct unintended traffic to the given resource. This
+      policy enforces that any Virtual Service host does not contain a wildcard
+      character and allows for more governance when a single mesh deployment
+      model is used.
+spec:
+  validationFailureAction: "enforce"
+  background: true
+  rules:
+    - name: "block-virtual-service-wildcard"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "VirtualService"
+      validate:
+        message: "Only VirtualService objects for the correct domain are allowed."
+        foreach:
+          - list: "request.object.spec.hosts"
+            deny:
+              conditions:
+                any:
+                  - key: "{{element}}"
+                    operator: NotEquals
+                    value: "*.ez.soeren.cloud"
diff --git a/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml
@@ -19,7 +19,7 @@ metadata:
       character and allows for more governance when a single mesh deployment
       model is used.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: "enforce"
   background: true
   rules:
     - name: block-virtual-service-wildcard

diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml
@@ -15,7 +15,7 @@ metadata:
       all tools can understand. The recommended labels describe applications in a way that can be
       queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: "enforce"
   background: true
   rules:
     - name: check-for-labels

diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml
@@ -17,7 +17,7 @@ metadata:
       This policy validates that all containers have something specified for memory and CPU
       requests and memory limits.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: "enforce"
   background: true
   rules:
     - name: validate-resources

diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml
@@ -16,7 +16,7 @@ metadata:
       host system. This policy validates that containers define a securityContext
       with `readOnlyRootFilesystem: true`.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: "enforce"
   background: true
   rules:
     - name: validate-readOnlyRootFilesystem

diff --git a/apps/kyverno/components/default-clusterpolicies/kustomization.yaml b/apps/kyverno/components/default-clusterpolicies/kustomization.yaml
@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
+  - cp-istio-virtualservice-correct-domain.yaml
   - cp-istio-virtualservice-nowildcards.yaml
   - cp-require-labels.yaml
   - cp-require-pod-requests-limits.yaml

diff --git a/apps/kyverno/helm-fan-out.sh b/apps/kyverno/helm-fan-out.sh
diff --git a/apps/kyverno/kustomization.yaml b/apps/kyverno/kustomization.yaml
@@ -1,3 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+resources:
+  - repo.yaml
+  - release.yaml
diff --git a/apps/kyverno/release.yaml b/apps/kyverno/release.yaml
@@ -0,0 +1,17 @@
+apiVersion: "helm.toolkit.fluxcd.io/v2"
+kind: "HelmRelease"
+metadata:
+  name: "kyverno"
+spec:
+  releaseName: "kyverno"
+  chart:
+    spec:
+      chart: "kyverno"
+      version: "2.6.0"
+      sourceRef:
+        kind: "HelmRepository"
+        name: "kyverno"
+  interval: "1h"
+  install:
+    remediation:
+      retries: 3
diff --git a/apps/kyverno/repo.yaml b/apps/kyverno/repo.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: kyverno
+spec:
+  interval: 1h
+  url: "https://kyverno.github.io/kyverno/"
diff --git a/clusters/svc.pt.soeren.cloud/kyverno/kustomization.yaml b/clusters/svc.pt.soeren.cloud/kyverno/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "kyverno"
+resources:
+  - "namespace.yaml"
+  - "../../../apps/kyverno"
+components:
+  - "../../../apps/kyverno/components/default-clusterpolicies"
+patches:
+  - target:
+      kind: ClusterPolicy
+      name: restrict-virtual-service-domain
+    patch: |
+      - op: replace
+        path: /spec/rules/0/validate/foreach/0/deny/conditions/any/0/value
+        value: "*.pt.soeren.cloud"
diff --git a/clusters/svc.pt.soeren.cloud/kyverno/namespace.yaml b/clusters/svc.pt.soeren.cloud/kyverno/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+  name: "kyverno"
+  labels:
+    name: "kyverno"