From 16c79c8697afb07a68615cc2847da87024190414 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Schneider?= <56670304+soerenschneider@users.noreply.github.com>
Date: Wed, 30 Oct 2024 17:08:54 +0000
Subject: [PATCH] update kyverno

---
...p-istio-virtualservice-correct-domain.yaml | 40 +++++++++++++++++++
.../cp-istio-virtualservice-nowildcards.yaml | 2 +-
.../cp-require-labels.yaml | 2 +-
.../cp-require-pod-requests-limits.yaml | 2 +-
.../cp-require-ro-rootfs.yaml | 2 +-
.../kustomization.yaml | 1 +
apps/kyverno/helm-fan-out.sh | 27 -------------
apps/kyverno/kustomization.yaml | 3 ++
apps/kyverno/release.yaml | 17 ++++++++
apps/kyverno/repo.yaml | 8 ++++
.../kyverno/kustomization.yaml | 17 ++++++++
.../kyverno/namespace.yaml | 7 ++++
12 files changed, 97 insertions(+), 31 deletions(-)
create mode 100644 apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-correct-domain.yaml
delete mode 100755 apps/kyverno/helm-fan-out.sh
create mode 100644 apps/kyverno/release.yaml
create mode 100644 apps/kyverno/repo.yaml
create mode 100644 clusters/svc.pt.soeren.cloud/kyverno/kustomization.yaml
create mode 100644 clusters/svc.pt.soeren.cloud/kyverno/namespace.yaml

diff --git a/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-correct-domain.yaml b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-correct-domain.yaml
new file mode 100644
index 00000000..d618a3d9
--- /dev/null
+++ b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-correct-domain.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-virtual-service-domain
+ annotations:
+ policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards
+ policies.kyverno.io/category: Istio
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.8.4
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/subject: VirtualService
+ policies.kyverno.io/description: >-
+ Virtual Services optionally accept a wildcard as an alternative
+ to precise matching. In some cases, this may be too permissive as it
+ would direct unintended traffic to the given resource. This
+ policy enforces that any Virtual Service host does not contain a wildcard
+ character and allows for more governance when a single mesh deployment
+ model is used.
+spec:
+ validationFailureAction: "enforce"
+ background: true
+ rules:
+ - name: "block-virtual-service-wildcard"
+ match:
+ any:
+ - resources:
+ kinds:
+ - "VirtualService"
+ validate:
+ message: "Only VirtualService objects for the correct domain are allowed."
+ foreach:
+ - list: "request.object.spec.hosts"
+ deny:
+ conditions:
+ any:
+ - key: "{{element}}"
+ operator: NotEquals
+ value: "*.ez.soeren.cloud"
diff --git a/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml
index 6a5f9391..c668a581 100644
--- a/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml
+++ b/apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml
@@ -19,7 +19,7 @@ metadata:
 character and allows for more governance when a single mesh deployment
 model is used.
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: "enforce"
 background: true
 rules:
 - name: block-virtual-service-wildcard
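Review bot: The annotations on the new `restrict-virtual-service-domain` policy are copied from the no-wildcards policy and describe a different rule: the title `Restrict Virtual Service Host with Wildcards` and the description about rejecting wildcard hosts do not match a deny condition that rejects any entry of `spec.hosts` not matching `*.ez.soeren.cloud`. Suggest `policies.kyverno.io/title: Restrict Virtual Service Hosts to the Cluster Domain` and a description stating that every host must fall under the cluster's ingress domain and that the domain value is replaced per cluster by a kustomize patch. The check also depends on Kyverno treating the `*` in the `NotEquals` value as a glob; if this Kyverno version compared it literally, the only accepted host would be the string `*.ez.soeren.cloud`, which the sibling no-wildcards policy rejects, so every VirtualService would be denied — worth confirming with a sample VirtualService in audit mode before this runs in enforce, and worth a one-line comment on the condition, `# "*" is a Kyverno wildcard: any host ending in .ez.soeren.cloud passes`. Since `background: true` and the action is enforce, a VirtualService without `spec.hosts` (Istio delegates) should be tried as well, as I am not sure how `foreach` behaves on an absent list.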
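Review bot: `validationFailureAction: "enforce"` replaces `Enforce`, which is the capitalised form Kyverno documents; as far as I recall the lowercase values are accepted for compatibility but deprecated, so this moves the policy onto a spelling that a later Kyverno upgrade may reject. The same change is made in cp-require-labels.yaml, cp-require-pod-requests-limits.yaml and cp-require-ro-rootfs.yaml, and the new cp-istio-virtualservice-correct-domain.yaml uses the lowercase value too. If the aim was to quote the scalar, `validationFailureAction: "Enforce"` does that without changing the value.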
diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml
index b4c5905a..81162124 100644
--- a/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml
+++ b/apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml
@@ -15,7 +15,7 @@ metadata:
 all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: "enforce"
 background: true
 rules:
 - name: check-for-labels
diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml
index 83c518de..9f52cd58 100644
--- a/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml
+++ b/apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml
@@ -17,7 +17,7 @@ metadata:
 This policy validates that all containers have something specified for memory and CPU requests and memory limits.
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: "enforce"
 background: true
 rules:
 - name: validate-resources
diff --git a/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml b/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml
index cc892422..6da191ce 100644
--- a/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml
+++ b/apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml
@@ -16,7 +16,7 @@ metadata:
 host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`.
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: "enforce"
 background: true
 rules:
 - name: validate-readOnlyRootFilesystem
diff --git a/apps/kyverno/components/default-clusterpolicies/kustomization.yaml b/apps/kyverno/components/default-clusterpolicies/kustomization.yaml
index e9f7cfb4..31953c41 100644
--- a/apps/kyverno/components/default-clusterpolicies/kustomization.yaml
+++ b/apps/kyverno/components/default-clusterpolicies/kustomization.yaml
@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
+ - cp-istio-virtualservice-correct-domain.yaml
 - cp-istio-virtualservice-nowildcards.yaml
 - cp-require-labels.yaml
 - cp-require-pod-requests-limits.yaml
diff --git a/apps/kyverno/helm-fan-out.sh b/apps/kyverno/helm-fan-out.sh
deleted file mode 100755
index c98224d9..00000000
--- a/apps/kyverno/helm-fan-out.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-# Based on https://github.com/helm/helm/issues/4680#issuecomment-613201032
-#
-# helm-fan-out
-
-if [ -z "$1" ]; then
- echo "Please provide an output directory"
- exit 1
-fi
-
-awk -vout="$1" -F": " '
- $0~/^# Source: / {
- file=out"/"$2;
- if (!(file in filemap)) {
- filemap[file] = 1
- print "Creating "file;
- system ("mkdir -p $(dirname "file")");
- print "---" >> file;
- }
- }
- $0!~/^# Source: / {
- if ($0!~/^---$/) {
- if (file) {
- print $0 >> file;
- }
- }
- }'
diff --git a/apps/kyverno/kustomization.yaml b/apps/kyverno/kustomization.yaml
index 0129cb3f..59338f4b 100644
--- a/apps/kyverno/kustomization.yaml
+++ b/apps/kyverno/kustomization.yaml
@@ -1,3 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+resources:
+ - repo.yaml
+ - release.yaml
diff --git a/apps/kyverno/release.yaml b/apps/kyverno/release.yaml
new file mode 100644
index 00000000..641cc2d7
--- /dev/null
+++ b/apps/kyverno/release.yaml
@@ -0,0 +1,17 @@
+apiVersion: "helm.toolkit.fluxcd.io/v2"
+kind: "HelmRelease"
+metadata:
+ name: "kyverno"
+spec:
+ releaseName: "kyverno"
+ chart:
+ spec:
+ chart: "kyverno"
+ version: "2.6.0"
+ sourceRef:
+ kind: "HelmRepository"
+ name: "kyverno"
+ interval: "1h"
+ install:
+ remediation:
+ retries: 3
diff --git a/apps/kyverno/repo.yaml b/apps/kyverno/repo.yaml
new file mode 100644
index 00000000..669d20b6
--- /dev/null
+++ b/apps/kyverno/repo.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: kyverno
+spec:
+ interval: 1h
+ url: "https://kyverno.github.io/kyverno/"
diff --git a/clusters/svc.pt.soeren.cloud/kyverno/kustomization.yaml b/clusters/svc.pt.soeren.cloud/kyverno/kustomization.yaml
new file mode 100644
index 00000000..0781c2b8
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/kyverno/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "kyverno"
+resources:
+ - "namespace.yaml"
+ - "../../../apps/kyverno"
+components:
+ - "../../../apps/kyverno/components/default-clusterpolicies"
+patches:
+ - target:
+ kind: ClusterPolicy
+ name: restrict-virtual-service-domain
+ patch: |
+ - op: replace
+ path: /spec/rules/0/validate/foreach/0/deny/conditions/any/0/value
+ value: "*.pt.soeren.cloud"
diff --git a/clusters/svc.pt.soeren.cloud/kyverno/namespace.yaml b/clusters/svc.pt.soeren.cloud/kyverno/namespace.yaml
new file mode 100644
index 00000000..91a0ce81
--- /dev/null
+++ b/clusters/svc.pt.soeren.cloud/kyverno/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+ name: "kyverno"
+ labels:
+ name: "kyverno"
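Review bot: The new HelmRelease pins chart `2.6.0` and configures only `install.remediation`; there is no `upgrade:` section, so on chart upgrades Flux falls back to its defaults, which as far as I recall means `upgrade.crds: Skip` — Kyverno's CRDs (ClusterPolicy and friends) would not be updated together with the controller that validates them. Suggest `install: {crds: CreateReplace, remediation: {retries: 3}}` and `upgrade: {crds: CreateReplace, remediation: {retries: 3}}` in block style. Chart `2.6.0` is consistent with the `kyverno.io/kyverno-version: 1.8.4` annotation in the new policy, but for the admission controller that is the enforcement point of these policies it is worth confirming that this release line is still maintained. With the indentation lost in this rendering I cannot tell whether `interval: "1h"` sits under `spec` or under `spec.chart.spec`; `spec.interval` is required by the HelmRelease schema, so please check it is at the top level.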
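Review bot: The JSON patch in the cluster kustomization addresses the domain by position, `path: /spec/rules/0/validate/foreach/0/deny/conditions/any/0/value`; adding a rule or a second condition to the base policy later would make this patch silently rewrite a different field, or fail the build, with nothing pointing at the domain override. Suggest a comment above the patch, `# positional: must track the single deny condition in cp-istio-virtualservice-correct-domain.yaml`, and, longer term, reading the domain from a per-cluster ConfigMap through a Kyverno `context` entry so the base policy does not carry one cluster's domain as its default. Separately, `namespace: "kyverno"` is applied by kustomize to every resource it does not know to be cluster-scoped, and it has no schema for the Kyverno CRDs, so please check the rendered output to confirm the ClusterPolicy objects do not pick up a `metadata.namespace`.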