From 80e1e75061584c184595e785ff649b61091f3bd5 Mon Sep 17 00:00:00 2001
From: Ashok Siyani
Date: Mon, 18 Nov 2024 14:38:13 +0000
Subject: [PATCH] add inject-vault-credentials-agent-aws-gcp-key rule
---
 kyverno/policies/pods/injectSidecar.yaml | 119 +++++++++++++++++++++++
 1 file changed, 119 insertions(+)
diff --git a/kyverno/policies/pods/injectSidecar.yaml b/kyverno/policies/pods/injectSidecar.yaml
index f0e4b82b..fd06e3d4 100644
--- a/kyverno/policies/pods/injectSidecar.yaml
+++ b/kyverno/policies/pods/injectSidecar.yaml
@@ -460,6 +460,125 @@ spec:
 - name: vault-tls
 configMap:
 name: vault-tls
+ - name: inject-vault-credentials-agent-aws-gcp-key
+ context:
+ - name: POD_NAMESPACE
+ variable:
+ jmesPath: request.object.metadata.namespace
+ - name: POD_SERVICE_ACCOUNT
+ variable:
+ jmesPath: request.object.spec.serviceAccountName
+ match:
+ any:
+ - resources:
+ annotations:
+ uw.systems/kyverno-inject-sidecar-request: "vault-sidecar-aws-gcp-key"
+ kinds:
+ - Pod
+ operations:
+ - CREATE
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ uw.systems/kyverno-inject-sidecar-status: "injected"
+ spec:
+ initContainers:
+ - name: vault-credentials-agent-aws
+ image: quay.io/utilitywarehouse/vault-kube-cloud-credentials:v0.9.1
+ restartPolicy: Always
+ startupProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - |
+ while ! nc -w 1 127.0.0.1 8098; do sleep 1; done
+ args:
+ - sidecar
+ - -vault-role={{ VKAC_ENVIRONMENT }}_aws_{{ POD_NAMESPACE }}_{{ POD_SERVICE_ACCOUNT }}
+ env:
+ - name: VAULT_CACERT
+ value: "/etc/tls/ca.crt"
+ - name: VAULT_ADDR
+ value: "https://vault.sys-vault:8200"
+ ports:
+ - name: metrics
+ containerPort: 8099
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 0m
+ memory: 25Mi
+ limits:
+ cpu: 1000m
+ memory: 100Mi
+ volumeMounts:
+ - name: vault-tls
+ mountPath: /etc/tls
+ - name: vault-credentials-agent-gcp
+ image: quay.io/utilitywarehouse/vault-kube-cloud-credentials:v0.9.1
+ restartPolicy: Always
+ startupProbe:
+ exec:
+ command:
+ - test
+ - -e
+ - /gcp/sa.json
+ failureThreshold: 5
+ periodSeconds: 15
+ args:
+ - sidecar
+ - -vault-static-account={{ VKAC_ENVIRONMENT }}_gcp_{{ POD_NAMESPACE }}_{{ POD_SERVICE_ACCOUNT }}
+ - -secret-type=service_account_key
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/gcp/sa.json"
+ - name: VAULT_CACERT
+ value: "/etc/tls/ca.crt"
+ - name: VAULT_ADDR
+ value: "https://vault.sys-vault:8200"
+ ports:
+ - name: metrics
+ containerPort: 8099
+ protocol: TCP
+ resources:
+ requests:
+ cpu: 0m
+ memory: 25Mi
+ limits:
+ cpu: 1000m
+ memory: 100Mi
+ volumeMounts:
+ - name: gcp
+ mountPath: /gcp
+ - name: vault-tls
+ mountPath: /etc/tls
+ - (name): "*"
+ env:
+ - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
+ value: "http://127.0.0.1:8098/credentials"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/gcp/sa.json"
+ volumeMounts:
+ - name: gcp
+ mountPath: /gcp
+ containers:
+ - (name): "*"
+ env:
+ - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
+ value: "http://127.0.0.1:8098/credentials"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/gcp/sa.json"
+ volumeMounts:
+ - name: gcp
+ mountPath: /gcp
+ volumes:
+ - name: gcp
+ emptyDir: {}
+ - name: vault-tls
+ configMap:
+ name: vault-tls
 - name: inject-vault-init-container-aws
 context:
 - name: POD_NAMESPACE
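Review bot: Both injected init containers, `vault-credentials-agent-aws` and `vault-credentials-agent-gcp`, declare the same named port `metrics` on `containerPort: 8099`; Kubernetes requires named ports to be unique within a pod, so the mutated pod risks rejection at admission, and even if admitted two agents binding the same port in one network namespace would collide (assuming the agent's metrics server actually listens on the declared port, which is not visible here). Give the gcp agent its own port, e.g. `- name: metrics-gcp` / `containerPort: 8100`, and point that agent's metrics listener at it with whatever option the binary provides. Separately, the GCP service-account key is written to a disk-backed `emptyDir: {}` and mounted writable into every application container; `emptyDir: { medium: Memory }` keeps `sa.json` off the node's disk, and `readOnly: true` on the `/gcp` (and `/etc/tls`) mounts under `(name): "*"` stops an app container from replacing the key. The enclosing `rules:` list of this policy begins before the hunk.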