From 25eff374e36c1401412d64ca76b926be83443d62 Mon Sep 17 00:00:00 2001 From: Boris 'B' Kurktchiev Date: Mon, 23 Sep 2024 16:40:38 -0400 Subject: [PATCH] kyverno: rework how the Apps work so user can better choose to use Audit or Enforce mode Signed-off-by: Boris 'B' Kurktchiev --- kyverno-integration/README.md | 26 +++----- .../kyverno-pss-policies-enforce.yaml | 24 -------- .../audit}/kyverno-pss-policies-audit.yaml | 0 .../enforce}/exceptions/argocd.yaml | 0 .../enforce}/exceptions/backstage.yaml | 0 .../enforce}/exceptions/crossplane.yaml | 0 .../enforce}/exceptions/ingress-nginx.yaml | 0 .../enforce}/exceptions/kind.yaml | 0 .../enforce/kyverno-pss-policies-enforce.yaml | 61 +++++++++++++++++++ 9 files changed, 71 insertions(+), 40 deletions(-) delete mode 100644 kyverno-integration/manifests/kyverno-pss-policies-enforce.yaml rename kyverno-integration/{manifests => modules/audit}/kyverno-pss-policies-audit.yaml (100%) rename kyverno-integration/{manifests => modules/enforce}/exceptions/argocd.yaml (100%) rename kyverno-integration/{manifests => modules/enforce}/exceptions/backstage.yaml (100%) rename kyverno-integration/{manifests => modules/enforce}/exceptions/crossplane.yaml (100%) rename kyverno-integration/{manifests => modules/enforce}/exceptions/ingress-nginx.yaml (100%) rename kyverno-integration/{manifests => modules/enforce}/exceptions/kind.yaml (100%) create mode 100644 kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml diff --git a/kyverno-integration/README.md b/kyverno-integration/README.md index 43ae1c3..a74344e 100644 --- a/kyverno-integration/README.md +++ b/kyverno-integration/README.md 
@@ -8,11 +8,11 @@ The Stack installs `Kyverno` and `Kyverno Pod Security Policies - Restricted` im - `kyverno-pss-policies-audit.yaml` - for testing and understanding of the impact - `kyverno-pss-policies-enforce.yaml` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for. - If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability: - - [ArgoCD](exceptions/argocd.yaml) - - [Crossplane](exceptions/crossplane.yaml) - - [Backstage](exceptions/backstage.yaml) - - [Ingress-Nginx](exceptions/ingress-nginx.yaml) - - [Kind cluster](exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation + - [ArgoCD](modules/enforce/exceptions/argocd.yaml) + - [Crossplane](modules/enforce/exceptions/crossplane.yaml) + - [Backstage](modules/enforce/exceptions/backstage.yaml) + - [Ingress-Nginx](modules/enforce/exceptions/ingress-nginx.yaml) + - [Kind cluster](modules/enforce/exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation *NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform. 
@@ -26,27 +26,21 @@ idpbuilder create --use-path-routing \ -p https://github.com/cnoe-io/stacks//kyverno-integration ``` -Depending on your use case, install the Kubernetes PSS Policies, implemented in Kyverno as follows: +Depending on your use case, install the Kubernetes PSS Policies in `Audit`, implemented in Kyverno as follows: ```bash -git clone https://github.com/cnoe-io/stacks.git -cd stacks - idpbuilder create --use-path-routing \ -p https://github.com/cnoe-io/stacks//ref-implementation -p https://github.com/cnoe-io/stacks//kyverno-integration - -p kyverno-integration/manifests/kyverno-pss-policies-audit.yaml + -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/audit ``` -If you would like to change to `Enforce` mode, replace with `-p kyverno-integration/manifests/kyverno-pss-policies-audit.yaml` and add the provided exceptions to the installation. +If you would like to change to `Enforce` mode: ```bash -git clone https://github.com/cnoe-io/stacks.git -cd stacks - idpbuilder create --use-path-routing \ -p https://github.com/cnoe-io/stacks//ref-implementation -p https://github.com/cnoe-io/stacks//kyverno-integration - -p kyverno-integration/manifests/kyverno-pss-policies-enforce.yaml - -p kyverno-integration/manifests/exceptions + -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/enforce ``` + diff --git a/kyverno-integration/manifests/kyverno-pss-policies-enforce.yaml b/kyverno-integration/manifests/kyverno-pss-policies-enforce.yaml deleted file mode 100644 index e0fe7bb..0000000 --- a/kyverno-integration/manifests/kyverno-pss-policies-enforce.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-kind: Application
-apiVersion: argoproj.io/v1alpha1
-metadata:
- name: kyverno-pss-policies-enforce
- namespace: argocd
-spec:
- project: default
- source:
- repoURL: https://github.com/nirmata/kyverno-policies
- targetRevision: HEAD
- path: pod-security/enforce
- destination:
- server: "https://kubernetes.default.svc"
- syncPolicy:
- syncOptions:
- - Replace=true
- automated:
- selfHeal: true
- retry:
- limit: 30
- backoff:
- duration: 5s
- factor: 2
- maxDuration: 3m0s
diff --git a/kyverno-integration/manifests/kyverno-pss-policies-audit.yaml b/kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
similarity index 100%
rename from kyverno-integration/manifests/kyverno-pss-policies-audit.yaml
rename to kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
diff --git a/kyverno-integration/manifests/exceptions/argocd.yaml b/kyverno-integration/modules/enforce/exceptions/argocd.yaml
similarity index 100%
rename from kyverno-integration/manifests/exceptions/argocd.yaml
rename to kyverno-integration/modules/enforce/exceptions/argocd.yaml
diff --git a/kyverno-integration/manifests/exceptions/backstage.yaml b/kyverno-integration/modules/enforce/exceptions/backstage.yaml
similarity index 100%
rename from kyverno-integration/manifests/exceptions/backstage.yaml
rename to kyverno-integration/modules/enforce/exceptions/backstage.yaml
diff --git a/kyverno-integration/manifests/exceptions/crossplane.yaml b/kyverno-integration/modules/enforce/exceptions/crossplane.yaml
similarity index 100%
rename from kyverno-integration/manifests/exceptions/crossplane.yaml
rename to kyverno-integration/modules/enforce/exceptions/crossplane.yaml
diff --git a/kyverno-integration/manifests/exceptions/ingress-nginx.yaml b/kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml
similarity index 100%
rename from kyverno-integration/manifests/exceptions/ingress-nginx.yaml
rename to kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml
diff --git a/kyverno-integration/manifests/exceptions/kind.yaml b/kyverno-integration/modules/enforce/exceptions/kind.yaml
similarity index 100%
rename from kyverno-integration/manifests/exceptions/kind.yaml
rename to kyverno-integration/modules/enforce/exceptions/kind.yaml
diff --git a/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml b/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml
new file mode 100644
index 0000000..5a0f058
--- /dev/null
+++ b/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml
@@ -0,0 +1,61 @@
+---
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+ name: kyverno-pss-policies-enforce
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/kyverno/kyverno
+ targetRevision: 3.2.5
+ path: charts/kyverno-policies
+ helm:
+ releaseName: "kyverno-policies"
+ parameters:
+ - name: "podSecurityStandard"
+ value: restricted
+ - name: "validationFailureAction"
+ value: Enforce
+ - name: "podSecuritySeverity"
+ value: High
+ destination:
+ server: "https://kubernetes.default.svc"
+ syncPolicy:
+ syncOptions:
+ - Replace=true
+ automated:
+ selfHeal: true
+ retry:
+ limit: 30
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m0s
+---
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+ name: kyverno-pss-policies-enforce-exceptions
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: cnoe://exceptions
+ targetRevision: HEAD
+ path: "."
+ directory:
+ recurse: true
+ destination:
+ server: "https://kubernetes.default.svc"
+ syncPolicy:
+ syncOptions:
+ - Replace=true
+ automated:
+ selfHeal: true
+ retry:
+ limit: 30
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m0s
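Review bot: The `kyverno-pss-policies-enforce-exceptions` Application syncs `cnoe://exceptions` with `directory.recurse: true`, so every manifest under `modules/enforce/exceptions/` — including `kind.yaml`, which the README says is mainly needed when testing on `kind` — becomes a standing exemption on any cluster that turns on Enforce; moving the kind exception out of the recursed directory (or documenting that it should be removed on non-kind clusters) would keep production clusters from carrying a bypass they do not need. Argo CD syncs the two Applications independently, so the `Enforce` ClusterPolicies can be admitted before the PolicyExceptions exist and reject restarts of ArgoCD, Backstage and the other excepted components during that window; a one-line comment above the second Application, `# PolicyExceptions sync independently of the policies above; expect a brief window where excepted workloads are still blocked`, would make that visible. Whether these PolicyExceptions are honoured at all depends on the Kyverno install's `--enablePolicyExceptions` / `--exceptionNamespace` settings, which are not in this diff, so it is worth confirming they cover the namespaces the exception files use. Also worth confirming that `targetRevision: 3.2.5` resolves as a ref in kyverno/kyverno — chart releases there are tagged `kyverno-policies-<version>`, if I recall correctly.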