Stack: Kyverno (#38)

Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
Boris 'B' Kurktchiev 2024-10-02 09:40:04 -04:00 committed by GitHub
parent 148f518526
commit 2b12c4d710
10 changed files with 363 additions and 0 deletions


@ -0,0 +1,46 @@
# Kyverno Stack
Implementation of Kyverno for CNOE
## Components
The Stack installs `Kyverno` and optionally `Kyverno Pod Security Policies - Restricted` implementation. By default users should use:
- `module/audit` - for testing and understanding of the impact
- `module/enforce` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for.
- If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability:
- [ArgoCD](modules/enforce/exceptions/argocd.yaml)
- [Crossplane](modules/enforce/exceptions/crossplane.yaml)
- [Backstage](modules/enforce/exceptions/backstage.yaml)
- [Ingress-Nginx](modules/enforce/exceptions/ingress-nginx.yaml)
- [Kind cluster](modules/enforce/exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
*NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues for NEW workloads, already existing workloads will not be affected immediately, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform.
## Installation
You can use and test out this stack without using any policies, using the `ref-implementation` as follows:
```bash
idpbuilder create --use-path-routing \
-p https://github.com/cnoe-io/stacks//ref-implementation \
-p https://github.com/cnoe-io/stacks//kyverno-integration
```
Depending on your use case, install the Kubernetes PSS Policies in `Audit`, implemented in Kyverno as follows:
```bash
idpbuilder create --use-path-routing \
-p https://github.com/cnoe-io/stacks//ref-implementation \
-p https://github.com/cnoe-io/stacks//kyverno-integration \
-p https://github.com/cnoe-io/stacks//kyverno-integration/modules/audit
```
If you would like to change to `Enforce` mode:
```bash
idpbuilder create --use-path-routing \
-p https://github.com/cnoe-io/stacks//ref-implementation \
-p https://github.com/cnoe-io/stacks//kyverno-integration \
-p https://github.com/cnoe-io/stacks//kyverno-integration/modules/enforce
```


@ -0,0 +1,31 @@
kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
name: kyverno
namespace: argocd
spec:
project: default
source:
chart: kyverno
repoURL: https://kyverno.github.io/kyverno/
targetRevision: 3.2.7
helm:
releaseName: kyverno
valuesObject:
kyverno.fullname: kyverno
destination:
server: "https://kubernetes.default.svc"
namespace: kyverno
syncPolicy:
syncOptions:
- Replace=true
- CreateNamespace=true
automated:
selfHeal: true
prune: true
retry:
limit: 30
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s
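Review bot: `kyverno.fullname: kyverno` under `helm.valuesObject` looks like the chart's template helper name rather than a values key; as a literal dotted key in a values map it is most likely ignored by the chart, so the release would keep its default resource naming. If the intent is to fix the name prefix, the Helm-conventional key is `fullnameOverride: kyverno` — confirm against the chart's values.yaml for the pinned 3.2.7 release before changing it.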


@ -0,0 +1,33 @@
kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
name: kyverno-pss-policies-audit
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/kyverno/kyverno
targetRevision: 3.2.7
path: charts/kyverno-policies
helm:
releaseName: "kyverno-policies"
parameters:
- name: "podSecurityStandard"
value: restricted
- name: "validationFailureAction"
value: Audit
- name: "podSecuritySeverity"
value: High
destination:
server: "https://kubernetes.default.svc"
syncPolicy:
syncOptions:
- Replace=true
automated:
selfHeal: true
retry:
limit: 30
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s
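Review bot: `targetRevision: 3.2.7` is applied to a git source (`repoURL: https://github.com/kyverno/kyverno`, `path: charts/kyverno-policies`), so it must resolve to a branch, tag or commit in that repository; `3.2.7` is the chart version from the Helm index and does not necessarily exist as a git ref, in which case this Application never syncs. Confirm the ref, or use the tag the chart release was cut from (`targetRevision: <git-ref-for-kyverno-policies-3.2.7>` as a placeholder). Whatever ref is chosen, the enforce-mode Application in this commit should use the same one so audit results actually predict enforce behaviour.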


@ -0,0 +1,35 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: argocd-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- argocd
names:
# TODO: this should be more targeted than blanket *
- argocd-*
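Review bot: The `kinds` list (Pod, Deployment, ReplicaSet) omits StatefulSet, while Argo CD's application controller runs as a StatefulSet in the upstream default install; if the ref-implementation keeps that, the autogen rules evaluated on the StatefulSet object itself still fail in Enforce mode because only its Pods are exempted, so `- StatefulSet` should be added under `kinds` once confirmed against the ref-implementation manifests. This exception, the Backstage one and the Crossplane one exempt the identical four policies (privilege escalation, capabilities-strict, run-as-nonroot, seccomp-strict), which reads like a copied template rather than a per-component measurement; a one-line comment per `policyName` naming the container that actually violates it would let each set be narrowed later. The TODO also says "blanket *" although the pattern here is already `argocd-*`, so the comment should state what the remaining concern is.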


@ -0,0 +1,35 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: backstage-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- backstage
names:
# TODO: this should be more targeted than blanket *
- backstage*


@ -0,0 +1,36 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: crossplane-system-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- crossplane-system
names:
# TODO: this should be more targeted than blanket *
- crossplane*
- upbound-provider-*


@ -0,0 +1,22 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: ingress-nginx-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-host-ports
ruleNames:
- host-ports-none
- autogen-host-ports-none
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- ingress-nginx
names:
- ingress-nginx*


@ -0,0 +1,66 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: system-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-host-path
ruleNames:
- host-path
- autogen-host-path
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: disallow-privileged-containers
ruleNames:
- privileged-containers
- autogen-privileged-containers
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- adding-capabilities-strict
- autogen-adding-capabilities-strict
- adding-capabilities
- autogen-adding-capabilities
- policyName: disallow-capabilities
ruleNames:
- adding-capabilities
- autogen-adding-capabilities
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
- policyName: restrict-volume-types
ruleNames:
- restricted-volumes
- autogen-restricted-volumes
- policyName: disallow-host-namespaces
ruleNames:
- host-namespaces
- autogen-host-namespaces
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
- StatefulSet
- DaemonSet
namespaces:
- kube-system
- local-path-storage
names:
# TODO: this should be more targeted than blanket *
- kube-*
- kindnet*
- local-path*
- coredns*
- etcd-*
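Review bot: Under `policyName: disallow-capabilities-strict`, the entries `adding-capabilities` and `autogen-adding-capabilities` are the rule names of the separate `disallow-capabilities` policy listed just below, while the strict policy's own added-capabilities rule (`adding-capabilities-strict`) is already present; if those names do not exist in the strict policy Kyverno ignores them, but either way they obscure which rules are actually exempted, so `- adding-capabilities` and `- autogen-adding-capabilities` should be removed from the strict block. Separately, this exception lifts the privileged-container, host-path and host-namespace checks for anything matching `kube-*`, `kindnet*`, `local-path*`, `coredns*` or `etcd-*` in `kube-system` and `local-path-storage`; the inline TODO acknowledges the breadth, and a comment per `policyName` recording which of these components needs it would make the planned narrowing tractable.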


@ -0,0 +1,26 @@
kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
name: kyverno-pss-policies-enforce-exceptions
namespace: argocd
spec:
project: default
source:
repoURL: cnoe://exceptions
targetRevision: HEAD
path: "."
directory:
recurse: true
destination:
server: "https://kubernetes.default.svc"
syncPolicy:
syncOptions:
- Replace=true
automated:
selfHeal: true
retry:
limit: 30
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s
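Review bot: `syncPolicy.automated` sets `selfHeal: true` but not `prune: true`, so deleting an exception file from `cnoe://exceptions` leaves the PolicyException object on the cluster and the exemption silently stays in force — the opposite of what removing an exception is meant to achieve. The `kyverno` Application in this commit does set `prune: true`; adding `prune: true` under `automated:` here keeps the cluster's exemption set equal to what is in the repository. The same omission exists in the audit and enforce policy Applications, where it is less security-sensitive but still worth aligning.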


@ -0,0 +1,33 @@
kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
name: kyverno-pss-policies-enforce
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/kyverno/kyverno
targetRevision: HEAD
path: charts/kyverno-policies
helm:
releaseName: "kyverno-policies"
parameters:
- name: "podSecurityStandard"
value: restricted
- name: "validationFailureAction"
value: Enforce
- name: "podSecuritySeverity"
value: High
destination:
server: "https://kubernetes.default.svc"
syncPolicy:
syncOptions:
- Replace=true
automated:
selfHeal: true
retry:
limit: 30
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s
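Review bot: `targetRevision: HEAD` tracks the tip of the kyverno repository's default branch for the policies that actually block admission, whereas the audit Application pins `3.2.7`; with `selfHeal: true`, any upstream change to `charts/kyverno-policies` (renamed rules, new policies, changed defaults) lands in Enforce mode on the next sync without review, and a renamed rule would also silently detach the `ruleNames`-based PolicyExceptions added in this commit. Pin this to the same ref as the audit Application so audit findings predict enforce behaviour, e.g. `targetRevision: 3.2.7` once that ref is confirmed to exist in the git repository.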