kyverno: add initial implementation

Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
This commit is contained in:
Boris 'B' Kurktchiev 2024-09-23 14:45:51 -04:00
parent 148f518526
commit 95eea40b64
No known key found for this signature in database
9 changed files with 295 additions and 0 deletions


@ -0,0 +1,19 @@
# Kyverno Stack
Implementation of Kyverno for CNOE
## Components
The Stack installs `Kyverno` and `Kyverno Pod Security Policies - Restricted` implementation. By default users should use:
- `kyverno-pss-policies-audit.yaml` - for testing and understanding of the impact
- `kyverno-pss-policies-enforce.yaml` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for.
- If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability:
- [ArgoCD](exceptions/argocd.yaml)
- [Crossplane](exceptions/crossplane.yaml)
- [Backstage](exceptions/backstage.yaml)
- [Ingress-Nginx](exceptions/ingress-nginx.yaml)
- [Kind cluster](exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
*NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform.
## Installation


@ -0,0 +1,35 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: argocd-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- argocd
names:
# TODO: this should be more targeted than blanket *
- argocd-*
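Review bot: The `argocd-*` glob on the last line, acknowledged by the TODO above it, makes this exception apply to every Pod, Deployment and ReplicaSet with that name prefix in the `argocd` namespace, and the file records nothing about which workload needs each of the four exempted policies. A one-line comment above each `policyName` entry naming the component that fails that rule (the actual reason has to come from an Audit run, so something like `# needed by <component>: <finding> — TODO confirm`) keeps every exemption reviewable and removable once the upstream chart no longer needs it. The same applies to the backstage and crossplane exceptions in this commit; there the globs `backstage*` and `crossplane*` also lack the `-` separator that `argocd-*`, `ess-plugin-*` and `upbound-provider-*` use, so they match any name that merely starts with the word.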


@ -0,0 +1,35 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: backstage-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- backstage
names:
# TODO: this should be more targeted than blanket *
- backstage*


@ -0,0 +1,37 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: crossplane-system-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- crossplane-system
names:
# TODO: this should be more targeted than blanket *
- crossplane*
- ess-plugin-*
- upbound-provider-*


@ -0,0 +1,22 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: ingress-nginx-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-host-ports
ruleNames:
- host-ports-none
- autogen-host-ports-none
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
namespaces:
- ingress-nginx
names:
- ingress-nginx*
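Review bot: The `disallow-host-ports` exemption has no comment explaining which workload binds host ports, unlike the other exception files in this commit, which at least carry a TODO on their `names` entry. A note above the `policyName` line such as `# ingress-nginx controller publishes hostPorts; re-check after chart upgrades that no other rule is needed` ties the exemption to its reason. Because the match includes bare `Pod`, any Pod whose name starts with `ingress-nginx` in that namespace, including job-created pods, inherits the exemption; that is presumably acceptable here since only the host-ports rule is exempted.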


@ -0,0 +1,66 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: system-cnoe-operation
namespace: kyverno
spec:
exceptions:
- policyName: disallow-host-path
ruleNames:
- host-path
- autogen-host-path
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
- autogen-privilege-escalation
- policyName: disallow-privileged-containers
ruleNames:
- privileged-containers
- autogen-privileged-containers
- policyName: disallow-capabilities-strict
ruleNames:
- require-drop-all
- autogen-require-drop-all
- adding-capabilities-strict
- autogen-adding-capabilities-strict
- adding-capabilities
- autogen-adding-capabilities
- policyName: disallow-capabilities
ruleNames:
- adding-capabilities
- autogen-adding-capabilities
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
- policyName: restrict-volume-types
ruleNames:
- restricted-volumes
- autogen-restricted-volumes
- policyName: disallow-host-namespaces
ruleNames:
- host-namespaces
- autogen-host-namespaces
match:
any:
- resources:
kinds:
- Pod
- Deployment
- ReplicaSet
- StatefulSet
- DaemonSet
namespaces:
- kube-system
- local-path-storage
names:
# TODO: this should be more targeted than blanket *
- kube-*
- kindnet*
- local-path*
- coredns*
- etcd-*
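Review bot: The `match` block applies every name glob to both namespaces, so a Pod named `kube-<anything>` in `local-path-storage`, or `local-path<anything>` in `kube-system`, is exempt from all nine policies listed above, including `disallow-privileged-containers`, `disallow-host-namespaces` and `disallow-host-path`. Splitting `any` into one `resources` entry per namespace with its own `names` list narrows the exception without changing which rules are exempted; the assignment below (`local-path*` to `local-path-storage`, the others to `kube-system`) follows where those components usually run and should be confirmed against the cluster before merging. Separately, the Kyverno chart as shipped excludes `kube-system` through its default resource filters and webhook namespace selector (worth confirming for 3.2.6); if that default is kept, the `kube-system` half of this exception is never consulted, and if it was deliberately removed, a comment in this file should say so.
```yaml
  # … unchanged: exceptions list …
  match:
    any:
      - resources:
          kinds:
            - Pod
            - Deployment
            - ReplicaSet
            - StatefulSet
            - DaemonSet
          namespaces:
            - kube-system
          names:
            # TODO: this should be more targeted than blanket *
            - kube-*
            - kindnet*
            - coredns*
            - etcd-*
      - resources:
          kinds:
            - Pod
            - Deployment
            - ReplicaSet
            - StatefulSet
            - DaemonSet
          namespaces:
            - local-path-storage
          names:
            - local-path*
```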


@ -0,0 +1,24 @@
kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
name: kyverno-pss-policies-audit
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/nirmata/kyverno-policies
targetRevision: HEAD
path: pod-security/restricted
destination:
server: "https://kubernetes.default.svc"
syncPolicy:
syncOptions:
- Replace=true
automated:
selfHeal: true
retry:
limit: 30
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s
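Review bot: `targetRevision: HEAD` on the third-party `nirmata/kyverno-policies` repository, combined with `automated.selfHeal: true`, means the policy set that defines this cluster's admission controls changes whenever that repository's default branch moves, with no review step in this repository and no way to reproduce a given cluster state. Pin `targetRevision` to a tag or commit SHA of that repository and bump it deliberately, e.g. `targetRevision: <pinned-tag-or-sha>` (placeholder). The enforce Application in this commit has the same setting and should be pinned to the same revision so that the Audit and Enforce stages evaluate an identical policy set.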


@ -0,0 +1,24 @@
kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
name: kyverno-pss-policies-enforce
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/nirmata/kyverno-policies
targetRevision: HEAD
path: pod-security/enforce
destination:
server: "https://kubernetes.default.svc"
syncPolicy:
syncOptions:
- Replace=true
automated:
selfHeal: true
retry:
limit: 30
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s


@ -0,0 +1,33 @@
kind: Application
apiVersion: argoproj.io/v1alpha1
metadata:
name: kyverno
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
chart: kyverno
repoURL: https://kyverno.github.io/kyverno/
targetRevision: 3.2.6
helm:
releaseName: kyverno
valuesObject:
kyverno.fullname: kyverno
destination:
server: "https://kubernetes.default.svc"
namespace: kyverno
syncPolicy:
syncOptions:
- Replace=true
- CreateNamespace=true
automated:
selfHeal: true
prune: true
retry:
limit: 30
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s
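Review bot: The `valuesObject` entry `kyverno.fullname: kyverno` is a single literal key containing a dot, not a nested `kyverno: fullname:` value, and I know of no chart value by that name, so it most likely has no effect; the chart exposes `fullnameOverride` for this purpose, so `fullnameOverride: kyverno` is probably what was intended, to be confirmed against the 3.2.6 values file. Nothing in this Application pins where PolicyExceptions are accepted from, yet all five exceptions in this commit are placed in the `kyverno` namespace; if I recall the chart values correctly, `features.policyExceptions.namespace` should be set to `kyverno` explicitly so that an exception created in a workload namespace cannot bypass the policies, and a comment here should record that the exceptions directory depends on that setting.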