Add reusable Kyverno CI workflow and fix CLI command

- Create kyverno-ci.yml reusable workflow for external repos
- Fix kyverno-validate.yml to use 'kyverno apply' (not 'validate')
- Update Kyverno CLI to v1.13.0
- Update ADR-0012 with reusable workflow documentation

Author: jguida941

.github/workflows/kyverno-ci.yml

@@ -0,0 +1,220 @@
+# ============================================================================
+# CI/CD Hub - Kyverno Policy CI (Reusable Workflow)
+# ============================================================================
+# Validates Kyverno policies for syntax and optionally tests them against
+# fixture resources. Use this in your repo to ensure policy quality.
+#
+# Usage in caller workflow:
+#   jobs:
+#     kyverno:
+#       uses: jguida941/ci-cd-hub/.github/workflows/kyverno-ci.yml@v1
+#       with:
+#         policies_dir: 'policies/kyverno'
+#         run_tests: true
+#
+# See also: docs/adr/0012-kyverno-policies.md
+# ============================================================================
+
+name: Kyverno CI
+
+on:
+  workflow_call:
+    inputs:
+      policies_dir:
+        description: 'Directory containing Kyverno policy YAML files'
+        type: string
+        default: 'policies/kyverno'
+      templates_dir:
+        description: 'Directory containing Kyverno policy templates'
+        type: string
+        default: 'templates/kyverno'
+      fixtures_dir:
+        description: 'Directory containing test fixture resources'
+        type: string
+        default: 'fixtures/kyverno'
+      run_tests:
+        description: 'Run policy tests against fixtures'
+        type: boolean
+        default: false
+      kyverno_version:
+        description: 'Kyverno CLI version'
+        type: string
+        default: 'v1.13.0'
+      fail_on_warn:
+        description: 'Fail if policies produce warnings'
+        type: boolean
+        default: false
+      workdir:
+        description: 'Working directory (for monorepos)'
+        type: string
+        default: '.'
+
+jobs:
+  validate:
+    name: Validate Kyverno Policies
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ inputs.workdir }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Kyverno CLI
+        run: |
+          set -euo pipefail
+          VERSION="${{ inputs.kyverno_version }}"
+          VERSION_NUM="${VERSION#v}"
+
+          echo "Installing Kyverno CLI ${VERSION}..."
+          curl -sLO "https://github.com/kyverno/kyverno/releases/download/${VERSION}/kyverno-cli_${VERSION_NUM}_linux_x86_64.tar.gz"
+          tar -xzf "kyverno-cli_${VERSION_NUM}_linux_x86_64.tar.gz"
+          sudo mv kyverno /usr/local/bin/
+          rm "kyverno-cli_${VERSION_NUM}_linux_x86_64.tar.gz"
+          kyverno version
+
+      - name: Validate policy syntax
+        id: validate
+        run: |
+          set -euo pipefail
+          echo "Validating Kyverno policies in ${{ inputs.policies_dir }}..."
+
+          FAILED=0
+          VALIDATED=0
+
+          # Check if policies directory exists
+          if [ ! -d "${{ inputs.policies_dir }}" ]; then
+            echo "::warning::Policies directory '${{ inputs.policies_dir }}' not found"
+            echo "validated=0" >> $GITHUB_OUTPUT
+            echo "failed=0" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # Validate all policy files using apply --dry-run with a minimal resource
+          for policy in ${{ inputs.policies_dir }}/*.yaml ${{ inputs.policies_dir }}/*.yml; do
+            if [ -f "$policy" ]; then
+              echo "Validating: $policy"
+              # Use apply with /dev/null as resource to validate policy syntax
+              if kyverno apply "$policy" --resource /dev/null 2>&1 | grep -v "no resource found"; then
+                echo "  OK"
+                VALIDATED=$((VALIDATED + 1))
+              else
+                # Check if it's a real error or just "no resource" message
+                OUTPUT=$(kyverno apply "$policy" --resource /dev/null 2>&1)
+                if echo "$OUTPUT" | grep -qi "error\|invalid\|failed"; then
+                  echo "  FAILED"
+                  echo "$OUTPUT"
+                  FAILED=$((FAILED + 1))
+                else
+                  echo "  OK (syntax valid)"
+                  VALIDATED=$((VALIDATED + 1))
+                fi
+              fi
+            fi
+          done
+
+          # Validate templates if directory exists
+          if [ -d "${{ inputs.templates_dir }}" ]; then
+            for template in ${{ inputs.templates_dir }}/*.yaml ${{ inputs.templates_dir }}/*.yml; do
+              if [ -f "$template" ]; then
+                echo "Validating template: $template"
+                OUTPUT=$(kyverno apply "$template" --resource /dev/null 2>&1 || true)
+                if echo "$OUTPUT" | grep -qi "error\|invalid\|failed"; then
+                  echo "  FAILED"
+                  echo "$OUTPUT"
+                  FAILED=$((FAILED + 1))
+                else
+                  echo "  OK (syntax valid)"
+                  VALIDATED=$((VALIDATED + 1))
+                fi
+              fi
+            done
+          fi
+
+          echo "validated=$VALIDATED" >> $GITHUB_OUTPUT
+          echo "failed=$FAILED" >> $GITHUB_OUTPUT
+
+          if [ "$FAILED" -gt 0 ]; then
+            echo "::error::$FAILED policy validation(s) failed"
+            exit 1
+          fi
+
+          echo "All $VALIDATED policies validated successfully"
+
+      - name: Test policies against fixtures
+        if: inputs.run_tests && inputs.fixtures_dir != ''
+        run: |
+          set -euo pipefail
+          echo "Testing policies against fixtures in ${{ inputs.fixtures_dir }}..."
+
+          if [ ! -d "${{ inputs.fixtures_dir }}" ]; then
+            echo "::warning::Fixtures directory '${{ inputs.fixtures_dir }}' not found, skipping tests"
+            exit 0
+          fi
+
+          # Apply each policy to each fixture
+          for policy in ${{ inputs.policies_dir }}/*.yaml ${{ inputs.policies_dir }}/*.yml; do
+            if [ -f "$policy" ]; then
+              POLICY_NAME=$(basename "$policy" .yaml)
+              echo ""
+              echo "=== Testing policy: $POLICY_NAME ==="
+
+              for fixture in ${{ inputs.fixtures_dir }}/*.yaml ${{ inputs.fixtures_dir }}/*.yml; do
+                if [ -f "$fixture" ]; then
+                  FIXTURE_NAME=$(basename "$fixture")
+                  echo -n "  vs $FIXTURE_NAME: "
+
+                  RESULT=$(kyverno apply "$policy" --resource "$fixture" 2>&1 || true)
+
+                  if echo "$RESULT" | grep -q "pass: 1"; then
+                    echo "PASS"
+                  elif echo "$RESULT" | grep -q "fail: 1"; then
+                    echo "FAIL (policy enforced)"
+                  elif echo "$RESULT" | grep -q "warn: 1"; then
+                    echo "WARN"
+                    if [ "${{ inputs.fail_on_warn }}" = "true" ]; then
+                      echo "::warning::Policy $POLICY_NAME warned on $FIXTURE_NAME"
+                    fi
+                  else
+                    echo "SKIP (not applicable)"
+                  fi
+                fi
+              done
+            fi
+          done
+
+      - name: Generate Summary
+        if: always()
+        run: |
+          cat >> $GITHUB_STEP_SUMMARY << EOF
+          # Kyverno Policy Validation
+
+          | Metric | Value |
+          |--------|-------|
+          | Policies Validated | ${{ steps.validate.outputs.validated || '0' }} |
+          | Validation Failures | ${{ steps.validate.outputs.failed || '0' }} |
+          | Tests Run | ${{ inputs.run_tests }} |
+
+          ## Policies Directory
+          \`${{ inputs.policies_dir }}\`
+
+          EOF
+
+          if [ -d "${{ inputs.policies_dir }}" ]; then
+            echo "| Policy | Status |" >> $GITHUB_STEP_SUMMARY
+            echo "|--------|--------|" >> $GITHUB_STEP_SUMMARY
+            for policy in ${{ inputs.policies_dir }}/*.yaml ${{ inputs.policies_dir }}/*.yml; do
+              if [ -f "$policy" ]; then
+                NAME=$(basename "$policy")
+                echo "| \`$NAME\` | Validated |" >> $GITHUB_STEP_SUMMARY
+              fi
+            done
+          fi
+
+          cat >> $GITHUB_STEP_SUMMARY << 'EOF'
+
+          ---
+
+          See [Kyverno Documentation](https://kyverno.io/docs/) for policy reference.
+          EOF

.github/workflows/kyverno-validate.yml

@@ -1,9 +1,11 @@
 # ============================================================================
-# Kyverno Policy Validation
+# Kyverno Policy Validation (Internal)
 # ============================================================================
-# Validates Kyverno policy syntax without requiring a Kubernetes cluster.
+# Validates Kyverno policy syntax for the hub's own policies.
 # Runs on changes to policy files to catch syntax errors early.
 #
+# For external repos, use the reusable kyverno-ci.yml workflow instead.
+#
 # See also: docs/adr/0012-kyverno-policies.md
 # ============================================================================
 
@@ -13,11 +15,15 @@ on:
   push:
     paths:
       - 'policies/kyverno/**/*.yaml'
+      - 'policies/kyverno/**/*.yml'
       - 'templates/kyverno/**/*.yaml'
+      - 'templates/kyverno/**/*.yml'
   pull_request:
     paths:
       - 'policies/kyverno/**/*.yaml'
+      - 'policies/kyverno/**/*.yml'
       - 'templates/kyverno/**/*.yaml'
+      - 'templates/kyverno/**/*.yml'
   workflow_dispatch:
 
 jobs:
@@ -30,69 +36,93 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install Kyverno CLI
+        env:
+          KYVERNO_VERSION: "v1.13.0"
         run: |
-          # Install Kyverno CLI for policy validation
-          curl -LO https://github.com/kyverno/kyverno/releases/download/v1.11.4/kyverno-cli_v1.11.4_linux_x86_64.tar.gz
-          tar -xzf kyverno-cli_v1.11.4_linux_x86_64.tar.gz
+          set -euo pipefail
+          VERSION_NUM="${KYVERNO_VERSION#v}"
+          echo "Installing Kyverno CLI ${KYVERNO_VERSION}..."
+          curl -sLO "https://github.com/kyverno/kyverno/releases/download/${KYVERNO_VERSION}/kyverno-cli_${VERSION_NUM}_linux_x86_64.tar.gz"
+          tar -xzf "kyverno-cli_${VERSION_NUM}_linux_x86_64.tar.gz"
           sudo mv kyverno /usr/local/bin/
+          rm "kyverno-cli_${VERSION_NUM}_linux_x86_64.tar.gz"
           kyverno version
 
       - name: Validate Policies
+        id: validate
         run: |
+          set -euo pipefail
           echo "Validating Kyverno policies..."
 
           FAILED=0
+          VALIDATED=0
 
           # Validate all policy files
-          for policy in policies/kyverno/*.yaml; do
+          for policy in policies/kyverno/*.yaml policies/kyverno/*.yml 2>/dev/null; do
             if [ -f "$policy" ]; then
               echo "Validating: $policy"
-              if kyverno validate "$policy" 2>&1; then
-                echo "  OK"
-              else
+              # Use apply with /dev/null - validates policy syntax
+              OUTPUT=$(kyverno apply "$policy" --resource /dev/null 2>&1 || true)
+              if echo "$OUTPUT" | grep -qi "error\|invalid"; then
                 echo "  FAILED"
+                echo "$OUTPUT"
                 FAILED=$((FAILED + 1))
+              else
+                echo "  OK"
+                VALIDATED=$((VALIDATED + 1))
               fi
             fi
           done
 
           # Validate template files if they exist
           if [ -d "templates/kyverno" ]; then
-            for template in templates/kyverno/*.yaml; do
+            for template in templates/kyverno/*.yaml templates/kyverno/*.yml 2>/dev/null; do
               if [ -f "$template" ]; then
                 echo "Validating template: $template"
-                if kyverno validate "$template" 2>&1; then
-                  echo "  OK"
-                else
+                OUTPUT=$(kyverno apply "$template" --resource /dev/null 2>&1 || true)
+                if echo "$OUTPUT" | grep -qi "error\|invalid"; then
                   echo "  FAILED"
+                  echo "$OUTPUT"
                   FAILED=$((FAILED + 1))
+                else
+                  echo "  OK"
+                  VALIDATED=$((VALIDATED + 1))
                 fi
               fi
             done
           fi
 
+          echo "validated=$VALIDATED" >> $GITHUB_OUTPUT
+          echo "failed=$FAILED" >> $GITHUB_OUTPUT
+
           if [ "$FAILED" -gt 0 ]; then
             echo "::error::$FAILED policy validation(s) failed"
             exit 1
           fi
 
-          echo "All policies validated successfully"
+          echo "All $VALIDATED policies validated successfully"
 
       - name: Generate Summary
         if: always()
         run: |
-          cat >> $GITHUB_STEP_SUMMARY << 'EOF'
+          cat >> $GITHUB_STEP_SUMMARY << EOF
           # Kyverno Policy Validation
 
-          | Policy | Purpose | Status |
-          |--------|---------|--------|
+          | Metric | Value |
+          |--------|-------|
+          | Policies Validated | ${{ steps.validate.outputs.validated || '0' }} |
+          | Failures | ${{ steps.validate.outputs.failed || '0' }} |
+
           EOF
 
-          for policy in policies/kyverno/*.yaml; do
+          echo "| Policy | Purpose |" >> $GITHUB_STEP_SUMMARY
+          echo "|--------|---------|" >> $GITHUB_STEP_SUMMARY
+
+          for policy in policies/kyverno/*.yaml policies/kyverno/*.yml 2>/dev/null; do
             if [ -f "$policy" ]; then
               NAME=$(basename "$policy" .yaml)
-              PURPOSE=$(grep -A1 "policies.kyverno.io/title:" "$policy" 2>/dev/null | head -1 | sed 's/.*title:\s*//' || echo "N/A")
-              echo "| \`$NAME\` | $PURPOSE | Validated |" >> $GITHUB_STEP_SUMMARY
+              PURPOSE=$(grep "policies.kyverno.io/title:" "$policy" 2>/dev/null | sed 's/.*title:\s*//' | head -1 || echo "N/A")
+              echo "| \`$NAME\` | $PURPOSE |" >> $GITHUB_STEP_SUMMARY
             fi
           done
 

docs/adr/0012-kyverno-policies.md

@@ -26,10 +26,32 @@ Considerations:
 
 - Include Kyverno policies as an **optional feature** for users deploying to Kubernetes
 - Policies are stored in `policies/kyverno/` with documentation
-- A validation workflow (`kyverno-validate.yml`) validates policy syntax on changes
+- A **reusable workflow** (`kyverno-ci.yml`) allows external repos to validate their policies
+- An internal workflow (`kyverno-validate.yml`) validates the hub's own policy syntax on changes
 - Policies default to `Audit` mode (warning only) for safe adoption; users upgrade to `Enforce` when ready
 - The `block-pull-request-target` policy uses `Enforce` by default as it's a critical security control
 
+### Reusable Workflow Usage
+
+External repos can call the Kyverno CI workflow:
+
+```yaml
+jobs:
+  kyverno:
+    uses: jguida941/ci-cd-hub/.github/workflows/kyverno-ci.yml@v1
+    with:
+      policies_dir: 'policies/kyverno'
+      run_tests: true  # Test against fixtures
+```
+
+Available inputs:
+- `policies_dir`: Directory containing policy YAML files (default: `policies/kyverno`)
+- `templates_dir`: Directory containing policy templates (default: `templates/kyverno`)
+- `fixtures_dir`: Directory containing test resources (default: `fixtures/kyverno`)
+- `run_tests`: Run policies against fixtures (default: `false`)
+- `kyverno_version`: CLI version to use (default: `v1.13.0`)
+- `fail_on_warn`: Fail build on policy warnings (default: `false`)
+
 ## Alternatives Considered
 
 1. **Remove Kyverno entirely:** Rejected - valuable for users with K8s deployments