Add Kyverno policy engine configuration

cmyui · claude · cmyui · commit fc21030587bb · 2026-01-21T01:38:18.000-05:00
Adds declarative Kyverno setup with four security/best-practice policies:
- restrict-image-registries: Block images from unapproved registries (Enforce)
- require-resource-limits: Block pods without resource limits (Enforce)
- disallow-privileged-containers: Block privileged containers (Enforce)
- require-probes: Block web services without readiness probes (Enforce)

Exclusions for legitimate cases:
- System namespaces (kube-system, kyverno, kube-flannel, grafana)
- CronJob pods (short-lived)
- Background workers (discord bots, pubsub daemons, amqp processors)

Includes Helm values for minimal resource footprint on small clusters.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/k8s/kyverno/README.md b/k8s/kyverno/README.md
@@ -0,0 +1,69 @@
+# Kyverno
+
+Policy engine for Kubernetes that validates, mutates, and generates resources.
+
+## Installation
+
+```bash
+# Add Helm repo
+helm repo add kyverno https://kyverno.github.io/kyverno/
+helm repo update kyverno
+
+# Install Kyverno
+helm install kyverno kyverno/kyverno \
+  -n kyverno \
+  --create-namespace \
+  -f values.yaml \
+  --wait
+
+# Apply policies
+kubectl apply -f policies/
+```
+
+## Upgrade
+
+```bash
+helm repo update kyverno
+helm upgrade kyverno kyverno/kyverno \
+  -n kyverno \
+  -f values.yaml \
+  --wait
+```
+
+## Uninstall
+
+```bash
+kubectl delete -f policies/
+helm uninstall kyverno -n kyverno
+kubectl delete ns kyverno
+```
+
+## Policies
+
+| Policy | Mode | Description |
+|--------|------|-------------|
+| `restrict-image-registries` | Enforce | Only allow images from approved registries |
+| `require-resource-limits` | Enforce | Block pods without resource limits |
+| `disallow-privileged-containers` | Enforce | Block privileged containers |
+| `require-probes` | Enforce | Block web services without readiness probes |
+
+### Exclusions
+
+The following are excluded from resource limits and probe requirements:
+- System namespaces: `kube-system`, `kyverno`, `kube-flannel`, `grafana`
+- CronJob pods (identified by `job-name` label)
+- GitHub runner namespace
+- Background workers: `*-discord-bot-*`, `*-pubsub-daemon-*`, `*-amqp-processor-*`, `*-processor-production-*`
+
+## Checking Policy Violations
+
+```bash
+# View policy reports
+kubectl get policyreport -A
+
+# View cluster-wide policy reports
+kubectl get clusterpolicyreport
+
+# Describe a specific report for details
+kubectl describe policyreport -n default
+```
diff --git a/k8s/kyverno/policies/disallow-privileged-containers.yaml b/k8s/kyverno/policies/disallow-privileged-containers.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-privileged-containers
+  annotations:
+    policies.kyverno.io/title: Disallow Privileged Containers
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: >-
+      Privileged containers have full access to the host and should
+      be blocked except for specific system workloads.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: disallow-privileged
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - kube-flannel
+          - resources:
+              namespaces:
+                - github-runner
+              names:
+                - "github-runner-*"
+      validate:
+        message: "Privileged containers are not allowed."
+        pattern:
+          spec:
+            containers:
+              - =(securityContext):
+                  =(privileged): false
+            =(initContainers):
+              - =(securityContext):
+                  =(privileged): false
diff --git a/k8s/kyverno/policies/require-probes.yaml b/k8s/kyverno/policies/require-probes.yaml
@@ -0,0 +1,52 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-probes
+  annotations:
+    policies.kyverno.io/title: Require Probes
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/description: >-
+      Containers should have readiness and liveness probes defined
+      to ensure proper health checking and traffic management.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-probes
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - kyverno
+                - kube-flannel
+                - github-runner
+                - grafana
+          # Exclude CronJob pods (they run to completion)
+          - resources:
+              selector:
+                matchExpressions:
+                  - key: job-name
+                    operator: Exists
+      preconditions:
+        all:
+          # Only require probes for services (pods with app label ending in -api or -production that are NOT background workers)
+          - key: "{{ request.object.metadata.name }}"
+            operator: AnyNotIn
+            value:
+              - "*-discord-bot-*"
+              - "*-pubsub-daemon-*"
+              - "*-amqp-processor-*"
+              - "*-processor-production-*"
+      validate:
+        message: "Web service containers must have readinessProbe defined."
+        pattern:
+          spec:
+            containers:
+              - readinessProbe:
+                  periodSeconds: ">0"
diff --git a/k8s/kyverno/policies/require-resource-limits.yaml b/k8s/kyverno/policies/require-resource-limits.yaml
@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-resource-limits
+  annotations:
+    policies.kyverno.io/title: Require Resource Limits
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/description: >-
+      Containers should have resource limits defined to prevent
+      resource exhaustion and ensure fair scheduling.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-resource-limits
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - kyverno
+                - kube-flannel
+                - grafana
+          # Exclude CronJob pods (short-lived, run to completion)
+          - resources:
+              selector:
+                matchExpressions:
+                  - key: job-name
+                    operator: Exists
+      validate:
+        message: "Containers must have memory and CPU limits defined."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "?*"
+                    cpu: "?*"
diff --git a/k8s/kyverno/policies/restrict-image-registries.yaml b/k8s/kyverno/policies/restrict-image-registries.yaml
@@ -0,0 +1,88 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-image-registries
+  annotations:
+    policies.kyverno.io/title: Restrict Image Registries
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: >-
+      Only allow container images from approved registries to ensure
+      supply chain security and prevent pulling from untrusted sources.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-registries
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Image '{{ request.object.spec.containers[].image }}' is not from an approved registry.
+          Allowed registries: osuakatsuki/*, registry.k8s.io/*, docker.io/flannel/*,
+          docker.io/grafana/*, ghcr.io/grafana/*, quay.io/prometheus/*,
+          myoung34/github-runner*, phpmyadmin/phpmyadmin*
+        foreach:
+          - list: "request.object.spec.containers"
+            deny:
+              conditions:
+                all:
+                  - key: "{{ element.image }}"
+                    operator: NotEquals
+                    value: ""
+                  - key: "{{ element.image }}"
+                    operator: AnyNotIn
+                    value:
+                      - "osuakatsuki/*"
+                      - "docker.io/osuakatsuki/*"
+                      - "registry.k8s.io/*"
+                      - "docker.io/flannel/*"
+                      - "flannel/*"
+                      - "docker.io/grafana/*"
+                      - "grafana/*"
+                      - "ghcr.io/grafana/*"
+                      - "quay.io/prometheus/*"
+                      - "myoung34/github-runner*"
+                      - "docker.io/myoung34/github-runner*"
+                      - "phpmyadmin/phpmyadmin*"
+                      - "docker.io/phpmyadmin/phpmyadmin*"
+    - name: validate-init-container-registries
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.initContainers || `[]` | length(@) }}"
+            operator: GreaterThan
+            value: 0
+      validate:
+        message: >-
+          Init container image is not from an approved registry.
+        foreach:
+          - list: "request.object.spec.initContainers"
+            deny:
+              conditions:
+                all:
+                  - key: "{{ element.image }}"
+                    operator: NotEquals
+                    value: ""
+                  - key: "{{ element.image }}"
+                    operator: AnyNotIn
+                    value:
+                      - "osuakatsuki/*"
+                      - "docker.io/osuakatsuki/*"
+                      - "registry.k8s.io/*"
+                      - "docker.io/flannel/*"
+                      - "flannel/*"
+                      - "docker.io/grafana/*"
+                      - "grafana/*"
+                      - "ghcr.io/grafana/*"
+                      - "quay.io/prometheus/*"
+                      - "myoung34/github-runner*"
+                      - "docker.io/myoung34/github-runner*"
+                      - "phpmyadmin/phpmyadmin*"
+                      - "docker.io/phpmyadmin/phpmyadmin*"
diff --git a/k8s/kyverno/values.yaml b/k8s/kyverno/values.yaml
@@ -0,0 +1,43 @@
+# Kyverno Helm values
+# Minimal resource configuration for small clusters
+
+admissionController:
+  replicas: 1
+  resources:
+    limits:
+      memory: 384Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
+backgroundController:
+  replicas: 1
+  resources:
+    limits:
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 64Mi
+
+cleanupController:
+  replicas: 1
+  resources:
+    limits:
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 64Mi
+
+reportsController:
+  replicas: 1
+  resources:
+    limits:
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 64Mi
+
+# Fail open if Kyverno is unavailable (prevents blocking deployments)
+config:
+  webhooks:
+    - failurePolicy: Ignore
