
Add Kyverno policy engine configuration #39

Open: cmyui wants to merge 3 commits into master from add-kyverno

Conversation

@cmyui (Member) commented Jan 21, 2026

Summary

  • Add Kyverno policy engine with declarative configuration
  • Include four security/best-practice policies:
    • restrict-image-registries: Block images from unapproved registries (Enforce mode)
    • require-resource-limits: Warn on missing resource limits (Audit mode)
    • disallow-privileged-containers: Block privileged containers (Enforce mode)
    • require-probes: Warn on missing health probes (Audit mode)
  • Configure minimal resource footprint for small clusters (~500MB total)
  • Include README with installation/upgrade/uninstall instructions

Approved Registries

  • osuakatsuki/* - Application images
  • registry.k8s.io/* - Kubernetes system components
  • docker.io/flannel/* - CNI
  • docker.io/grafana/*, ghcr.io/grafana/* - Monitoring
  • quay.io/prometheus/* - Monitoring
  • myoung34/github-runner* - CI runners
  • phpmyadmin/phpmyadmin* - Database admin

Installation

```shell
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update kyverno
helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f k8s/kyverno/values.yaml --wait
kubectl apply -f k8s/kyverno/policies/
```

Test plan

  • Install Kyverno using the provided values
  • Apply policies
  • Verify approved images can be deployed
  • Verify unapproved images are blocked

🤖 Generated with Claude Code

@cmyui cmyui requested a review from infernalfire72 as a code owner January 21, 2026 06:33
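As an added illustration (not the policy file from this PR), this is how the restrict-image-registries policy summarised above can be expressed as a Kyverno ClusterPolicy, using the approved registries from the Summary. The namespace and name exclusions are taken from the commit messages in this thread; that they apply to this particular policy is an assumption.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  # Enforce rejects a non-matching Pod at admission; Audit would only record a
  # violation in a PolicyReport (the mode the PR uses for its two "warn" policies).
  validationFailureAction: Enforce
  # Also evaluate Pods that already exist, not only new admission requests.
  background: true
  rules:
    - name: validate-registries
      match:
        any:
          - resources:
              kinds:
                - Pod   # Kyverno auto-generates rules for Deployments, Jobs, CronJobs, etc.
      # Assumed: the exclusions listed in the commit messages, applied to this policy.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - kube-flannel
                - grafana
          - resources:
              names:            # glob patterns are accepted here, unlike in preconditions
                - "*-discord-bot-*"
                - "*-pubsub-daemon-*"
                - "*-amqp-processor-*"
                - "*-processor-production-*"
                - "*-cleanup-cron-*"
      validate:
        message: "Image is not from an approved registry."
        pattern:
          spec:
            # "|" separates alternatives and "*" is a wildcard. The pattern is compared
            # with the image string as written in the manifest, so "docker.io/flannel/..."
            # and the short form "flannel/..." are different inputs to this check.
            containers:
              - image: &approved "osuakatsuki/* | registry.k8s.io/* | docker.io/flannel/* | docker.io/grafana/* | ghcr.io/grafana/* | quay.io/prometheus/* | myoung34/github-runner* | phpmyadmin/phpmyadmin*"
            # =() applies the check only when the optional list is present in the Pod.
            =(initContainers):
              - image: *approved
            =(ephemeralContainers):
              - image: *approved
```

The `&approved` / `*approved` YAML anchor keeps the allowlist in one place; the YAML parser expands it before the manifest reaches the API server.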
@github-actions

Terraform Plan Output

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Adds declarative Kyverno setup with four security/best-practice policies:
- restrict-image-registries: Block images from unapproved registries (Enforce)
- require-resource-limits: Block pods without resource limits (Enforce)
- disallow-privileged-containers: Block privileged containers (Enforce)
- require-probes: Block web services without readiness probes (Enforce)

Exclusions for legitimate cases:
- System namespaces (kube-system, kyverno, kube-flannel, grafana)
- CronJob pods (short-lived)
- Background workers (discord bots, pubsub daemons, amqp processors)

Includes Helm values for minimal resource footprint on small clusters.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Use names-based exclusions instead of preconditions for background
workers. Preconditions don't support glob patterns, but the names
field in exclude does.

Excludes:
- *-discord-bot-*
- *-pubsub-daemon-*
- *-amqp-processor-*
- *-processor-production-*
- *-cleanup-cron-*

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Remove failurePolicy config that was causing Helm template errors.
Use default blocking behavior when Kyverno is unavailable.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>