Commit 16c79c8

update kyverno
1 parent 4cb0e32 commit 16c79c8

12 files changed: +97 -31 lines changed
Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
---
2+
apiVersion: kyverno.io/v1
3+
kind: ClusterPolicy
4+
metadata:
5+
name: restrict-virtual-service-domain
6+
annotations:
7+
policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards
8+
policies.kyverno.io/category: Istio
9+
policies.kyverno.io/severity: medium
10+
kyverno.io/kyverno-version: 1.8.4
11+
policies.kyverno.io/minversion: 1.6.0
12+
kyverno.io/kubernetes-version: "1.23"
13+
policies.kyverno.io/subject: VirtualService
14+
policies.kyverno.io/description: >-
15+
Virtual Services optionally accept a wildcard as an alternative
16+
to precise matching. In some cases, this may be too permissive as it
17+
would direct unintended traffic to the given resource. This
18+
policy enforces that any Virtual Service host does not contain a wildcard
19+
character and allows for more governance when a single mesh deployment
20+
model is used.
21+
spec:
22+
validationFailureAction: "enforce"
23+
background: true
24+
rules:
25+
- name: "block-virtual-service-wildcard"
26+
match:
27+
any:
28+
- resources:
29+
kinds:
30+
- "VirtualService"
31+
validate:
32+
message: "Only VirtualService objects for the correct domain are allowed."
33+
foreach:
34+
- list: "request.object.spec.hosts"
35+
deny:
36+
conditions:
37+
any:
38+
- key: "{{element}}"
39+
operator: NotEquals
40+
value: "*.ez.soeren.cloud"
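Review bot: The annotations and rule name in this new policy describe the opposite of what the rule does: the title "Restrict Virtual Service Host with Wildcards", the description ("enforces that any Virtual Service host does not contain a wildcard character") and the rule name `block-virtual-service-wildcard` on line 25 are carried over from the no-wildcards policy, while the deny condition on lines 38-40 rejects every host that is not `*.ez.soeren.cloud`, i.e. it pins hosts to one domain, which is what the `message` on line 32 says. Rewrite the title, description and rule name to say that hosts are restricted to the ez.soeren.cloud domain. Also pin down the matching semantics with a `kyverno test` case: Kyverno's `Equals`/`NotEquals` treat `*` in the value as a wildcard, so `app.ez.soeren.cloud` should be allowed and `app.example.com` denied, and a test in the repo is the only thing that will prove it. Finally, `validationFailureAction: "enforce"` on line 22 uses the lowercase spelling where Kyverno's documentation since 1.8 uses `Enforce`; lowercase is accepted for backward compatibility, but use one form for every policy in this directory.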

apps/kyverno/components/default-clusterpolicies/cp-istio-virtualservice-nowildcards.yaml

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ metadata:
1919
character and allows for more governance when a single mesh deployment
2020
model is used.
2121
spec:
22-
validationFailureAction: Enforce
22+
validationFailureAction: "enforce"
2323
background: true
2424
rules:
2525
- name: block-virtual-service-wildcard
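Review bot: Changing `Enforce` to `"enforce"` on line 22 moves away from the capitalized form Kyverno has documented as canonical since 1.8; the lowercase value is still accepted for backward compatibility but is the deprecated spelling. If the change is needed for the Kyverno version shipped by chart `2.6.0` pinned in this commit, state that in the commit message; otherwise keep `Enforce`.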

apps/kyverno/components/default-clusterpolicies/cp-require-labels.yaml

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ metadata:
1515
all tools can understand. The recommended labels describe applications in a way that can be
1616
queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
1717
spec:
18-
validationFailureAction: Enforce
18+
validationFailureAction: "enforce"
1919
background: true
2020
rules:
2121
- name: check-for-labels
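Review bot: Same `Enforce` to `"enforce"` change on line 18 as in the other policy files; whichever spelling is settled on, keep it identical across all four ClusterPolicies so that a later Kyverno upgrade that drops the deprecated lowercase form does not break only some of them.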

apps/kyverno/components/default-clusterpolicies/cp-require-pod-requests-limits.yaml

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ metadata:
1717
This policy validates that all containers have something specified for memory and CPU
1818
requests and memory limits.
1919
spec:
20-
validationFailureAction: Enforce
20+
validationFailureAction: "enforce"
2121
background: true
2222
rules:
2323
- name: validate-resources
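Review bot: Line 20 quotes `"enforce"`, which is valid YAML but differs from every other scalar in this file, which is unquoted; the quoting is cosmetic, the substantive point is that the lowercase spelling is Kyverno's deprecated form and `Enforce` is the documented value.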

apps/kyverno/components/default-clusterpolicies/cp-require-ro-rootfs.yaml

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ metadata:
1616
host system. This policy validates that containers define a securityContext
1717
with `readOnlyRootFilesystem: true`.
1818
spec:
19-
validationFailureAction: Enforce
19+
validationFailureAction: "enforce"
2020
background: true
2121
rules:
2222
- name: validate-readOnlyRootFilesystem
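Review bot: Same spelling change on line 19; because this is the read-only root filesystem control, verify after deploy that the policy is actually loaded (`kubectl get clusterpolicy` shows a READY column) against the Kyverno version the pinned chart installs, since nothing in this commit tests that the lowercase value is accepted there.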

apps/kyverno/components/default-clusterpolicies/kustomization.yaml

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@
22
apiVersion: kustomize.config.k8s.io/v1alpha1
33
kind: Component
44
resources:
5+
- cp-istio-virtualservice-correct-domain.yaml
56
- cp-istio-virtualservice-nowildcards.yaml
67
- cp-require-labels.yaml
78
- cp-require-pod-requests-limits.yaml
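Review bot: The new resource entry on line 5 depends on the ClusterPolicy CRD already existing when this component is applied; if the component is reconciled by the same Flux Kustomization that installs the Kyverno HelmRelease added in this commit, the first apply on a fresh cluster fails with a CRD-not-found error. Apply the policies from a separate Kustomization with `dependsOn` pointing at the one that installs the chart, and run `kustomize build` on this directory in CI so a misnamed file in `resources:` is caught before reconcile.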

apps/kyverno/helm-fan-out.sh

Lines changed: 0 additions & 27 deletions
This file was deleted.
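Review bot: The commit message "update kyverno" does not say that `helm-fan-out.sh` is removed and replaced by a Flux HelmRelease, which is the substantive change in this commit; a one-line explanation, plus confirmation that nothing else (CI, a Makefile, documentation) still calls the script, belongs in the message.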

apps/kyverno/kustomization.yaml

Lines changed: 3 additions & 0 deletions
@@ -1,3 +1,6 @@
11
---
22
apiVersion: kustomize.config.k8s.io/v1beta1
33
kind: Kustomization
4+
resources:
5+
- repo.yaml
6+
- release.yaml
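Review bot: `repo.yaml` and `release.yaml` are now listed, but the `components/default-clusterpolicies` directory modified in this commit is not referenced here, and this is a kustomize `Kustomization`, not a Flux one, so the ClusterPolicies are only applied if some other Kustomization includes the component. Either add `components:` with `components/default-clusterpolicies` here, or note where the component is consumed.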

apps/kyverno/release.yaml

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
apiVersion: "helm.toolkit.fluxcd.io/v2"
2+
kind: "HelmRelease"
3+
metadata:
4+
name: "kyverno"
5+
spec:
6+
releaseName: "kyverno"
7+
chart:
8+
spec:
9+
chart: "kyverno"
10+
version: "2.6.0"
11+
sourceRef:
12+
kind: "HelmRepository"
13+
name: "kyverno"
14+
interval: "1h"
15+
install:
16+
remediation:
17+
retries: 3
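Review bot: `spec.interval` is a required field on a HelmRelease, and it is not clear from this hunk whether the `interval: "1h"` on line 14 sits directly under `spec` or under `chart.spec` (where it is optional and defaults to the top-level value); if it is the latter, the object fails CRD validation. Three further points: `helm.toolkit.fluxcd.io/v2` requires Flux 2.3 or later; no `metadata.namespace` or `install.createNamespace: true` is set although the Kyverno chart expects its own namespace; and `install.remediation` on lines 15-17 has no `upgrade.remediation` counterpart, so a failed upgrade is not rolled back. Lastly, chart `2.6.0` is pinned while the policies are annotated `kyverno.io/kyverno-version: 1.8.4`; check that this chart version ships a Kyverno release the policies were tested against.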

apps/kyverno/repo.yaml

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
---
2+
apiVersion: source.toolkit.fluxcd.io/v1
3+
kind: HelmRepository
4+
metadata:
5+
name: kyverno
6+
spec:
7+
interval: 1h
8+
url: "https://kyverno.github.io/kyverno/"
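Review bot: Like the HelmRelease, this HelmRepository sets no `metadata.namespace`, so both objects land in whatever namespace the applying Flux Kustomization targets; the release's `sourceRef` does not name a namespace either, so this works only while the two stay together, and setting the namespace explicitly on both makes that contract visible. `source.toolkit.fluxcd.io/v1` is the GA API (Flux 2.3 or later), consistent with the v2 HelmRelease. Minor: this file opens with `---` and uses unquoted scalars while `release.yaml` omits the document marker and quotes every value; pick one style.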
