diff --git a/resources/atlantis/manifests/allow-atlantis-external-services.yaml b/resources/atlantis/manifests/base/allow-atlantis-external-services.yaml
similarity index 100%
rename from resources/atlantis/manifests/allow-atlantis-external-services.yaml
rename to resources/atlantis/manifests/base/allow-atlantis-external-services.yaml
diff --git a/resources/atlantis/manifests/allow-atlantis-services.yaml b/resources/atlantis/manifests/base/allow-atlantis-services.yaml
similarity index 100%
rename from resources/atlantis/manifests/allow-atlantis-services.yaml
rename to resources/atlantis/manifests/base/allow-atlantis-services.yaml
diff --git a/resources/atlantis/manifests/base/kustomization.yaml b/resources/atlantis/manifests/base/kustomization.yaml
new file mode 100644
index 00000000..ca68e917
--- /dev/null
+++ b/resources/atlantis/manifests/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - allow-atlantis-external-services.yaml
+ - allow-atlantis-services.yaml
diff --git a/resources/atlantis/manifests/prod/kustomization.yaml b/resources/atlantis/manifests/prod/kustomization.yaml
index 10f80a16..b79685f8 100644
--- a/resources/atlantis/manifests/prod/kustomization.yaml
+++ b/resources/atlantis/manifests/prod/kustomization.yaml
@@ -3,4 +3,4 @@ kind: Kustomization
resources:
- pubsub-rabbitmq.yaml
- state-redis.yaml
- - dapr-tracing.yaml
+ - ../base/
diff --git a/resources/atlantis/manifests/staging/kustomization.yaml b/resources/atlantis/manifests/staging/kustomization.yaml
index 10f80a16..b79685f8 100644
--- a/resources/atlantis/manifests/staging/kustomization.yaml
+++ b/resources/atlantis/manifests/staging/kustomization.yaml
@@ -3,4 +3,4 @@ kind: Kustomization
resources:
- pubsub-rabbitmq.yaml
- state-redis.yaml
- - dapr-tracing.yaml
+ - ../base/
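Review bot: `dapr-tracing.yaml` is removed from the prod overlay's `resources`, but this diff contains no deletion of that file, so if it still exists on disk it becomes an unreferenced manifest and, under a GitOps sync with pruning enabled, the tracing objects it defined will be deleted from the cluster; either that is the intent and the file should go in the same commit, or the entry was dropped by mistake. The staging hunk makes the identical change and carries the same blob ids (`index 10f80a16..b79685f8`), which means prod and staging kustomizations are byte-identical — if that is expected, `pubsub-rabbitmq.yaml` and `state-redis.yaml` could move into `../base/` as well so the overlays only hold what actually differs per environment. Whitespace was collapsed in this rendering, so the sequence indentation of the new `- ../base/` entry relative to the existing entries cannot be checked here; keep it consistent file-wide.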
diff --git a/resources/oceanbox-cluster/allow-namespace-traffic.yaml b/resources/oceanbox-cluster/allow-namespace-traffic.yaml
deleted file mode 100644
index 0e32a3a8..00000000
--- a/resources/oceanbox-cluster/allow-namespace-traffic.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
- name: "allow-namespace-traffic"
-specs:
- - endpointSelector:
- matchLabels: {}
- egress:
- - toEndpoints:
- - matchLabels:
- "k8s:io.kubernetes.pod.namespace": argocd
- ingress:
- - fromEndpoints:
- - matchLabels:
- "k8s:io.kubernetes.pod.namespace": argocd
diff --git a/resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml b/resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml
new file mode 100644
index 00000000..9a058c53
--- /dev/null
+++ b/resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: allow-namespace-traffic
+ annotations:
+ policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
+ policies.kyverno.io/subject: Namespace, NetworkPolicy
+ kyverno.io/kyverno-version: 1.7.0
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ Allow all ingress/egress traffic within a namespace.
+ Allow egress to any pods in the cluster
+ Allow DNS with layer 7 inspection
+spec:
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - name: allow-namespace-traffic
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ synchronize: true
+ apiVersion: cilium.io/v2
+ kind: CiliumNetworkPolicy
+ name: allow-namespace-traffic
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ endpointSelector: {}
+ description: "Allow all traffic within a namespace, allow dns, allow egress to all entities in cluster"
+ ingress:
+ - fromEndpoints:
+ - {}
+ - fromEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ egress:
+ - toEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ #authentication:
+ # mode: "required"
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ rules:
+ dns:
+ - matchPattern: "*"
+ #authentication:
+ # mode: "required"
diff --git a/resources/oceanbox-cluster/sync-oceanbox-regcred.yaml b/resources/oceanbox-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
similarity index 80%
rename from resources/oceanbox-cluster/sync-oceanbox-regcred.yaml
rename to resources/oceanbox-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
index 1bb8b0d0..26a3514a 100644
--- a/resources/oceanbox-cluster/sync-oceanbox-regcred.yaml
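Review bot: The second `ingress` rule — `fromEndpoints` with `matchExpressions` on `io.kubernetes.pod.namespace` / `operator: Exists` — admits traffic from every pod in every namespace, because Cilium only auto-scopes an endpoint selector to the policy's own namespace when the selector does not reference the namespace key itself; combined with `endpointSelector: {}` and generation into every `Namespace`, this makes cluster-wide pod-to-pod ingress allowed everywhere, which is broader than the annotation ("Allow all ingress/egress traffic within a namespace"), broader than the inline `description` (which only claims cluster-wide egress), and far broader than the deleted policy that admitted `argocd` alone. If same-namespace ingress plus cluster-wide egress is the intent, drop that second `fromEndpoints` entry (the first one, `- {}`, already covers the namespace); if cluster-wide ingress is the intent, correct both descriptions so the generated policy says what it does. Unlike `sync-oceanbox-regcred.yaml` in this same commit, the rule has no `exclude` for `vcluster-*` namespaces, so the generated CiliumNetworkPolicy also lands in those and in `kube-system`, with `synchronize: true` reverting any local edits; a comment stating whether that is deliberate would help. The two commented-out `#authentication:` / `# mode: "required"` stanzas carry no explanation — a one-liner such as `# mutual authentication disabled for now: <reason/ticket>` keeps the intent from being lost.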
+++ b/resources/oceanbox-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
@@ -14,6 +14,7 @@ metadata:
spec:
admission: true
background: true
+ generateExisting: true
rules:
- generate:
apiVersion: v1
@@ -26,11 +27,18 @@ spec:
name: gitlab-pull-secret
namespace: '{{request.object.metadata.name}}'
synchronize: true
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - "vcluster-*"
match:
- resources:
- kinds:
- - Namespace
- name: sync-image-pull-secret
- # skipBackgroundRequests: true
- # validationFailureAction: audit
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: sync-oceanbox-regcred
+
diff --git a/resources/oceanbox-cluster/vcluster-rabc.yaml b/resources/oceanbox-cluster/vcluster-rabc.yaml
new file mode 100644
index 00000000..849266cc
--- /dev/null
+++ b/resources/oceanbox-cluster/vcluster-rabc.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vcluster-create-cilium-networkpolicies
+rules:
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnetworkpolicies
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vcluster-jaegers
+rules:
+- apiGroups:
+ - jaegertracing.io
+ resources:
+ - jaegers
+ verbs:
+ - '*'
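Review bot: `generateExisting: true` widens this policy from newly-created namespaces to every namespace that already exists, so `gitlab-pull-secret` is now copied into all of them at once (minus the `vcluster-*` exclusion added in the next hunk), including `kube-system` and any other system namespace where a principal with secret read can harvest the registry credential; confirm that blast radius is intended, or extend the `exclude` list to the namespaces that do not run images from that registry. The new `allow-namespace-traffic.yaml` policy in this same commit uses the older spelling `generateExistingOnPolicyUpdate: true` for the same effect — pick one field name across both files according to the Kyverno version actually deployed, since the other file's annotations pin `kyverno-version: 1.7.0` while this spelling is the newer one. The enclosing `spec` block continues outside this hunk.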
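Review bot: The new `exclude` keys on `names: - "vcluster-*"`, a wildcard on the namespace name, so the opt-out is a naming convention rather than an identity: any future namespace whose name happens to start with `vcluster-` silently stops receiving the pull secret, and a vcluster namespace created under another name receives it anyway. If the vcluster namespaces carry a distinguishing label, an `exclude` on `resources.selector.matchLabels` would be the more robust form; otherwise a comment above the block stating the naming contract it relies on is the minimum. The hunk also ends with an added empty line (a bare `+`), which yamllint reports as trailing blank lines.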
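Review bot: Both ClusterRoles grant `verbs: - '*'` on `ciliumnetworkpolicies` and `jaegers` respectively, so whatever subject they are bound to (no binding appears in this diff) can delete, patch and `deletecollection` those objects in every namespace — including the Kyverno-generated `allow-namespace-traffic` CiliumNetworkPolicy that this same commit uses for namespace isolation — and the name `vcluster-create-cilium-networkpolicies` suggests a narrower intent than that. Enumerate the verbs the vcluster syncer actually needs instead of `'*'`, and, if the syncer only ever touches its own namespaces, bind these roles with namespaced RoleBindings rather than a ClusterRoleBinding. The file name `vcluster-rabc.yaml` looks like a typo for `vcluster-rbac.yaml`. A short comment above each role naming the vcluster component that consumes it would make the grant auditable later.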