fix: configure network policies outside kyverno if possible (and stuff)

resources/atlantis/manifests/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - allow-atlantis-external-services.yaml
+  - allow-atlantis-services.yaml

resources/atlantis/manifests/prod/kustomization.yaml

@@ -3,4 +3,4 @@ kind: Kustomization
 resources:
   - pubsub-rabbitmq.yaml
   - state-redis.yaml
-  - dapr-tracing.yaml
+  - ../base/

resources/atlantis/manifests/staging/kustomization.yaml

@@ -3,4 +3,4 @@ kind: Kustomization
 resources:
   - pubsub-rabbitmq.yaml
   - state-redis.yaml
-  - dapr-tracing.yaml
+  - ../base/

resources/oceanbox-cluster/allow-namespace-traffic.yaml

@@ -1,15 +0,0 @@
-apiVersion: "cilium.io/v2"
-kind: CiliumNetworkPolicy
-metadata:
-  name: "allow-namespace-traffic"
-specs:
-  - endpointSelector:
-      matchLabels: {}
-    egress:
-    - toEndpoints:
-      - matchLabels:
-          "k8s:io.kubernetes.pod.namespace": argocd
-    ingress:
-    - fromEndpoints:
-      - matchLabels:
-          "k8s:io.kubernetes.pod.namespace": argocd

resources/oceanbox-cluster/kyverno-policies/allow-namespace-traffic.yaml

@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: allow-namespace-traffic
+  annotations:
+    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
+    policies.kyverno.io/subject: Namespace, NetworkPolicy
+    kyverno.io/kyverno-version: 1.7.0
+    policies.kyverno.io/minversion: 1.7.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/description: >-
+      Allow all ingress/egress traffic within a namespace.
+      Allow egress to any pods in the cluster
+      Allow DNS with layer 7 inspection
+spec:
+  generateExistingOnPolicyUpdate: true
+  rules:
+  - name: allow-namespace-traffic
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      synchronize: true
+      apiVersion: cilium.io/v2
+      kind: CiliumNetworkPolicy
+      name: allow-namespace-traffic
+      namespace: "{{request.object.metadata.name}}"
+      data:
+        metadata:
+          labels:
+            created-by: kyverno
+        spec:
+          endpointSelector: {}
+          description: "Allow all traffic within a namespace, allow dns, allow egress to all entities in cluster"
+          ingress:
+            - fromEndpoints:
+                - {}
+            - fromEndpoints:
+              - matchExpressions:
+                - key: io.kubernetes.pod.namespace
+                  operator: Exists
+          egress:
+            - toEndpoints:
+              - matchExpressions:
+                - key: io.kubernetes.pod.namespace
+                  operator: Exists
+              #authentication:
+              #  mode: "required"
+            - toEndpoints:
+                - matchLabels:
+                    io.kubernetes.pod.namespace: kube-system
+                    k8s-app: kube-dns
+              toPorts:
+                - ports:
+                    - port: "53"
+                      protocol: UDP
+                  rules:
+                    dns:
+                      - matchPattern: "*"
+              #authentication:
+              #  mode: "required"

resources/oceanbox-cluster/kyverno-policies/sync-oceanbox-regcred.yaml

@@ -14,6 +14,7 @@ metadata:
 spec:
   admission: true
   background: true
+  generateExisting: true
   rules:
   - generate:
       apiVersion: v1
@@ -26,11 +27,18 @@ spec:
       name: gitlab-pull-secret
       namespace: '{{request.object.metadata.name}}'
       synchronize: true
+    exclude:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "vcluster-*"
     match:
-      resources:
-        kinds:
-        - Namespace
-    name: sync-image-pull-secret
-    # skipBackgroundRequests: true
-  # validationFailureAction: audit
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: sync-oceanbox-regcred
+
 

resources/oceanbox-cluster/vcluster-rabc.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vcluster-create-cilium-networkpolicies
+rules:
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnetworkpolicies
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vcluster-jaegers
+rules:
+- apiGroups:
+  - jaegertracing.io
+  resources:
+  - jaegers
+  verbs:
+  - '*'