From 8989cdb1009df9952c2f240885438eb546e655fe Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 19 Dec 2024 09:50:33 +0100
Subject: [PATCH] fix: add kyverno policies for dapr api tokens

---
 .../ekman/kyverno/add-ingress-whitelist.yaml | 20 ++++++++++++++++
 .../ekman/kyverno/sync-sorcerer-secrets.yaml | 24 +++++++++++++++++++
 .../kyverno/sync-atlantis-secrets.yaml | 24 +++++++++++++++++++
 .../clusterpolicy-allow-ekman-egress.yaml | 4 ++++
 4 files changed, 72 insertions(+)
 create mode 100644 policies/ekman/kyverno/add-ingress-whitelist.yaml

diff --git a/policies/ekman/kyverno/add-ingress-whitelist.yaml b/policies/ekman/kyverno/add-ingress-whitelist.yaml
new file mode 100644
index 00000000..58c7b529
--- /dev/null
+++ b/policies/ekman/kyverno/add-ingress-whitelist.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-ingress-whitelist
+spec:
+ background: true
+ generateExisting: true
+ rules:
+ - name: set-whitelist-internal
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ match:
+ resources:
+ kinds:
+ - Ingress
+ annotations:
+ atlantis.oceanbox.io/expose: internal
diff --git a/policies/ekman/kyverno/sync-sorcerer-secrets.yaml b/policies/ekman/kyverno/sync-sorcerer-secrets.yaml
index d1e45713..9479b8d9 100644
--- a/policies/ekman/kyverno/sync-sorcerer-secrets.yaml
+++ b/policies/ekman/kyverno/sync-sorcerer-secrets.yaml
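Review bot: `generateExisting: true` and `background: true` will not retrofit the whitelist onto Ingresses that already carry `atlantis.oceanbox.io/expose: internal`; as far as I recall those spec flags govern generate and validate rules, while a mutate rule only rewrites existing objects when it declares `targets` under `mutate` together with `spec.mutateExistingOnPolicyUpdate: true`, so as written this rule applies at admission only — worth confirming against the Kyverno version in use. The injected annotation is nginx-specific, so an Ingress served by another ingress class keeps it as an inert string and the intended restriction silently does not apply; matching on `spec.ingressClassName` alongside the annotation, or a companion validate rule that rejects the `internal` annotation on other classes, would close that gap. The RFC1918 ranges also only restrict anything if the controller sees the real client address; behind a load balancer that does not preserve source IP every request arrives from an internal address and is admitted, which cannot be verified from this file. A comment above the rule stating that assumption would help the next reader, e.g. `# whitelist only holds if the ingress controller receives the original client IP (proxy protocol / externalTrafficPolicy: Local)`.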
@@ -30,3 +30,27 @@ spec:
 - resources:
 annotations:
 vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+ - name: sync-dapr-api-token
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{ request.object.metadata.name }}'
+ namespace: '{{ request.object.metadata.namespace }}'
+ synchronize: true
+ clone:
+ name: dapr-api-token
+ namespace: staging-sorcerer
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - dapr-api-token
+ annotations:
+ kyverno/clone: "true"
+ exclude:
+ any:
+ - resources:
+ annotations:
+ vcluster.loft.sh/controlled-by: secret/v1/GenericImport
diff --git a/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml b/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml
index daad7fcb..13b1b1d4 100644
--- a/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml
+++ b/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml
@@ -78,3 +78,27 @@ spec:
 - resources:
 annotations:
 vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+ - name: sync-dapr-api-token
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{ request.object.metadata.name }}'
+ namespace: '{{ request.object.metadata.namespace }}'
+ synchronize: true
+ clone:
+ name: dapr-api-token
+ namespace: staging-atlantis
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - dapr-api-token
+ annotations:
+ kyverno/clone: "true"
+ exclude:
+ any:
+ - resources:
+ annotations:
+ vcluster.loft.sh/controlled-by: secret/v1/GenericImport
diff --git a/policies/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml b/policies/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml
index 4ed929e8..27fed9cb 100644
--- a/policies/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml
+++ b/policies/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml
@@ -8,8 +8,12 @@ spec:
 - toCIDR:
 - 10.255.241.99/32
 - 10.255.241.100/32
+ - 185.125.160.88/32
+ - 185.125.160.89/32
 toPorts:
 - ports:
+ - port: "443"
+ protocol: TCP
 - port: "4443"
 protocol: TCP
 - port: "30443"
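Review bot: The `sync-dapr-api-token` rule's `match` has no namespace restriction, so a Secret named `dapr-api-token` annotated `kyverno/clone: "true"` created in any namespace other than the vcluster-imported ones receives a clone of the real token from `staging-sorcerer`; any principal with create rights on Secrets in its own namespace thereby obtains what is presumably a shared Dapr API credential, which is a wider trust boundary than the source namespace implies. The same shape appears in the `sync-atlantis-secrets.yaml` hunk below, cloning from `staging-atlantis`. Constrain the trigger with `namespaces:` or a `namespaceSelector` under `match.any[].resources` naming the tenants meant to hold the token, so that an annotation on the requesting Secret alone cannot pull the credential in. Since `synchronize: true` binds every copy to the source, a comment such as `# rotating dapr-api-token in the source namespace propagates to every synchronized copy` would document the fan-out for whoever rotates it. The enclosing `rules:` sequence starts outside this hunk.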
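Review bot: Assuming this is a Cilium policy (the `toCIDR`/`toPorts` keys suggest so), a single `toCIDR` list is evaluated against a single `toPorts` list as a cross product, so adding `443` here also opens 443 towards the two existing internal hosts and the two new public addresses also gain 4443 and 30443; if 443 is only needed for 185.125.160.88/32 and .89/32, they belong in their own entry and the four added lines should leave the existing entry untouched. Those two /32s are also the first non-private destinations in this allowlist and nothing in the hunk says what they are; a comment naming the service behind each address and why egress to it is required keeps the policy auditable. The enclosing egress rule starts, and may continue, outside this hunk.
```yaml
    # … unchanged: existing entry for 10.255.241.99/32 and .100/32 on 4443/30443, without the four added lines …
    - toCIDR:
        # <service name placeholder>: reason egress to these two public hosts is needed
        - 185.125.160.88/32
        - 185.125.160.89/32
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```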