fix: move policies here and there

2025-06-20 14:47:26 +02:00
parent d5b860cf31
commit df7829dfbd
7 changed files with 26 additions and 119 deletions
@@ -1,20 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: add-ingress-whitelist
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: set-whitelist-internal
-    mutate:
-      patchStrategicMerge:
-        metadata:
-          annotations:
-            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-    match:
-      resources:
-        kinds:
-        - Ingress
-        annotations:
-          atlantis.oceanbox.io/expose: internal
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: remove-argocd-tracking-id
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: remove-argocd-tracking-ids
-    mutate:
-      patchesJson6902: |-
-        - path: /metadata/annotations/argocd.argoproj.io~1tracking-id
-          op: remove
-    match:
-      any:
-       - resources:
-           kinds:
-           - Secret
-           names:
-           - prod-rabbitmq
-           - staging-rabbitmq
-           - prod-redis
-           - staging-redis
-    exclude:
-      any:
-       - resources:
-           kinds:
-           - Namespace
-           names:
-           - rabbitmq
-           - redis
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-gitlab-secret
+  annotations:
+    policies.kyverno.io/title: Sync Secrets
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/description: >-
+      Secrets like registry credentials often need to exist in multiple
+      Namespaces so Pods there have access. Manually duplicating those Secrets
+      is time consuming and error prone. This policy will copy a
+      Secret called `regcred` which exists in the `default` Namespace to
+      new Namespaces when they are created. It will also push updates to
+      the copied Secrets should the source Secret be changed.
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: gitlab-pull-secret
@@ -1,42 +1,34 @@
+{{- if .Values.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
+  name: sync-regcred-secret
  annotations:
+    policies.kyverno.io/title: Sync Secrets
    policies.kyverno.io/category: Sample
-    policies.kyverno.io/description: 'Secrets like registry credentials often need
-      to exist in multiple Namespaces so Pods there have access. Manually duplicating
-      those Secrets is time consuming and error prone. This policy will copy a Secret
-      called `regcred` which exists in the `default` Namespace to new Namespaces when
-      they are created. It will also push updates to the copied Secrets should the
-      source Secret be changed.            '
-  creationTimestamp: "2024-01-15T11:58:24Z"
-  name: sync-regcred
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/description: >-
+      Secrets like registry credentials often need to exist in multiple
+      Namespaces so Pods there have access. Manually duplicating those Secrets
+      is time consuming and error prone. This policy will copy a
+      Secret called `regcred` which exists in the `default` Namespace to
+      new Namespaces when they are created. It will also push updates to
+      the copied Secrets should the source Secret be changed.            
 spec:
-  admission: true
-  background: true
-  generateExisting: true
  rules:
-  - generate:
-      apiVersion: v1
-      clone:
-        # name: oceanbox-regcred
-        name: gitlab-pull-secret
-        namespace: default
-      kind: Secret
-      # name: oceanbox-regcred
-      name: gitlab-pull-secret
-      namespace: '{{`{{request.object.metadata.name}}`}}'
-      synchronize: true
-    exclude:
-      any:
-      - resources:
-          annotations:
-            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-image-pull-secret
+    skipBackgroundRequests: true
    match:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-    name: sync-oceanbox-regcred
-
-
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+{{- end }}
@@ -0,0 +1,34 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/title: Sync s3 Secrets
+  name: sync-s3-credentials
+spec:
+  generateExistingOnPolicyUpdate: true
+  background: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: s3-credentials
+        namespace: kube-system
+      kind: Secret
+      name: s3-credentials
+      namespace: '{{`{{request.object.metadata.name}}`}}'
+      synchronize: true
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - "velero"
+        - "loki"
+        - "tempo"
+    name: sync-s3-secret
+    skipBackgroundRequests: true
+  validationFailureAction: audit
+{{- end }}
@@ -0,0 +1,76 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: whitelist-internal-ingresses
+  annotations:
+    policies.kyverno.io/title: Concatenate Ingresss
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      Ingresses with the label "internal=true" should be whitelisted. 
+      If no whitelist exists, add the default values, otherwise append 
+      whitelist to the already existing ones
+spec:
+  mutateExistingOnPolicyUpdate: false
+  #precondition: has whitelist annotation or 
+  rules:
+  - name: ensure-nginx-whitelist-exists
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
+  - name: append-existing-whitelist
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: NotEquals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.clusterConfig.ingress_whitelist_ips }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
+            {{- end }}
+  - name: add-nginx-whitelist
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: Equals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.clusterConfig.ingress_whitelist_ips }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
+            {{- end }}
+{{- end }}
+