fix: move policies here and there
This commit is contained in:
@@ -1,34 +0,0 @@
|
|||||||
{{- if .Values.kyverno.enabled }}
|
|
||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: sync-regcred-secret
|
|
||||||
annotations:
|
|
||||||
policies.kyverno.io/title: Sync Secrets
|
|
||||||
policies.kyverno.io/category: Sample
|
|
||||||
policies.kyverno.io/subject: Secret
|
|
||||||
policies.kyverno.io/description: >-
|
|
||||||
Secrets like registry credentials often need to exist in multiple
|
|
||||||
Namespaces so Pods there have access. Manually duplicating those Secrets
|
|
||||||
is time consuming and error prone. This policy will copy a
|
|
||||||
Secret called `regcred` which exists in the `default` Namespace to
|
|
||||||
new Namespaces when they are created. It will also push updates to
|
|
||||||
the copied Secrets should the source Secret be changed.
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
- name: sync-image-pull-secret
|
|
||||||
skipBackgroundRequests: true
|
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Namespace
|
|
||||||
generate:
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
name: regcred
|
|
||||||
namespace: "{{`{{request.object.metadata.name}}`}}"
|
|
||||||
synchronize: true
|
|
||||||
clone:
|
|
||||||
namespace: default
|
|
||||||
name: regcred
|
|
||||||
{{- end }}
|
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: add-ingress-whitelist
|
|
||||||
spec:
|
|
||||||
background: true
|
|
||||||
generateExisting: true
|
|
||||||
rules:
|
|
||||||
- name: set-whitelist-internal
|
|
||||||
mutate:
|
|
||||||
patchStrategicMerge:
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
|
||||||
match:
|
|
||||||
resources:
|
|
||||||
kinds:
|
|
||||||
- Ingress
|
|
||||||
annotations:
|
|
||||||
atlantis.oceanbox.io/expose: internal
|
|
||||||
@@ -1,31 +0,0 @@
|
|||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: remove-argocd-tracking-id
|
|
||||||
spec:
|
|
||||||
background: true
|
|
||||||
generateExisting: true
|
|
||||||
rules:
|
|
||||||
- name: remove-argocd-tracking-ids
|
|
||||||
mutate:
|
|
||||||
patchesJson6902: |-
|
|
||||||
- path: /metadata/annotations/argocd.argoproj.io~1tracking-id
|
|
||||||
op: remove
|
|
||||||
match:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
kinds:
|
|
||||||
- Secret
|
|
||||||
names:
|
|
||||||
- prod-rabbitmq
|
|
||||||
- staging-rabbitmq
|
|
||||||
- prod-redis
|
|
||||||
- staging-redis
|
|
||||||
exclude:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
kinds:
|
|
||||||
- Namespace
|
|
||||||
names:
|
|
||||||
- rabbitmq
|
|
||||||
- redis
|
|
||||||
@@ -1,42 +1,34 @@
|
|||||||
|
{{- if .Values.kyverno.enabled }}
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
metadata:
|
metadata:
|
||||||
|
name: sync-regcred-secret
|
||||||
annotations:
|
annotations:
|
||||||
|
policies.kyverno.io/title: Sync Secrets
|
||||||
policies.kyverno.io/category: Sample
|
policies.kyverno.io/category: Sample
|
||||||
policies.kyverno.io/description: 'Secrets like registry credentials often need
|
policies.kyverno.io/subject: Secret
|
||||||
to exist in multiple Namespaces so Pods there have access. Manually duplicating
|
policies.kyverno.io/description: >-
|
||||||
those Secrets is time consuming and error prone. This policy will copy a Secret
|
Secrets like registry credentials often need to exist in multiple
|
||||||
called `regcred` which exists in the `default` Namespace to new Namespaces when
|
Namespaces so Pods there have access. Manually duplicating those Secrets
|
||||||
they are created. It will also push updates to the copied Secrets should the
|
is time consuming and error prone. This policy will copy a
|
||||||
source Secret be changed. '
|
Secret called `regcred` which exists in the `default` Namespace to
|
||||||
creationTimestamp: "2024-01-15T11:58:24Z"
|
new Namespaces when they are created. It will also push updates to
|
||||||
name: sync-regcred
|
the copied Secrets should the source Secret be changed.
|
||||||
spec:
|
spec:
|
||||||
admission: true
|
|
||||||
background: true
|
|
||||||
generateExisting: true
|
|
||||||
rules:
|
rules:
|
||||||
- generate:
|
- name: sync-image-pull-secret
|
||||||
apiVersion: v1
|
skipBackgroundRequests: true
|
||||||
clone:
|
|
||||||
# name: oceanbox-regcred
|
|
||||||
name: gitlab-pull-secret
|
|
||||||
namespace: default
|
|
||||||
kind: Secret
|
|
||||||
# name: oceanbox-regcred
|
|
||||||
name: gitlab-pull-secret
|
|
||||||
namespace: '{{`{{request.object.metadata.name}}`}}'
|
|
||||||
synchronize: true
|
|
||||||
exclude:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
annotations:
|
|
||||||
vcluster.loft.sh/controlled-by: secret/v1/GenericImport
|
|
||||||
match:
|
match:
|
||||||
any:
|
resources:
|
||||||
- resources:
|
kinds:
|
||||||
kinds:
|
- Namespace
|
||||||
- Namespace
|
generate:
|
||||||
name: sync-oceanbox-regcred
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
name: regcred
|
||||||
|
namespace: "{{`{{request.object.metadata.name}}`}}"
|
||||||
|
synchronize: true
|
||||||
|
clone:
|
||||||
|
namespace: default
|
||||||
|
name: regcred
|
||||||
|
{{- end }}
|
||||||
|
|||||||
Reference in New Issue
Block a user