fix: fix kyveno policies

This commit is contained in:
2025-06-20 14:55:18 +02:00
parent df7829dfbd
commit f3db2438cf
8 changed files with 34 additions and 27 deletions
+2
@@ -41,3 +41,5 @@ clusterConfig:
enabled: true
cilium:
enabled: true
kyverno:
enabled: true
@@ -1,3 +1,4 @@
{{- if .Values.clusterConfig.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
@@ -29,4 +30,4 @@ spec:
uri: '{{`postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable`}}'
skipBackgroundRequests: true
validationFailureAction: Audit
{{- end }}
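Review bot: The `uri` value on the new side builds a plain `postgres://user:password@<cluster>-rw/app` string from the decoded Secret fields and appends `?sslmode=disable`, so any consumer of the generated value connects to the CNPG read-write service without TLS and with the credentials in the clear. The rendered hunk (`-29,4 +30,4`) does not show whether the `uri` line itself changed or is context, and the enclosing `spec:` starts outside the hunk, so this may be pre-existing; still, the commit is the point where this policy becomes conditional on `clusterConfig.kyverno.enabled`, and the choice deserves either `sslmode=require` (or `verify-full` when the cluster CA is available) or a comment stating why plaintext is acceptable, e.g. `# sslmode=disable is deliberate: <reason> — confirm with the CNPG cluster's TLS setup`.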
@@ -1,3 +1,4 @@
{{- if .Values.clusterConfig.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
@@ -173,3 +174,4 @@ spec:
- prod-atlantis-db-replication
annotations:
kyverno/clone: "true"
{{- end }}
@@ -1,12 +1,13 @@
{{- if .Values.clusterConfig.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-gitlab-secret
annotations:
policies.kyverno.io/title: Sync Secrets
policies.kyverno.io/category: Sample
policies.kyverno.io/subject: Secret
policies.kyverno.io/description: >-
policies.clusterConfig.kyverno.io/title: Sync Secrets
policies.clusterConfig.kyverno.io/category: Sample
policies.clusterConfig.kyverno.io/subject: Secret
policies.clusterConfig.kyverno.io/description: >-
Secrets like registry credentials often need to exist in multiple
Namespaces so Pods there have access. Manually duplicating those Secrets
is time consuming and error prone. This policy will copy a
@@ -30,3 +31,4 @@ spec:
clone:
namespace: default
name: gitlab-pull-secret
{{- end }}
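Review bot: The annotation keys on the new side were rewritten from `policies.kyverno.io/title`, `/category`, `/subject` and `/description` to `policies.clusterConfig.kyverno.io/...`, which looks like the `kyverno.` → `clusterConfig.kyverno.` substitution meant for the `.Values` path also hitting the metadata. `policies.kyverno.io/` is the prefix Kyverno itself recognises; its policy reports take their category and severity from `policies.kyverno.io/category` and `policies.kyverno.io/severity`, so the renamed keys become inert custom annotations and the reports lose that metadata (severity is affected in the whitelist-internal-ingresses section, where `policies.kyverno.io/severity: medium` was renamed). The same rename appears in the sync-keyvault-secrets, sync-regcred-secret, sync-s3-credentials and whitelist-internal-ingresses sections; restore the original keys in all of them, keeping only the `{{- if .Values.clusterConfig.kyverno.enabled }}` change, e.g. `policies.kyverno.io/title: Sync Secrets`.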
@@ -1,9 +1,10 @@
{{- if .Values.clusterConfig.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Sample
policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
policies.clusterConfig.kyverno.io/category: Sample
policies.clusterConfig.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
creationTimestamp: "2024-01-15T11:58:24Z"
name: sync-keyvault-secrets
spec:
@@ -28,5 +29,4 @@ spec:
names:
- "*-atlantis"
name: sync-keyvault-secrets
{{- end }}
@@ -1,13 +1,13 @@
{{- if .Values.kyverno.enabled }}
{{- if .Values.clusterConfig.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-regcred-secret
annotations:
policies.kyverno.io/title: Sync Secrets
policies.kyverno.io/category: Sample
policies.kyverno.io/subject: Secret
policies.kyverno.io/description: >-
policies.clusterConfig.kyverno.io/title: Sync Secrets
policies.clusterConfig.kyverno.io/category: Sample
policies.clusterConfig.kyverno.io/subject: Secret
policies.clusterConfig.kyverno.io/description: >-
Secrets like registry credentials often need to exist in multiple
Namespaces so Pods there have access. Manually duplicating those Secrets
is time consuming and error prone. This policy will copy a
@@ -1,11 +1,11 @@
{{- if .Values.kyverno.enabled }}
{{- if .Values.clusterConfig.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
policies.kyverno.io/subject: Secret
policies.kyverno.io/title: Sync s3 Secrets
policies.clusterConfig.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
policies.clusterConfig.kyverno.io/subject: Secret
policies.clusterConfig.kyverno.io/title: Sync s3 Secrets
name: sync-s3-credentials
spec:
generateExistingOnPolicyUpdate: true
@@ -1,14 +1,14 @@
{{- if .Values.kyverno.enabled }}
{{- if .Values.clusterConfig.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: whitelist-internal-ingresses
annotations:
policies.kyverno.io/title: Concatenate Ingresss
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
policies.clusterConfig.kyverno.io/title: Concatenate Ingresss
policies.clusterConfig.kyverno.io/category: Other
policies.clusterConfig.kyverno.io/severity: medium
policies.clusterConfig.kyverno.io/subject: Ingress
policies.clusterConfig.kyverno.io/description: >-
Ingresses with the label "internal=true" should be whitelisted.
If no whitelist exists, add the default values, otherwise append
whitelist to the already existing ones