Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

2026-03-28 17:02:50 -04:00
parent 41841abc84
commit 90fd8fb8a6
59 changed files with 28 additions and 38 deletions
--- a/clusters/noble/bootstrap/kyverno/policies-values.yaml
+++ b/clusters/noble/bootstrap/kyverno/policies-values.yaml
@@ -0,0 +1,62 @@
+# kyverno/kyverno-policies — Pod Security Standards as Kyverno ClusterPolicies
+#
+# helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
+#   --version 3.7.1 -f clusters/noble/apps/kyverno/policies-values.yaml --wait --timeout 10m
+#
+# Default profile is baseline; validationFailureAction is Audit so existing privileged
+# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp
+# surfaces those as “policy violations”. Exclude namespaces that intentionally run
+# outside baseline (see namespace PSA labels under clusters/noble/apps/*/namespace.yaml)
+# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
+#
+# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
+#   kubectl delete clusterpolicyreport --all
+#   kubectl delete policyreport -A --all
+# (Reports are recreated on the next background scan.)
+#
+# Exclude blocks omit `kinds` so the same namespace skip applies to autogen rules for
+# Deployments, DaemonSets, etc. (see kyverno/kyverno#4306).
+#
+policyKind: ClusterPolicy
+policyType: ClusterPolicy
+podSecurityStandard: baseline
+podSecuritySeverity: medium
+validationFailureAction: Audit
+failurePolicy: Fail
+validationAllowExistingViolations: true
+
+# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/apps).
+x-kyverno-exclude-infra: &kyverno_exclude_infra
+  any:
+    - resources:
+        namespaces:
+          - kube-system
+          - kube-public
+          - kube-node-lease
+          - argocd
+          - cert-manager
+          - external-secrets
+          - headlamp
+          - kyverno
+          - logging
+          - loki
+          - longhorn-system
+          - metallb-system
+          - monitoring
+          - newt
+          - sealed-secrets
+          - traefik
+          - vault
+
+policyExclude:
+  disallow-capabilities: *kyverno_exclude_infra
+  disallow-host-namespaces: *kyverno_exclude_infra
+  disallow-host-path: *kyverno_exclude_infra
+  disallow-host-ports: *kyverno_exclude_infra
+  disallow-host-process: *kyverno_exclude_infra
+  disallow-privileged-containers: *kyverno_exclude_infra
+  disallow-proc-mount: *kyverno_exclude_infra
+  disallow-selinux: *kyverno_exclude_infra
+  restrict-apparmor-profiles: *kyverno_exclude_infra
+  restrict-seccomp: *kyverno_exclude_infra
+  restrict-sysctls: *kyverno_exclude_infra