67 lines
2.7 KiB
YAML
67 lines
2.7 KiB
YAML
# kyverno/kyverno-policies — Pod Security Standards as Kyverno ClusterPolicies
|
|
#
|
|
# helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
|
|
# --version 3.8.0 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
|
|
#
|
|
# Default profile is baseline; validationFailureAction is Audit so existing privileged
|
|
# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp
|
|
# surfaces those as “policy violations”. Exclude namespaces that intentionally run
|
|
# outside baseline (see namespace PSA labels under clusters/noble/bootstrap/*/namespace.yaml)
|
|
# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
|
|
#
|
|
# failurePolicy **Ignore** (chart default is Fail): when the apiserver cannot reach Kyverno
|
|
# within the webhook timeout (e.g. admission overloaded during Helm hooks / Longhorn
|
|
# post-upgrade Job), Fail denies the request and breaks installs. Ignore allows the request
|
|
# through on transport failure only — policy violations are still handled per
|
|
# validationFailureAction when Kyverno responds.
|
|
#
|
|
# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
|
|
# kubectl delete clusterpolicyreport --all
|
|
# kubectl delete policyreport -A --all
|
|
# (Reports are recreated on the next background scan.)
|
|
#
|
|
# Exclude blocks omit `kinds` so the same namespace skip applies to autogen rules for
|
|
# Deployments, DaemonSets, etc. (see kyverno/kyverno#4306).
|
|
#
|
|
policyKind: ClusterPolicy
|
|
policyType: ClusterPolicy
|
|
podSecurityStandard: baseline
|
|
podSecuritySeverity: medium
|
|
validationFailureAction: Audit
|
|
failurePolicy: Ignore
|
|
validationAllowExistingViolations: true
|
|
|
|
# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/bootstrap). Includes **trivy-system**.
|
|
x-kyverno-exclude-infra: &kyverno_exclude_infra
|
|
any:
|
|
- resources:
|
|
namespaces:
|
|
- kube-system
|
|
- kube-public
|
|
- kube-node-lease
|
|
- argocd
|
|
- cert-manager
|
|
- headlamp
|
|
- kyverno
|
|
- logging
|
|
- loki
|
|
- longhorn-system
|
|
- metallb-system
|
|
- monitoring
|
|
- newt
|
|
- traefik
|
|
- trivy-system
|
|
|
|
policyExclude:
|
|
disallow-capabilities: *kyverno_exclude_infra
|
|
disallow-host-namespaces: *kyverno_exclude_infra
|
|
disallow-host-path: *kyverno_exclude_infra
|
|
disallow-host-ports: *kyverno_exclude_infra
|
|
disallow-host-process: *kyverno_exclude_infra
|
|
disallow-privileged-containers: *kyverno_exclude_infra
|
|
disallow-proc-mount: *kyverno_exclude_infra
|
|
disallow-selinux: *kyverno_exclude_infra
|
|
restrict-apparmor-profiles: *kyverno_exclude_infra
|
|
restrict-seccomp: *kyverno_exclude_infra
|
|
restrict-sysctls: *kyverno_exclude_infra
|