63 lines
2.3 KiB
YAML
63 lines
2.3 KiB
YAML
# kyverno/kyverno-policies — Pod Security Standards as Kyverno ClusterPolicies
|
|
#
|
|
# helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
|
|
# --version 3.7.1 -f clusters/noble/apps/kyverno/policies-values.yaml --wait --timeout 10m
|
|
#
|
|
# Default profile is baseline; validationFailureAction is Audit so existing privileged
|
|
# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp
|
|
# surfaces those as “policy violations”. Exclude namespaces that intentionally run
|
|
# outside baseline (see namespace PSA labels under clusters/noble/apps/*/namespace.yaml)
|
|
# plus core Kubernetes namespaces and every Ansible-managed app namespace on noble.
|
|
#
|
|
# After widening excludes, Kyverno does not always prune old PolicyReport rows; refresh:
|
|
# kubectl delete clusterpolicyreport --all
|
|
# kubectl delete policyreport -A --all
|
|
# (Reports are recreated on the next background scan.)
|
|
#
|
|
# Exclude blocks omit `kinds` so the same namespace skip applies to autogen rules for
|
|
# Deployments, DaemonSets, etc. (see kyverno/kyverno#4306).
|
|
#
|
|
policyKind: ClusterPolicy
|
|
policyType: ClusterPolicy
|
|
podSecurityStandard: baseline
|
|
podSecuritySeverity: medium
|
|
validationFailureAction: Audit
|
|
failurePolicy: Fail
|
|
validationAllowExistingViolations: true
|
|
|
|
# All platform namespaces on noble (ansible/playbooks/noble.yml + clusters/noble/apps).
|
|
x-kyverno-exclude-infra: &kyverno_exclude_infra
|
|
any:
|
|
- resources:
|
|
namespaces:
|
|
- kube-system
|
|
- kube-public
|
|
- kube-node-lease
|
|
- argocd
|
|
- cert-manager
|
|
- external-secrets
|
|
- headlamp
|
|
- kyverno
|
|
- logging
|
|
- loki
|
|
- longhorn-system
|
|
- metallb-system
|
|
- monitoring
|
|
- newt
|
|
- sealed-secrets
|
|
- traefik
|
|
- vault
|
|
|
|
policyExclude:
|
|
disallow-capabilities: *kyverno_exclude_infra
|
|
disallow-host-namespaces: *kyverno_exclude_infra
|
|
disallow-host-path: *kyverno_exclude_infra
|
|
disallow-host-ports: *kyverno_exclude_infra
|
|
disallow-host-process: *kyverno_exclude_infra
|
|
disallow-privileged-containers: *kyverno_exclude_infra
|
|
disallow-proc-mount: *kyverno_exclude_infra
|
|
disallow-selinux: *kyverno_exclude_infra
|
|
restrict-apparmor-profiles: *kyverno_exclude_infra
|
|
restrict-seccomp: *kyverno_exclude_infra
|
|
restrict-sysctls: *kyverno_exclude_infra
|