Kyverno (noble)
Admission policies using Kyverno. The main chart installs controllers and CRDs; kyverno-policies installs Pod Security Standard rules matching the baseline profile in Audit mode (violations are visible in policy reports; workloads are not denied).
- Charts: kyverno/kyverno 3.7.1 (app v1.17.1), kyverno/kyverno-policies 3.7.1
- Namespace: kyverno
Install
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
kubectl apply -f clusters/noble/bootstrap/kyverno/namespace.yaml
helm upgrade --install kyverno kyverno/kyverno -n kyverno \
--version 3.7.1 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
--version 3.7.1 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
Verify:
kubectl -n kyverno get pods
kubectl get clusterpolicy | head
Notes
- validationFailureAction: Audit in policies-values.yaml avoids breaking namespaces that need privileged behavior (Longhorn, monitoring node-exporter, etc.). Switch specific policies or namespaces to Enforce when you are ready.
- To use restricted instead of baseline, change podSecurityStandard in policies-values.yaml and reconcile expectations for host mounts and capabilities.
- Upgrade: bump --version on both charts together; read Kyverno release notes for breaking changes.
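
One way to judge readiness before switching a policy to Enforce, as an added example that is not part of this repository: tally the failing results in the policy reports per namespace and policy. It assumes jq is installed and that report entries carry results[].policy and results[].result; the function names and the sample rows are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list what still fails in Audit mode before moving to Enforce.
# Assumptions: jq is installed; reports expose results[].policy and results[].result.

# Emit one "namespace<TAB>policy<TAB>result" row per policy report result.
fetch_results() {
  kubectl get policyreport -A -o json |
    jq -r '.items[] | .metadata.namespace as $ns
           | .results[]? | [$ns, .policy, .result] | @tsv'
}

# Read rows on stdin; print "namespace<TAB>policy<TAB>fail_count" for every
# namespace/policy pair that has at least one failing result.
fail_summary() {
  awk -F'\t' '$3 == "fail" { n[$1 "\t" $2]++ }
              END { for (k in n) printf "%s\t%s\n", k, n[k] }' | LC_ALL=C sort
}

# Read rows on stdin; succeed only if the named policy has no failing result
# in any namespace, i.e. no audit violation is currently reported for it.
policy_is_clean() {
  ! awk -F'\t' -v p="$1" '$2 == p && $3 == "fail" { found = 1 }
                          END { exit !found }'
}

# Constructed sample rows (not taken from a real cluster).
SAMPLE_ROWS=$(printf '%s\t%s\t%s\n' \
  longhorn-system disallow-privileged-containers fail \
  longhorn-system disallow-host-path fail \
  longhorn-system disallow-host-path fail \
  monitoring disallow-host-namespaces fail \
  default disallow-privileged-containers pass \
  default disallow-capabilities pass)

# Query the cluster only when asked to: ./audit-check.sh --live
if [ "${1:-}" = "--live" ]; then
  fetch_results | fail_summary
fi
```

A policy that never appears in the summary is a candidate for Enforce; a namespace that dominates it (Longhorn in the sample rows) is one to exclude or leave in Audit.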