diff --git a/platform/kyverno/policies/cleanup-rbac.yaml b/platform/kyverno/policies/cleanup-rbac.yaml
index 4b77d0b..d008ca4 100644
--- a/platform/kyverno/policies/cleanup-rbac.yaml
+++ b/platform/kyverno/policies/cleanup-rbac.yaml
@@ -4,6 +4,8 @@ metadata:
 name: kyverno:cleanup-pods
 labels:
 rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
 rules:
 - apiGroups: [""]
 resources: ["pods"]
diff --git a/platform/kyverno/policies/generate-ns-network-baseline.yaml b/platform/kyverno/policies/generate-ns-network-baseline.yaml
new file mode 100644
index 0000000..25c1900
--- /dev/null
+++ b/platform/kyverno/policies/generate-ns-network-baseline.yaml
@@ -0,0 +1,54 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-ns-network-baseline
+ annotations:
+ policies.kyverno.io/title: Inject Namespace Baseline CNP
+ policies.kyverno.io/description: Automatically provisions a local default-deny + DNS egress CNP inside new application namespaces.
+spec:
+ background: true
+ rules:
+ - name: inject-local-cnp
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - default
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ - argocd
+ - kyverno
+ - cilium-ingress
+ - cilium-secrets
+ - cert-manager
+ - sealed-secrets
+ - nfs-subdir-external-provisioner
+ generate:
+ apiVersion: cilium.io/v2
+ kind: CiliumNetworkPolicy
+ name: baseline-network-security
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ spec:
+ endpointSelector: {}
+ ingress:
+ - {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ rules:
+ dns:
+ - matchPattern: "*"
diff --git a/platform/kyverno/policies/kustomization.yaml b/platform/kyverno/policies/kustomization.yaml
index 3e4656c..c869356 100644
--- a/platform/kyverno/policies/kustomization.yaml
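Review bot: The bare `- {}` ingress rule in the generated CiliumNetworkPolicy needs a comment, because it reads like the Kubernetes NetworkPolicy idiom for "allow all ingress" whereas in Cilium, as I read the policy semantics, an ingress rule with no selectors and no ports puts the selected endpoints into ingress default-deny without allowing anything — which is what the description "default-deny + DNS egress" intends, but the next reader may "fix" it. Suggest `# Empty rule: Cilium enforces ingress default-deny and allows nothing here (unlike a K8s NetworkPolicy '- {}', which would allow all)` above `- {}`. The exclusion block filters a cluster-scoped Namespace resource with `namespaces:`; Kyverno appears to map that to the Namespace's own name, but `resources.names` is the field that unambiguously matches Namespace objects by name, so confirm against the Kyverno version in use. Note also that the exclusion is a denylist: any platform namespace added later that is not listed here receives an ingress default-deny, DNS-only-egress CNP on creation, so the list has to be kept in step with new infrastructure components.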
+++ b/platform/kyverno/policies/kustomization.yaml
@@ -5,3 +5,5 @@ resources:
 - cleanup-rbac.yaml
 - purge-terminal-pods.yaml
 - disallow-latest-tag.yaml
+ - kyverno-cilium-rbac.yaml
+ - generate-ns-network-baseline.yaml
diff --git a/platform/kyverno/policies/kyverno-cilium-rbac.yaml b/platform/kyverno/policies/kyverno-cilium-rbac.yaml
new file mode 100644
index 0000000..b62c1b7
--- /dev/null
+++ b/platform/kyverno/policies/kyverno-cilium-rbac.yaml
@@ -0,0 +1,52 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:generate-cilium-cnps
+ labels:
+ kyverno.io/aggregate-to-background: "true"
+ kyverno.io/aggregate-to-reports: "true"
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+rules:
+ - apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnetworkpolicies
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:generate-cilium-cnps-background-binding
+subjects:
+ - kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: kyverno
+roleRef:
+ kind: ClusterRole
+ name: kyverno:generate-cilium-cnps
+ apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:generate-cilium-cnps-admission-binding
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+subjects:
+ - kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: kyverno
+roleRef:
+ kind: ClusterRole
+ name: kyverno:generate-cilium-cnps
+ apiGroup: rbac.authorization.k8s.io
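Review bot: The ClusterRole carries `kyverno.io/aggregate-to-reports: "true"` on a rule that grants create/update/patch/delete on every CiliumNetworkPolicy in the cluster, although a reports controller only needs to read them; split it into a read-only role (get/list/watch) aggregated to reports and the write role aggregated to background, so a compromised reports controller cannot rewrite or remove network policy cluster-wide. The explicit `kyverno:generate-cilium-cnps-admission-binding` likewise hands the admission controller full write on CNPs; if generate rules on this Kyverno version are executed by the background controller, that binding (and the background binding, which duplicates the aggregation label) can be dropped or reduced to read verbs — worth confirming before merge. Separately, `kyverno:generate-cilium-cnps-background-binding` is the only object in the file without the `argocd.argoproj.io/sync-wave: "-1"` annotation that the ClusterRole and the admission binding carry, which looks like an oversight.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:generate-cilium-cnps
  labels:
    kyverno.io/aggregate-to-background: "true"
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
rules:
  - apiGroups:
      - cilium.io
    resources:
      - ciliumnetworkpolicies
    verbs:
      - create
      - update
      - patch
      - delete
      - get
      - list
      - watch

---
# Read-only view of CNPs for the reports controller; no write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:view-cilium-cnps
  labels:
    kyverno.io/aggregate-to-reports: "true"
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
rules:
  - apiGroups:
      - cilium.io
    resources:
      - ciliumnetworkpolicies
    verbs:
      - get
      - list
      - watch
# … unchanged: ClusterRoleBindings …
```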