add kyverno no latest

Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-05 21:31:00 +00:00 · 2026-05-17 17:14:37 -04:00 · 2026-05-17 17:14:37 -04:00 · a39d676252
commit a39d676252
parent adc6cdb0bc
6 changed files with 66 additions and 1 deletions
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@ -6,5 +6,6 @@ resources:
  - kyverno-policies.yaml
  - tetragon-core.yaml
  - tetragon-policies.yaml
+  - sealed-secrets.yaml
  - forgejo.yaml
  - navidrome.yaml
--- a/management/platform-apps/sealed-secrets.yaml
+++ b/management/platform-apps/sealed-secrets.yaml
@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sealed-secrets
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    path: platform/sealed-secrets
+    repoURL: 'https://github.com/gwg313/homelab-gitops.git'
+    targetRevision: main
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: sealed-secrets
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
--- a/platform/kyverno/policies/disallow-latest-tag.yaml
+++ b/platform/kyverno/policies/disallow-latest-tag.yaml
@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-latest-tag
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-image-tag
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
+        foreach:
+          - list: "request.object.spec.containers"
+            deny:
+              conditions:
+                any:
+                  - key: "{{ regex_match('^.*:latest$', '{{ element.image }}') }}"
+                    operator: Equals
+                    value: true
+                  - key: "{{ !contains('{{ element.image }}', ':') }}"
+                    operator: Equals
+                    value: true
--- a/platform/kyverno/policies/kustomization.yaml
+++ b/platform/kyverno/policies/kustomization.yaml
@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - purge-terminal-pods.yaml
  - cleanup-rbac.yaml
+  - purge-terminal-pods.yaml
+  - disallow-latest-tag.yaml
--- a/platform/sealed-secrets/Chart.yaml
+++ b/platform/sealed-secrets/Chart.yaml
@ -0,0 +1,11 @@
+apiVersion: v2
+name: sealed-secrets
+description: Sealed Secrets
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+
+dependencies:
+  - name: sealed-secrets
+    version: 2.18.5
+    repository: https://bitnami-labs.github.io/sealed-secrets
--- a/platform/sealed-secrets/values.yaml
+++ b/platform/sealed-secrets/values.yaml
@ -0,0 +1,2 @@
+sealed-secrets:
+  fullnameOverride: sealed-secrets-controller