add kyverno no latest
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
adc6cdb0bc
commit
a39d676252
6 changed files with 66 additions and 1 deletions
|
|
@ -6,5 +6,6 @@ resources:
|
||||||
- kyverno-policies.yaml
|
- kyverno-policies.yaml
|
||||||
- tetragon-core.yaml
|
- tetragon-core.yaml
|
||||||
- tetragon-policies.yaml
|
- tetragon-policies.yaml
|
||||||
|
- sealed-secrets.yaml
|
||||||
- forgejo.yaml
|
- forgejo.yaml
|
||||||
- navidrome.yaml
|
- navidrome.yaml
|
||||||
|
|
|
||||||
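--- /dev/null
+++ b/management/platform-apps/sealed-secrets.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sealed-secrets
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    path: platform/sealed-secrets
+    repoURL: 'https://github.com/gwg313/homelab-gitops.git'
+    targetRevision: main
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: sealed-secrets
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true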
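Review bot: Nothing in this manifest accounts for the sealing key pair the controller generates: the Application carries `resources-finalizer.argocd.argoproj.io` together with `prune: true`, so deleting or pruning it tears down the controller, and every SealedSecret committed to this repo can only be decrypted with the key that controller held in the `sealed-secrets` namespace. Unless that key is backed up out of band or pre-seeded as a Secret the controller reads on start, a rebuild of this Application leaves the committed secrets unrecoverable; the page does not show either being done. A comment next to `prune: true` would make the operational dependency visible: `# the controller owns the cluster's sealing key pair; back it up before deleting or pruning this Application`.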
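--- /dev/null
+++ b/platform/kyverno/policies/disallow-latest-tag.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-latest-tag
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-image-tag
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
+        foreach:
+          - list: "request.object.spec.containers"
+            deny:
+              conditions:
+                any:
+                  - key: "{{ regex_match('^.*:latest$', '{{ element.image }}') }}"
+                    operator: Equals
+                    value: true
+                  - key: "{{ !contains('{{ element.image }}', ':') }}"
+                    operator: Equals
+                    value: true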
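Review bot: The foreach at `list: "request.object.spec.containers"` inspects only regular containers, so a Pod whose initContainers or ephemeralContainers use `:latest` or an untagged image passes this Enforce policy unchanged. Kyverno's foreach takes a JMESPath expression, so the one-line change `- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"` covers all three lists; confirm on a Pod that has no initContainers that the absent lists do not make the expression error under Enforce. Separately, the `!contains('{{ element.image }}', ':')` check treats any colon as a tag separator, so an image reference whose registry host carries a port but which has no tag is admitted as if it were tagged; Kyverno's pre-parsed `images.containers.*.tag` variables avoid that ambiguity and are worth considering for both conditions. A short comment above `foreach:` stating which container lists the rule covers would also help the next reader.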
|
|
@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- purge-terminal-pods.yaml
|
|
||||||
- cleanup-rbac.yaml
|
- cleanup-rbac.yaml
|
||||||
|
- purge-terminal-pods.yaml
|
||||||
|
- disallow-latest-tag.yaml
|
||||||
|
|
|
||||||
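--- /dev/null
+++ b/platform/sealed-secrets/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: sealed-secrets
+description: Sealed Secrets
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+
+dependencies:
+  - name: sealed-secrets
+    version: 2.18.5
+    repository: https://bitnami-labs.github.io/sealed-secrets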
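Review bot: `appVersion: 1.0.0` does not correspond to anything this umbrella chart ships; the only content is the `sealed-secrets` dependency pinned at `version: 2.18.5`, so any tooling that displays appVersion will report a controller version that does not exist. Either set `appVersion: "2.18.5"` and bump it alongside the dependency, or state the intent above the key: `# appVersion tracks this wrapper chart, not the upstream controller version`. Quoting the version strings is also cheap insurance against a consumer that infers types from plain scalars.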
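--- /dev/null
+++ b/platform/sealed-secrets/values.yaml
@@ -0,0 +1,2 @@
+sealed-secrets:
+  fullnameOverride: sealed-secrets-controller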
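Review bot: `fullnameOverride: sealed-secrets-controller` has a reason the file does not state: the `kubeseal` CLI looks for a controller Service of that name by default, so the override keeps client-side sealing working without a `--controller-name` flag. Note that kubeseal's default controller namespace is `kube-system`, while the Application deploys into `sealed-secrets`, so clients will still need `--controller-namespace sealed-secrets` or a fetched public certificate. A one-line comment above the key would record both facts: `# matches kubeseal's default --controller-name; clients still pass --controller-namespace sealed-secrets`.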