From 3010ccac50d26cd47e7b40495fe6c6aca897c70e Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Wed, 11 Jun 2025 17:59:03 +0000
Subject: [PATCH] feat: first working Kyverno Policy integration
---
charts/kubezero-mq/values.yaml | 4 ++
charts/kubezero-policy/values.yaml | 56 ++++++++++++++++++++-------
charts/kubezero/templates/policy.yaml | 24 +++++++++++-
3 files changed, 70 insertions(+), 14 deletions(-)
diff --git a/charts/kubezero-mq/values.yaml b/charts/kubezero-mq/values.yaml
index ee0ef870..0fd9f533 100644
--- a/charts/kubezero-mq/values.yaml
+++ b/charts/kubezero-mq/values.yaml
@@ -3,6 +3,10 @@ nats: enabled: false config:
+ cluster:
+ routeURLs:
+ useFQDN: true
+ jetstream: enabled: true
diff --git a/charts/kubezero-policy/values.yaml b/charts/kubezero-policy/values.yaml
index 562b4896..daaa5b49 100644
--- a/charts/kubezero-policy/values.yaml
+++ b/charts/kubezero-policy/values.yaml
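Review bot: The new `cluster.routeURLs.useFQDN: true` under `nats.config` carries no comment saying why it is needed, and it is the only change in this patch that is unrelated to the Kyverno integration named in the subject. A one-line comment above `cluster:` stating what FQDN route URLs are required for (the reason is not visible in the hunk) would keep the intent next to the value, and the change would be easier to trace in its own commit. The neighbouring `enabled: false` suggests the NATS block is inert by default, so this setting is probably not exercised by the rest of the patch; worth confirming it was rendered and tested separately.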
@@ -1,28 +1,58 @@ kyverno: enabled: false + # Disable hooks being triggered during each sync + policyReportsCleanup: + enabled: false + webhooksCleanup: + enabled: false + autoDeleteWebhooks: + enabled: true + + crds: + migration: + enabled: false + # templating: # enabled: true + config: + preserve: false + webhookAnnotations: + argocd.argoproj.io/installation-id: KubeZero-ArgoCD + # Unfortunately Argo needs different values for Mutating and Validating hooks so disabled for now + # argocd.argoproj.io/tracking-id: policy:/ServiceAccount:kyverno/kyverno-admission-controller + + features: + logging: + format: json + + # Enabled via kubezero global metrics flag + grafana: + enabled: false + admissionController: revisionHistoryLimit: 2 - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - -# container: -# extraArgs: -# caSecretName: kubezero-policy-admission-tls -# tlsSecretName: kubezero-policy-admission-tls + cleanupController: + revisionHistoryLimit: 2 + rbac: + clusterRole: + extraResources: + # Allow to clean up postgreSQL backups + - apiGroups: + - postgresql.cnpg.io + resources: + - backups + verbs: + - delete + - list + - watch backgroundController: + revisionHistoryLimit: 2 enabled: false -# cleanupController: -# enabled: false - reportsController: + revisionHistoryLimit: 2 enabled: false diff --git a/charts/kubezero/templates/policy.yaml b/charts/kubezero/templates/policy.yaml index df56e9bf..3ce4b78d 100644 --- a/charts/kubezero/templates/policy.yaml +++ b/charts/kubezero/templates/policy.yaml 
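Review bot: The `extraResources` entry added under `cleanupController.rbac.clusterRole` gives the cleanup controller `delete`, `list` and `watch` on every `backups.postgresql.cnpg.io` object in the cluster, and the comment `# Allow to clean up postgreSQL backups` does not say which CleanupPolicy relies on it, so a mis-scoped or mistaken policy could remove backups in any namespace. Name the consuming policy in the comment, e.g. `# Required by the <cleanup-policy-name> CleanupPolicy to prune CNPG Backup objects; grant is cluster-wide, so keep that policy's match narrow`, and confirm the grant cannot be limited to the namespaces the policy targets. The removed `nodeSelector`/`tolerations` on `admissionController` are not re-added here; if they are now meant to come only from the platform-gated `global` block in `charts/kubezero/templates/policy.yaml`, a short comment under `admissionController:` saying so would stop someone re-adding them later.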
@@ -1,6 +1,28 @@ {{- define "policy-values" }} kyverno: - dummy: test + {{- if eq .Values.global.platform "aws" }} + global: + {{- include "kubezero-lib.control-plane" . | nindent 4 }} + {{- end }} + + grafana: + enabled: {{ .Values.metrics.enabled }} + + admissionController: + serviceMonitor: + enabled: {{ .Values.metrics.enabled }} + + cleanupController: + serviceMonitor: + enabled: {{ .Values.metrics.enabled }} + + backgroundController: + serviceMonitor: + enabled: {{ .Values.metrics.enabled }} + + reportsController: + serviceMonitor: + enabled: {{ .Values.metrics.enabled }} {{- end }} {{- define "policy-argo" }}
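Review bot: Each `enabled: {{ .Values.metrics.enabled }}` line renders as an empty value when `metrics.enabled` is unset, which YAML reads as null rather than an explicit boolean; writing `enabled: {{ .Values.metrics.enabled | default false }}` makes the rendered value a plain `false` in that case. The `global` block is now emitted only when `.Values.global.platform` is `"aws"`, whereas the control-plane `nodeSelector`/`tolerations` were previously unconditional in `charts/kubezero-policy/values.yaml`; if non-AWS platforms are intended to run the admission controller off the control plane, a comment on the `{{- if eq ... }}` line saying so would make that deliberate rather than accidental. The identical `serviceMonitor.enabled` stanza is repeated for four controllers, which is fine, but a single comment above `grafana:` noting that all of them follow the global metrics flag would explain the repetition.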