feat: first working Kyverno Policy integration

2025-06-11 17:59:03 +00:00 · 2025-06-11 17:59:03 +00:00 · 3010ccac50
commit 3010ccac50
parent de0a68cd81
3 changed files with 70 additions and 14 deletions
--- a/charts/kubezero-mq/values.yaml
+++ b/charts/kubezero-mq/values.yaml
@ -3,6 +3,10 @@ nats:
  enabled: false

  config:
+    cluster:
+      routeURLs:
+        useFQDN: true
+
    jetstream:
      enabled: true

--- a/charts/kubezero-policy/values.yaml
+++ b/charts/kubezero-policy/values.yaml
@ -1,28 +1,58 @@
 kyverno:
  enabled: false

+  # Disable hooks being triggered during each sync
+  policyReportsCleanup:
+    enabled: false
+  webhooksCleanup:
+    enabled: false
+    autoDeleteWebhooks:
+      enabled: true
+
+  crds:
+    migration:
+      enabled: false
+
 # templating:
 #   enabled: true

+  config:
+    preserve: false
+    webhookAnnotations:
+      argocd.argoproj.io/installation-id: KubeZero-ArgoCD
+      # Unfortunately Argo needs different values for Mutating and Validating hooks so disabled for now
+      # argocd.argoproj.io/tracking-id: policy:/ServiceAccount:kyverno/kyverno-admission-controller
+
+  features:
+    logging:
+      format: json
+
+  # Enabled via kubezero global metrics flag
+  grafana:
+    enabled: false
+
  admissionController:
    revisionHistoryLimit: 2

-    nodeSelector:
-      node-role.kubernetes.io/control-plane: ""
-    tolerations:
-    - key: node-role.kubernetes.io/control-plane
-      effect: NoSchedule
-
-#   container:
-#     extraArgs:
-#       caSecretName: kubezero-policy-admission-tls
-#       tlsSecretName: kubezero-policy-admission-tls
+  cleanupController:
+    revisionHistoryLimit: 2
+    rbac:
+      clusterRole:
+        extraResources:
+          # Allow to clean up postgreSQL backups
+          - apiGroups:
+              - postgresql.cnpg.io
+            resources:
+              - backups
+            verbs:
+              - delete
+              - list
+              - watch

  backgroundController:
+    revisionHistoryLimit: 2
    enabled: false

-# cleanupController:
-#   enabled: false
-
  reportsController:
+    revisionHistoryLimit: 2
    enabled: false
--- a/charts/kubezero/templates/policy.yaml
+++ b/charts/kubezero/templates/policy.yaml
@ -1,6 +1,28 @@
 {{- define "policy-values" }}
 kyverno:
-  dummy: test
+  {{- if eq .Values.global.platform "aws" }}
+  global:
+    {{- include "kubezero-lib.control-plane" . | nindent 4 }}
+  {{- end }}
+
+  grafana:
+    enabled: {{ .Values.metrics.enabled }}
+
+  admissionController:
+    serviceMonitor:
+      enabled: {{ .Values.metrics.enabled }}
+
+  cleanupController:
+    serviceMonitor:
+      enabled: {{ .Values.metrics.enabled }}
+
+  backgroundController:
+    serviceMonitor:
+      enabled: {{ .Values.metrics.enabled }}
+
+  reportsController:
+    serviceMonitor:
+      enabled: {{ .Values.metrics.enabled }}
 {{- end }}

 {{- define "policy-argo" }}