ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 23 Packages Projects Releases Wiki Activity

feat: basic Kyverno policies chart, AWS Pod Identity policy

Browse Source
This commit is contained in:
Stefan Reimer 2025-06-16 12:42:12 +00:00
parent 3010ccac50
commit 7a81e34eff
12 changed files with 226 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
charts/kubezero-policy/Chart.yaml
View File

@ -20,4 +20,7 @@ dependencies:
version: 3.4.2
repository: https://kyverno.github.io/kyverno/
condition: kyverno.enabled
- name: policies
version: 0.1.0
condition: policies.enabled
kubeVersion: ">= 1.30.0-0"

19
charts/kubezero-policy/README.md
View File

@ -18,6 +18,7 @@ Kubernetes: `>= 1.30.0-0`
| Repository | Name | Version |
|------------|------|---------|
| | policies | 0.1.0 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://kyverno.github.io/kyverno/ | kyverno | 3.4.2 |
@ -27,4 +28,22 @@ Kubernetes: `>= 1.30.0-0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| kyverno.admissionController.revisionHistoryLimit | int | `2` | |
| kyverno.backgroundController.revisionHistoryLimit | int | `2` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].apiGroups[0] | string | `"postgresql.cnpg.io"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].resources[0] | string | `"backups"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[0] | string | `"delete"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[1] | string | `"list"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[2] | string | `"watch"` | |
| kyverno.cleanupController.revisionHistoryLimit | int | `2` | |
| kyverno.config.preserve | bool | `false` | |
| kyverno.config.webhookAnnotations."argocd.argoproj.io/installation-id" | string | `"KubeZero-ArgoCD"` | |
| kyverno.crds.migration.enabled | bool | `false` | |
| kyverno.enabled | bool | `false` | |
| kyverno.features.logging.format | string | `"json"` | |
| kyverno.grafana.enabled | bool | `false` | |
| kyverno.policyReportsCleanup.enabled | bool | `false` | |
| kyverno.reportsController.enabled | bool | `false` | |
| kyverno.reportsController.revisionHistoryLimit | int | `2` | |
| kyverno.webhooksCleanup.autoDeleteWebhooks.enabled | bool | `true` | |
| kyverno.webhooksCleanup.enabled | bool | `true` | |

18
charts/kubezero-policy/charts/policies/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v2
name: policies
description: KubeZero collection of Kyverno policies
type: application
version: 0.1.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- kyverno
maintainers:
- name: Stefan Reimer
email: stefan@zero-downtime.net
dependencies:
- name: kubezero-lib
version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/
kubeVersion: ">= 1.30.0-0"

18
charts/kubezero-policy/charts/policies/README.md.gotmpl Normal file
View File

@ -0,0 +1,18 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
# Kyverno
{{ template "chart.valuesSection" . }}

69
charts/kubezero-policy/charts/policies/templates/aws/iam-pod-identity.yaml Normal file
View File

@ -0,0 +1,69 @@
{{- if .Values.aws.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-aws-iam-oidc-mapping
annotations:
policies.kyverno.io/title: AWS Pod Identity
policies.kyverno.io/category: aws
kyverno.io/kyverno-version: 1.14.0
kyverno.io/kubernetes-version: "1.31"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Pods having a service account annotated with \"kubezero.com/aws-iam-role-arn\"
will get the required environment variables as well as volumes injected
to make the SDKs automatically find and use the IAM role.
spec:
useServerSideApply: true
background: false
rules:
- name: add-aws-iam-oidc-mapping
context:
- name: saAnnotations
apiCall:
urlPath: "/api/v1/namespaces/{{`{{request.namespace}}`}}/serviceaccounts/{{`{{request.object.spec.serviceAccountName}}`}}"
jmesPath: "metadata.annotations || ''"
match:
any:
- resources:
kinds:
- Pod
operations:
- CREATE
preconditions:
all:
- key: "{{`{{request.object.spec.serviceAccountName || '' }}`}}"
operator: NotEquals
value: ""
- key: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" || '' }}`}}"
operator: NotEquals
value: ""
mutate:
foreach:
- list: "request.object.spec.containers"
patchStrategicMerge:
spec:
containers:
- (name): "{{`{{ element.name }}`}}"
env:
- name: AWS_REGION
value: {{ .Values.aws.region }}
- name: AWS_ROLE_ARN
value: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" }}`}}"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
volumeMounts:
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
volumes:
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
{{- end }}

62
charts/kubezero-policy/charts/policies/templates/disallow-cri-sock-mount.yaml Normal file
View File

@ -0,0 +1,62 @@
{{- if .Values.bestPractices.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-container-sock-mounts
annotations:
policies.kyverno.io/title: Disallow CRI socket mounts in CEL expressions
policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Container daemon socket bind mounts allows access to the container engine on the
node. This access can be used for privilege escalation and to manage containers
outside of Kubernetes, and hence should not be allowed. This policy validates that
the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition
to or replacement of this policy, preventing users from mounting the parent directories
(/var/run and /var) may be necessary to completely prevent socket bind mounts.
spec:
validationFailureAction: Audit
background: true
rules:
- name: validate-socket-mounts
match:
any:
- resources:
kinds:
- Pod
operations:
- CREATE
- UPDATE
validate:
cel:
variables:
- name: hasVolumes
expression: "!has(object.spec.volumes)"
- name: volumes
expression: "object.spec.volumes"
- name: volumesWithHostPath
expression: "variables.volumes.filter(volume, has(volume.hostPath))"
expressions:
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/docker.sock'))
message: "Use of the Docker Unix socket is not allowed."
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/containerd/containerd.sock'))
message: "Use of the Containerd Unix socket is not allowed."
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/crio/crio.sock'))
message: "Use of the CRI-O Unix socket is not allowed."
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock'))
message: "Use of the Docker CRI socket is not allowed."
{{- end }}

9
charts/kubezero-policy/charts/policies/update.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
set -ex
. ../../scripts/lib-update.sh
login_ecr_public
update_helm
update_docs

6
charts/kubezero-policy/charts/policies/values.yaml Normal file
View File

@ -0,0 +1,6 @@
bestPractices:
enabled: false
aws:
enabled: false
region: us-west-2

3
charts/kubezero-policy/values.yaml
View File

@ -5,7 +5,7 @@ kyverno:
policyReportsCleanup:
enabled: false
webhooksCleanup:
enabled: false
enabled: true
autoDeleteWebhooks:
enabled: true
@ -51,7 +51,6 @@ kyverno:
backgroundController:
revisionHistoryLimit: 2
enabled: false
reportsController:
revisionHistoryLimit: 2

8
charts/kubezero/templates/policy.yaml
View File

@ -23,6 +23,14 @@ kyverno:
reportsController:
serviceMonitor:
enabled: {{ .Values.metrics.enabled }}
policies:
{{- if eq .Values.global.platform "aws" }}
aws:
enabled: true
region: {{ .global.aws.region }}
{{- end }}
{{- end }}
{{- define "policy-argo" }}

10
charts/kubezero/values.yaml
View File

@ -30,11 +30,6 @@ addons:
aws-eks-asg-rolling-update-handler:
enabled: false
policy:
enabled: false
namespace: kyverno
targetRevision: 0.1.0
network:
enabled: true
retain: true
@ -42,6 +37,11 @@ network:
cilium:
enabled: true
policy:
enabled: false
namespace: kyverno
targetRevision: 0.1.0
cert-manager:
enabled: false
namespace: cert-manager

9
docs/kube-bench.yaml
View File

@ -1,4 +1,10 @@
---
#apiVersion: v1
#kind: ServiceAccount
#metadata:
# name: kube-bench
# annotations:
# kubezero.com/aws-iam-role-arn: arn:aws:iam::123456789012:role/kube-bench
#---
apiVersion: batch/v1
kind: Job
metadata:
@ -9,6 +15,7 @@ spec:
labels:
app: kube-bench
spec:
# serviceAccountName: kube-bench
containers:
- command: ["kube-bench"]
#args: