2808b53b35 chore(deps): update helm release falco to v5.0.3 2025-06-06 03:01:57 +00:00
20 changed files with 21 additions and 378 deletions


@ -1,6 +1,6 @@
# kubezero-argo # kubezero-argo
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square)
KubeZero Argo - Events, Workflow, CD KubeZero Argo - Events, Workflow, CD
@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| https://argoproj.github.io/argo-helm | argo-cd | 8.0.14 | | https://argoproj.github.io/argo-helm | argo-cd | 8.0.9 |
| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 | | https://argoproj.github.io/argo-helm | argo-events | 2.4.15 |
| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.2 | | https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
## Values ## Values
@ -53,7 +53,7 @@ Kubernetes: `>= 1.30.0-0`
| argo-cd.dex.enabled | bool | `false` | | | argo-cd.dex.enabled | bool | `false` | |
| argo-cd.enabled | bool | `false` | | | argo-cd.enabled | bool | `false` | |
| argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | | | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | |
| argo-cd.global.image.tag | string | `"v3.0.5"` | | | argo-cd.global.image.tag | string | `"v3.0.3"` | |
| argo-cd.global.logging.format | string | `"json"` | | | argo-cd.global.logging.format | string | `"json"` | |
| argo-cd.global.networkPolicy.create | bool | `true` | | | argo-cd.global.networkPolicy.create | bool | `true` | |
| argo-cd.istio.enabled | bool | `false` | | | argo-cd.istio.enabled | bool | `false` | |
@ -83,8 +83,8 @@ Kubernetes: `>= 1.30.0-0`
| argo-events.configs.jetstream.streamConfig.maxMsgs | int | `1000000` | Maximum number of messages before expiring oldest message | | argo-events.configs.jetstream.streamConfig.maxMsgs | int | `1000000` | Maximum number of messages before expiring oldest message |
| argo-events.configs.jetstream.streamConfig.replicas | int | `1` | Number of replicas, defaults to 3 and requires minimal 3 | | argo-events.configs.jetstream.streamConfig.replicas | int | `1` | Number of replicas, defaults to 3 and requires minimal 3 |
| argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.14.1"` | | | argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.14.1"` | |
| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.17.3"` | | | argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.17.2"` | |
| argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.11.4-scratch"` | | | argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.11.1-scratch"` | |
| argo-events.configs.jetstream.versions[0].startCommand | string | `"/nats-server"` | | | argo-events.configs.jetstream.versions[0].startCommand | string | `"/nats-server"` | |
| argo-events.configs.jetstream.versions[0].version | string | `"2.10.11"` | | | argo-events.configs.jetstream.versions[0].version | string | `"2.10.11"` | |
| argo-events.enabled | bool | `false` | | | argo-events.enabled | bool | `false` | |


@ -26,7 +26,6 @@ spec:
prune: true prune: true
syncOptions: syncOptions:
- ApplyOutOfSyncOnly=true - ApplyOutOfSyncOnly=true
- ServerSideApply=true
info: info:
- name: "Source:" - name: "Source:"
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.32/" value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.32/"


@ -27,7 +27,7 @@ argo-events:
- version: 2.10.11 - version: 2.10.11
natsImage: nats:2.11.4-scratch natsImage: nats:2.11.4-scratch
metricsExporterImage: natsio/prometheus-nats-exporter:0.17.3 metricsExporterImage: natsio/prometheus-nats-exporter:0.17.3
configReloaderImage: natsio/nats-server-config-reloader:0.18.0 configReloaderImage: natsio/nats-server-config-reloader:0.14.1
startCommand: /nats-server startCommand: /nats-server
argo-cd: argo-cd:
@ -38,7 +38,7 @@ argo-cd:
format: json format: json
image: image:
repository: public.ecr.aws/zero-downtime/zdt-argocd repository: public.ecr.aws/zero-downtime/zdt-argocd
tag: v3.0.5 tag: v3.0.3
networkPolicy: networkPolicy:
create: true create: true
@ -63,10 +63,6 @@ argo-cd:
application.instanceLabelKey: Null application.instanceLabelKey: Null
server.rbac.log.enforce.enable: Null server.rbac.log.enforce.enable: Null
resource.compareoptions: |
# disables status field diffing in specified resource types
ignoreAggregatedRoles: true
resource.customizations: | resource.customizations: |
argoproj.io/Application: argoproj.io/Application:
health.lua: | health.lua: |


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-falco name: kubezero-falco
description: Falco Container Security and Audit components description: Falco Container Security and Audit components
type: application type: application
version: 0.1.3 version: 0.1.4
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,7 +16,7 @@ dependencies:
version: 0.2.1 version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: falco - name: falco
version: 5.0.0 version: 5.0.3
repository: https://falcosecurity.github.io/charts repository: https://falcosecurity.github.io/charts
condition: k8saudit.enabled condition: k8saudit.enabled
alias: k8saudit alias: k8saudit


@ -3,10 +3,6 @@ nats:
enabled: false enabled: false
config: config:
cluster:
routeURLs:
useFQDN: true
jetstream: jetstream:
enabled: true enabled: true


@ -13,14 +13,8 @@ maintainers:
- name: Stefan Reimer - name: Stefan Reimer
email: stefan@zero-downtime.net email: stefan@zero-downtime.net
dependencies: dependencies:
- name: kubezero-lib
version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/
- name: kyverno - name: kyverno
version: 3.4.2 version: 3.4.2
repository: https://kyverno.github.io/kyverno/ repository: https://kyverno.github.io/kyverno/
condition: kyverno.enabled condition: kyverno.enabled
- name: policies
version: 0.1.0
condition: policies.enabled
kubeVersion: ">= 1.30.0-0" kubeVersion: ">= 1.30.0-0"


@ -18,8 +18,6 @@ Kubernetes: `>= 1.30.0-0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | policies | 0.1.0 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://kyverno.github.io/kyverno/ | kyverno | 3.4.2 | | https://kyverno.github.io/kyverno/ | kyverno | 3.4.2 |
# Kyverno # Kyverno
@ -28,22 +26,4 @@ Kubernetes: `>= 1.30.0-0`
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| kyverno.admissionController.revisionHistoryLimit | int | `2` | |
| kyverno.backgroundController.revisionHistoryLimit | int | `2` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].apiGroups[0] | string | `"postgresql.cnpg.io"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].resources[0] | string | `"backups"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[0] | string | `"delete"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[1] | string | `"list"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[2] | string | `"watch"` | |
| kyverno.cleanupController.revisionHistoryLimit | int | `2` | |
| kyverno.config.preserve | bool | `false` | |
| kyverno.config.webhookAnnotations."argocd.argoproj.io/installation-id" | string | `"KubeZero-ArgoCD"` | |
| kyverno.crds.migration.enabled | bool | `false` | |
| kyverno.enabled | bool | `false` | | | kyverno.enabled | bool | `false` | |
| kyverno.features.logging.format | string | `"json"` | |
| kyverno.grafana.enabled | bool | `false` | |
| kyverno.policyReportsCleanup.enabled | bool | `false` | |
| kyverno.reportsController.enabled | bool | `false` | |
| kyverno.reportsController.revisionHistoryLimit | int | `2` | |
| kyverno.webhooksCleanup.autoDeleteWebhooks.enabled | bool | `true` | |
| kyverno.webhooksCleanup.enabled | bool | `true` | |


@ -1,18 +0,0 @@
apiVersion: v2
name: policies
description: KubeZero collection of Kyverno policies
type: application
version: 0.1.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- kyverno
maintainers:
- name: Stefan Reimer
email: stefan@zero-downtime.net
dependencies:
- name: kubezero-lib
version: 0.2.1
repository: https://cdn.zero-downtime.net/charts/
kubeVersion: ">= 1.30.0-0"


@ -1,18 +0,0 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
# Kyverno
{{ template "chart.valuesSection" . }}


@ -1,70 +0,0 @@
{{- if .Values.aws.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-aws-iam-pod-identity
annotations:
policies.kyverno.io/title: AWS Pod Identity
policies.kyverno.io/category: aws
kyverno.io/kyverno-version: 1.14.0
kyverno.io/kubernetes-version: "1.31"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
This provides the EKS Pod Identity Webhook functionality for KubeZero.
Pods having a service account annotated with \"kubezero.com/aws-iam-role-arn\"
will get the required environment variables as well as volumes injected
to make the SDKs automatically find and use the IAM role.
spec:
useServerSideApply: true
background: false
rules:
- name: add-aws-iam-oidc-mapping
context:
- name: saAnnotations
apiCall:
urlPath: "/api/v1/namespaces/{{`{{request.namespace}}`}}/serviceaccounts/{{`{{request.object.spec.serviceAccountName}}`}}"
jmesPath: "metadata.annotations || ''"
match:
any:
- resources:
kinds:
- Pod
operations:
- CREATE
preconditions:
all:
- key: "{{`{{request.object.spec.serviceAccountName || '' }}`}}"
operator: NotEquals
value: ""
- key: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" || '' }}`}}"
operator: NotEquals
value: ""
mutate:
foreach:
- list: "request.object.spec.containers"
patchStrategicMerge:
spec:
containers:
- (name): "{{`{{ element.name }}`}}"
env:
- name: AWS_REGION
value: {{ .Values.aws.region }}
- name: AWS_ROLE_ARN
value: "{{`{{ saAnnotations.\"kubezero.com/aws-iam-role-arn\" }}`}}"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
volumeMounts:
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
volumes:
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
{{- end }}


@ -1,62 +0,0 @@
{{- if .Values.bestPractices.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-container-sock-mounts
annotations:
policies.kyverno.io/title: Disallow CRI socket mounts in CEL expressions
policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/minversion: 1.11.0
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Container daemon socket bind mounts allows access to the container engine on the
node. This access can be used for privilege escalation and to manage containers
outside of Kubernetes, and hence should not be allowed. This policy validates that
the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition
to or replacement of this policy, preventing users from mounting the parent directories
(/var/run and /var) may be necessary to completely prevent socket bind mounts.
spec:
background: true
rules:
- name: validate-socket-mounts
match:
any:
- resources:
kinds:
- Pod
operations:
- CREATE
- UPDATE
validate:
failureAction: Enforce
cel:
variables:
- name: hasVolumes
expression: "!has(object.spec.volumes)"
- name: volumes
expression: "object.spec.volumes"
- name: volumesWithHostPath
expression: "variables.volumes.filter(volume, has(volume.hostPath))"
expressions:
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/docker.sock'))
message: "Use of the Docker Unix socket is not allowed."
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/containerd/containerd.sock'))
message: "Use of the Containerd Unix socket is not allowed."
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/crio/crio.sock'))
message: "Use of the CRI-O Unix socket is not allowed."
- expression: >-
variables.hasVolumes ||
variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock'))
message: "Use of the Docker CRI socket is not allowed."
{{- end }}


@ -1,9 +0,0 @@
#!/bin/bash
set -ex
. ../../scripts/lib-update.sh
login_ecr_public
update_helm
update_docs


@ -1,6 +0,0 @@
bestPractices:
enabled: false
aws:
enabled: false
region: us-west-2


@ -1,52 +0,0 @@
{{- if and false .Values.kyverno.enabled }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "kubezero-lib.fullname" . }}-admission-tls
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | nindent 4 }}
spec:
secretName: {{ template "kubezero-lib.fullname" . }}-kyverno-svc.{{ .Release.Namespace }}.svc.kyverno-tls-pair
issuerRef:
name: kubezero-local-ca-issuer
kind: ClusterIssuer
duration: 8760h0m0s
privateKey:
encoding: PKCS8
usages:
- "client auth"
- "server auth"
commonName: {{ template "kubezero-lib.fullname" . }}-admission
dnsNames:
# <cluster-name>-<nodepool-component>-<index>
- 'kyverno-svc'
- 'kyverno-svc.{{ .Release.Namespace }}'
- 'kyverno-svc.{{ .Release.Namespace }}.svc'
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "kubezero-lib.fullname" . }}-cleanup-tls
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | nindent 4 }}
spec:
secretName: {{ template "kubezero-lib.fullname" . }}-kyverno-cleanup-controller.{{ .Release.Namespace }}.svc.kyverno-tls-pair
issuerRef:
name: kubezero-local-ca-issuer
kind: ClusterIssuer
duration: 8760h0m0s
privateKey:
encoding: PKCS8
usages:
- "client auth"
- "server auth"
commonName: {{ template "kubezero-lib.fullname" . }}-cleanup-controller
dnsNames:
# <cluster-name>-<nodepool-component>-<index>
- 'kyverno-cleanup-controller'
- 'kyverno-cleanup-controller.{{ .Release.Namespace }}'
- 'kyverno-cleanup-controller.{{ .Release.Namespace }}.svc'
{{- end }}


@ -1,57 +1,2 @@
kyverno: kyverno:
enabled: false enabled: false
# Disable hooks being triggered during each sync
policyReportsCleanup:
enabled: false
webhooksCleanup:
enabled: true
autoDeleteWebhooks:
enabled: true
crds:
migration:
enabled: false
# templating:
# enabled: true
config:
preserve: false
webhookAnnotations:
argocd.argoproj.io/installation-id: KubeZero-ArgoCD
# Unfortunately Argo needs different values for Mutating and Validating hooks so disabled for now
# argocd.argoproj.io/tracking-id: policy:/ServiceAccount:kyverno/kyverno-admission-controller
features:
logging:
format: json
# Enabled via kubezero global metrics flag
grafana:
enabled: false
admissionController:
revisionHistoryLimit: 2
cleanupController:
revisionHistoryLimit: 2
rbac:
clusterRole:
extraResources:
# Allow to clean up postgreSQL backups
- apiGroups:
- postgresql.cnpg.io
resources:
- backups
verbs:
- delete
- list
- watch
backgroundController:
revisionHistoryLimit: 2
reportsController:
revisionHistoryLimit: 2
enabled: false


@ -10,8 +10,7 @@ metadata:
labels: labels:
{{- include "kubezero-lib.labels" . | nindent 4 }} {{- include "kubezero-lib.labels" . | nindent 4 }}
annotations: annotations:
argocd.argoproj.io/compare-options: IncludeMutationWebhook=true argocd.argoproj.io/sync-options: Replace=true
# argocd.argoproj.io/sync-options: Replace=true
{{- with ( index .Values $name "annotations" ) }} {{- with ( index .Values $name "annotations" ) }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
@ -42,7 +41,6 @@ spec:
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ApplyOutOfSyncOnly=true - ApplyOutOfSyncOnly=true
- ServerSideApply=true
info: info:
- name: "Source:" - name: "Source:"
value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}" value: "https://git.zero-downtime.net/ZeroDownTime/KubeZero/src/branch/release/v1.31/charts/kubezero-{{ $name }}"
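Review bot: The new side annotates every generated Application with `argocd.argoproj.io/sync-options: Replace=true` and drops `- ServerSideApply=true` from `syncOptions`, where the base side instead pairs server-side apply with `argocd.argoproj.io/compare-options: IncludeMutationWebhook=true`. With `Replace=true` Argo CD replaces the object rather than applying a three-way merge, so fields written by other controllers or by mutating admission webhooks are overwritten on every sync, and objects that cannot be replaced in place may be deleted and recreated, which is a larger blast radius for cluster-wide KubeZero components than the base-side combination that diffs with webhook mutations included instead of fighting them. Since the commit itself only bumps falco, this looks like an older base state showing through a two-dot compare and a rebase should make it disappear; if it is intended, I would at least keep the base-side lines `argocd.argoproj.io/compare-options: IncludeMutationWebhook=true` and `- ServerSideApply=true`. The Application template's `spec` continues outside this hunk.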


@ -10,9 +10,9 @@ argo-cd:
params: params:
{{- if not $.Values.global.highAvailable }} {{- if not $.Values.global.highAvailable }}
# Reduce load on API server on single node control plane # Reduce load on API server on single node control plane
controller.status.processors: 4 controller.status.processors: 2
controller.operation.processors: 2 controller.operation.processors: 1
controller.kubectl.parallelism.limit: 2 controller.kubectl.parallelism.limit: 1
{{- else }} {{- else }}
controller.status.processors: 8 controller.status.processors: 8
controller.operation.processors: 4 controller.operation.processors: 4


@ -1,36 +1,6 @@
{{- define "policy-values" }} {{- define "policy-values" }}
kyverno: kyverno:
{{- if eq .Values.global.platform "aws" }} test: true
global:
{{- include "kubezero-lib.control-plane" . | nindent 4 }}
{{- end }}
grafana:
enabled: {{ .Values.metrics.enabled }}
admissionController:
serviceMonitor:
enabled: {{ .Values.metrics.enabled }}
cleanupController:
serviceMonitor:
enabled: {{ .Values.metrics.enabled }}
backgroundController:
serviceMonitor:
enabled: {{ .Values.metrics.enabled }}
reportsController:
serviceMonitor:
enabled: {{ .Values.metrics.enabled }}
policies:
{{- if eq .Values.global.platform "aws" }}
aws:
enabled: true
region: {{ .global.aws.region }}
{{- end }}
{{- end }} {{- end }}
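Review bot: On the new side the `policy-values` define collapses to `kyverno:` followed by `test: true`, which reads as a placeholder rather than chart values: it drops the `grafana` and per-controller `serviceMonitor` switches keyed off `.Values.metrics.enabled`, the `kubezero-lib.control-plane` include gated on `global.platform == aws`, and the `policies.aws` region wiring that the base side renders, and nothing visible here consumes a `test` key. More broadly, the only change the commit names is the falco chart bump 5.0.0 to 5.0.3 in the kubezero-falco Chart.yaml, yet this compare also shows the Kyverno policies chart (the AWS pod-identity injection and the CRI-socket-mount guard) deleted and older argo-cd and nats images reinstated, which looks like a two-dot diff against a base that has moved on rather than intent of this commit. I would rebase the branch onto the current base so the review surface is the one-line dependency bump, then confirm `policy-values` still renders the base-side content instead of `test: true`. The `policy-argo` define that follows starts outside this hunk.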
{{- define "policy-argo" }} {{- define "policy-argo" }}


@ -30,6 +30,10 @@ addons:
aws-eks-asg-rolling-update-handler: aws-eks-asg-rolling-update-handler:
enabled: false enabled: false
policy:
enabled: false
targetRevision: 0.1.0
network: network:
enabled: true enabled: true
retain: true retain: true
@ -37,11 +41,6 @@ network:
cilium: cilium:
enabled: true enabled: true
policy:
enabled: false
namespace: kyverno
targetRevision: 0.1.0
cert-manager: cert-manager:
enabled: false enabled: false
namespace: cert-manager namespace: cert-manager
@ -123,7 +122,7 @@ logging:
argo: argo:
enabled: false enabled: false
namespace: argocd namespace: argocd
targetRevision: 0.4.1 targetRevision: 0.4.0
argo-cd: argo-cd:
enabled: false enabled: false
istio: istio:


@ -1,3 +1,4 @@
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata: