🔥 kyverno

kubernetes/apps/kustomization.yaml

@@ -8,7 +8,6 @@ resources:
   - ./default
   - ./flux-system
   - ./kube-system
-  - ./kyverno
   - ./monitoring
   - ./ngnode
   - ./networking

kubernetes/apps/kyverno/kustomization.yaml

@@ -1,9 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  # Pre Flux-Kustomizations
-  - ./namespace.yaml
-  # Flux-Kustomizations
-  - ./kyverno/ks.yaml

kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml

@@ -1,83 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: kyverno
-  namespace: kyverno
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: kyverno
-      version: 3.1.1
-      sourceRef:
-        kind: HelmRepository
-        name: kyverno
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    createNamespace: true
-    crds: CreateReplace
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    crds: CreateReplace
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    crds:
-      install: true
-    grafana:
-      enabled: true
-      annotations:
-        grafana_folder: System
-    backgroundController:
-      serviceMonitor:
-        enabled: true
-      rbac:
-        clusterRole:
-          extraResources:
-            - apiGroups:
-                - ""
-              resources:
-                - pods
-              verbs:
-                - create
-                - update
-                - patch
-                - delete
-                - get
-                - list
-    cleanupController:
-      serviceMonitor:
-        enabled: true
-    reportsController:
-      serviceMonitor:
-        enabled: true
-    admissionController:
-      replicas: 3
-      serviceMonitor:
-        enabled: true
-      rbac:
-        clusterRole:
-          extraResources:
-            - apiGroups:
-                - ""
-              resources:
-                - pods
-              verbs:
-                - create
-                - update
-                - delete
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: kubernetes.io/hostname
-          whenUnsatisfiable: DoNotSchedule
-          labelSelector:
-            matchLabels:
-              app.kubernetes.io/instance: kyverno
-              app.kubernetes.io/component: kyverno

kubernetes/apps/kyverno/kyverno/app/kustomization.yaml

@@ -1,18 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kyverno
-resources:
-  - ./helmrelease.yaml
-  - ./rbac.yaml
-configMapGenerator:
-  - name: kyverno-dashboard
-    files:
-      - kyverno-dashboard.json=https://raw.githubusercontent.com/kyverno/grafana-dashboard/master/grafana/dashboard.json
-generatorOptions:
-  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled
-  labels:
-    grafana_dashboard: "true"

kubernetes/apps/kyverno/kyverno/app/rbac.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kyverno:admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-  - kind: ServiceAccount
-    name: kyverno
-    namespace: kyverno

kubernetes/apps/kyverno/kyverno/ks.yaml

@@ -1,39 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cluster-apps-kyverno
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/kyverno/kyverno/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-ops-kubernetes
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cluster-apps-cluster-policies
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  dependsOn:
-    - name: cluster-apps-kyverno
-  path: ./kubernetes/apps/kyverno/kyverno/policies
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-ops-kubernetes
-  wait: true
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml

@@ -1,6 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./remove-cpu-limits.yaml

kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml

@@ -1,44 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/clusterpolicy_v1.json
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: remove-cpu-limit
-  annotations:
-    policies.kyverno.io/title: Remove CPU limits
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod
-    policies.kyverno.io/description: >-
-      This policy removes CPU limits from all Pods.
-    pod-policies.kyverno.io/autogen-controllers: none
-spec:
-  generateExistingOnPolicyUpdate: true
-  rules:
-    - name: remove-containers-cpu-limits
-      match:
-        any:
-          - resources:
-              kinds: ["Pod"]
-      mutate:
-        foreach:
-          - list: "request.object.spec.containers"
-            patchesJson6902: |-
-              - path: /spec/containers/{{elementIndex}}/resources/limits/cpu
-                op: remove
-    - name: delete-initcontainers-cpu-limits
-      match:
-        any:
-          - resources:
-              kinds: ["Pod"]
-      preconditions:
-        all:
-          - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"
-            operator: GreaterThanOrEquals
-            value: 1
-      mutate:
-        foreach:
-          - list: "request.object.spec.initContainers"
-            patchesJson6902: |-
-              - path: /spec/initContainers/{{elementIndex}}/resources/limits/cpu
-                op: remove

kubernetes/apps/kyverno/namespace.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kyverno
-  labels:
-    kustomize.toolkit.fluxcd.io/prune: disabled