diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml index c7fe8750d..ccf781a83 100644 --- a/kubernetes/apps/kustomization.yaml +++ b/kubernetes/apps/kustomization.yaml @@ -9,6 +9,7 @@ resources: - ./default - ./flux-system - ./kube-system + - ./kyverno - ./monitoring - ./ngnode - ./openebs-system diff --git a/kubernetes/apps/kyverno/kustomization.yaml b/kubernetes/apps/kyverno/kustomization.yaml new file mode 100644 index 000000000..d44d0378f --- /dev/null +++ b/kubernetes/apps/kyverno/kustomization.yaml @@ -0,0 +1,9 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + # Pre Flux-Kustomizations + - ./namespace.yaml + # Flux-Kustomizations + - ./kyverno/ks.yaml diff --git a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml new file mode 100644 index 000000000..2c70a287d --- /dev/null +++ b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml 
@@ -0,0 +1,80 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app kyverno +spec: + interval: 30m + chart: + spec: + chart: kyverno + version: 3.2.7 + sourceRef: + kind: HelmRepository + name: kyverno + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + crds: + install: true + grafana: + enabled: true + admissionController: + replicas: 3 + rbac: + clusterRole: + extraResources: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - update + - delete + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: *app + app.kubernetes.io/component: admission-controller + serviceMonitor: + enabled: true + backgroundController: + rbac: + clusterRole: + extraResources: + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - update + - patch + - delete + - get + - list + resources: + requests: + cpu: 100m + limits: + memory: 1Gi + serviceMonitor: + enabled: true + cleanupController: + serviceMonitor: + enabled: true + reportsController: + serviceMonitor: + enabled: true diff --git a/kubernetes/apps/kyverno/kyverno/app/kustomization.yaml b/kubernetes/apps/kyverno/kyverno/app/kustomization.yaml new file mode 100644 index 000000000..17cbc72b2 --- /dev/null +++ b/kubernetes/apps/kyverno/kyverno/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/kyverno/kyverno/ks.yaml b/kubernetes/apps/kyverno/kyverno/ks.yaml new file mode 100644 index 000000000..839ff4886 --- /dev/null 
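Review bot: The `rbac.clusterRole.extraResources` blocks grant the admission controller create/update/delete and the background controller create/update/patch/delete/get/list on `pods` cluster-wide, but the only policy shipped in this commit is an admission-time `mutate` rule on Jobs, which as far as I can tell requires neither controller to act on pods itself. If the grants anticipate future generate or mutate-existing rules, a comment above each block naming the consumer (`# needed by <policy name>: <rule type> on pods` — placeholder) keeps the privilege reviewable; otherwise drop them until a policy needs them. Separately, `chart.spec` has no `verify` block; if the kyverno OCI chart is published with a cosign signature, adding `verify:` / `  provider: cosign` under `chart.spec` lets Flux refuse an unsigned or altered chart before it is installed.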
+++ b/kubernetes/apps/kyverno/kyverno/ks.yaml @@ -0,0 +1,42 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kyverno + namespace: flux-system +spec: + targetNamespace: kyverno + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kyverno/kyverno/app + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: true + interval: 30m + timeout: 5m +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kyverno-policies + namespace: flux-system +spec: + targetNamespace: kyverno + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: kyverno + path: ./kubernetes/apps/kyverno/kyverno/policies + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: true + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml new file mode 100644 index 000000000..3f9e877cc --- /dev/null +++ b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./volsync-movers.yaml diff --git a/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml b/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml new file mode 100644 index 000000000..146f3c832 --- /dev/null +++ b/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml 
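Review bot: `targetNamespace: kyverno` on the `kyverno-policies` Kustomization has no namespaced resource to apply to, since the only object under `./kubernetes/apps/kyverno/kyverno/policies` is a cluster-scoped ClusterPolicy; dropping that line avoids implying the policies are namespace-bound. The ordering guarantee here comes from `dependsOn: - name: kyverno` combined with `wait: true` on the first Kustomization, which is what ensures the ClusterPolicy CRD exists before the policy is applied; a one-line comment above `dependsOn` (`# CRDs come from the kyverno HelmRelease; apply policies only once it is Ready`) would record that intent.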
@@ -0,0 +1,50 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kyverno.io/clusterpolicy_v1.json +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: volsync-movers + annotations: + policies.kyverno.io/title: Set custom config on the Volsync mover Jobs + policies.kyverno.io/description: | + This policy sets custom configuration on the Volsync mover Jobs. + policies.kyverno.io/subject: Pod +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: set-volsync-movers-custom-config + match: + any: + - resources: + kinds: ["batch/v1/Job"] + namespaces: ["*"] + selector: + matchLabels: + app.kubernetes.io/created-by: volsync + mutate: + patchStrategicMerge: + spec: + podReplacementPolicy: Failed + podFailurePolicy: + rules: + - action: FailJob + onExitCodes: + containerName: restic + operator: In + values: [11] + template: + spec: + initContainers: + - name: jitter + image: docker.io/library/busybox:latest + command: ['sh', '-c', 'sleep $(shuf -i 0-60 -n 1)'] + containers: + - name: restic + volumeMounts: + - name: repository + mountPath: /repository + volumes: + - name: repository + nfs: + server: 192.168.9.10 + path: /mnt/vol2/apps/minio/volsync diff --git a/kubernetes/apps/kyverno/namespace.yaml b/kubernetes/apps/kyverno/namespace.yaml new file mode 100644 index 000000000..70187e557 --- /dev/null +++ b/kubernetes/apps/kyverno/namespace.yaml 
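Review bot: `generateExistingOnPolicyUpdate: true` has no effect in this policy: it governs generate rules, and the single rule here is an admission-time `mutate`, so Jobs that already exist are not rewritten when the policy changes; if that is wanted, the Kyverno fields are `mutateExistingOnPolicyUpdate: true` together with a `targets` list, otherwise the line should be removed. The injected `jitter` init container uses `docker.io/library/busybox:latest`, a mutable tag that every matched mover Job in every namespace will run unpinned; pin it (`image: docker.io/library/busybox:<tag>@sha256:<digest>` — placeholder) so the image cannot change underneath the policy. `policies.kyverno.io/subject: Pod` also disagrees with the match on `batch/v1/Job`; `policies.kyverno.io/subject: Job` describes what the rule touches. `podReplacementPolicy` and `podFailurePolicy` depend on the cluster's Kubernetes version supporting those Job fields, which nothing in this commit states — a short comment above `spec:` noting the minimum version assumed would help the next maintainer.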
@@ -0,0 +1,38 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno + annotations: + kustomize.toolkit.fluxcd.io/prune: disabled + volsync.backube/privileged-movers: "true" +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json +apiVersion: notification.toolkit.fluxcd.io/v1beta3 +kind: Provider +metadata: + name: alert-manager + namespace: kyverno +spec: + type: alertmanager + address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json +apiVersion: notification.toolkit.fluxcd.io/v1beta3 +kind: Alert +metadata: + name: alert-manager + namespace: kyverno +spec: + providerRef: + name: alert-manager + eventSeverity: error + eventSources: + - kind: HelmRelease + name: "*" + exclusionList: + - "error.*lookup github\\.com" + - "error.*lookup raw\\.githubusercontent\\.com" + - "dial.*tcp.*timeout" + - "waiting.*socket" + suspend: false diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index e59dee14f..59aeee80e 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -22,6 +22,7 @@ resources: - ./ingress-nginx.yaml - ./intel.yaml - ./jetstack.yaml + - ./kyverno.yaml - ./metrics-server.yaml - ./node-feature-discovery.yaml - ./openebs.yaml diff --git a/kubernetes/flux/repositories/helm/kyverno.yaml b/kubernetes/flux/repositories/helm/kyverno.yaml new file mode 100644 index 000000000..b86efb0a7 --- /dev/null +++ b/kubernetes/flux/repositories/helm/kyverno.yaml 
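Review bot: The `volsync.backube/privileged-movers: "true"` annotation on the `kyverno` Namespace opts it into privileged VolSync mover pods, yet nothing in this commit creates a VolSync replication object or PVC in that namespace; unless a backup of Kyverno state is planned, remove the annotation so the namespace does not carry an unused privilege grant. If it is intentional, a comment above it naming the workload it serves (`# privileged movers needed for <volsync object>` — placeholder) keeps the grant reviewable.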
@@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: kyverno + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://ghcr.io/kyverno/charts