feat: kyverno

kubernetes/apps/kustomization.yaml

@@ -9,6 +9,7 @@ resources:
   - ./default
   - ./flux-system
   - ./kube-system
+  - ./kyverno
   - ./monitoring
   - ./ngnode
   - ./openebs-system

kubernetes/apps/kyverno/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Pre Flux-Kustomizations
+  - ./namespace.yaml
+  # Flux-Kustomizations
+  - ./kyverno/ks.yaml

kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml

@@ -0,0 +1,80 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app kyverno
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: kyverno
+      version: 3.2.7
+      sourceRef:
+        kind: HelmRepository
+        name: kyverno
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    crds:
+      install: true
+    grafana:
+      enabled: true
+    admissionController:
+      replicas: 3
+      rbac:
+        clusterRole:
+          extraResources:
+            - apiGroups:
+                - ""
+              resources:
+                - pods
+              verbs:
+                - create
+                - update
+                - delete
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/instance: *app
+              app.kubernetes.io/component: admission-controller
+      serviceMonitor:
+        enabled: true
+    backgroundController:
+      rbac:
+        clusterRole:
+          extraResources:
+            - apiGroups:
+                - ""
+              resources:
+                - pods
+              verbs:
+                - create
+                - update
+                - patch
+                - delete
+                - get
+                - list
+      resources:
+        requests:
+          cpu: 100m
+        limits:
+          memory: 1Gi
+      serviceMonitor:
+        enabled: true
+    cleanupController:
+      serviceMonitor:
+        enabled: true
+    reportsController:
+      serviceMonitor:
+        enabled: true

kubernetes/apps/kyverno/kyverno/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml

kubernetes/apps/kyverno/kyverno/ks.yaml

@@ -0,0 +1,42 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kyverno
+  namespace: flux-system
+spec:
+  targetNamespace: kyverno
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/kyverno/kyverno/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: true
+  interval: 30m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kyverno-policies
+  namespace: flux-system
+spec:
+  targetNamespace: kyverno
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: kyverno
+  path: ./kubernetes/apps/kyverno/kyverno/policies
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: true
+  interval: 30m
+  timeout: 5m

kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./volsync-movers.yaml

kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml

@@ -0,0 +1,50 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kyverno.io/clusterpolicy_v1.json
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: volsync-movers
+  annotations:
+    policies.kyverno.io/title: Set custom config on the Volsync mover Jobs
+    policies.kyverno.io/description: |
+      This policy sets custom configuration on the Volsync mover Jobs.
+    policies.kyverno.io/subject: Pod
+spec:
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - name: set-volsync-movers-custom-config
+      match:
+        any:
+          - resources:
+              kinds: ["batch/v1/Job"]
+              namespaces: ["*"]
+              selector:
+                matchLabels:
+                  app.kubernetes.io/created-by: volsync
+      mutate:
+        patchStrategicMerge:
+          spec:
+            podReplacementPolicy: Failed
+            podFailurePolicy:
+              rules:
+                - action: FailJob
+                  onExitCodes:
+                    containerName: restic
+                    operator: In
+                    values: [11]
+            template:
+              spec:
+                initContainers:
+                  - name: jitter
+                    image: docker.io/library/busybox:latest
+                    command: ['sh', '-c', 'sleep $(shuf -i 0-60 -n 1)']
+                containers:
+                  - name: restic
+                    volumeMounts:
+                      - name: repository
+                        mountPath: /repository
+                volumes:
+                  - name: repository
+                    nfs:
+                      server: 192.168.9.10
+                      path: /mnt/vol2/apps/minio/volsync

kubernetes/apps/kyverno/namespace.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kyverno
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    volsync.backube/privileged-movers: "true"
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: alert-manager
+  namespace: kyverno
+spec:
+  type: alertmanager
+  address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: alert-manager
+  namespace: kyverno
+spec:
+  providerRef:
+    name: alert-manager
+  eventSeverity: error
+  eventSources:
+    - kind: HelmRelease
+      name: "*"
+  exclusionList:
+    - "error.*lookup github\\.com"
+    - "error.*lookup raw\\.githubusercontent\\.com"
+    - "dial.*tcp.*timeout"
+    - "waiting.*socket"
+  suspend: false

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -22,6 +22,7 @@ resources:
   - ./ingress-nginx.yaml
   - ./intel.yaml
   - ./jetstack.yaml
+  - ./kyverno.yaml
   - ./metrics-server.yaml
   - ./node-feature-discovery.yaml
   - ./openebs.yaml

kubernetes/flux/repositories/helm/kyverno.yaml

@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: kyverno
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 5m
+  url: oci://ghcr.io/kyverno/charts