mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-29 02:45:06 +00:00
Helm Chart - Network Policy Support (#2210)
* add network policy resource
* network policy

Co-authored-by: windowsrefund <mac>
This commit is contained in:
parent
8af814c7af
commit
32d7a4e271
4 changed files with 82 additions and 55 deletions
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v1
|
||||
name: kyverno
|
||||
version: v2.0-rc3
|
||||
version: v2.0-rc4
|
||||
appVersion: v1.4.2-rc3
|
||||
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
||||
description: Kubernetes Native Policy Management
|
||||
|
|
|
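Review bot: bumping `version` to v2.0-rc4 while leaving `appVersion` at v1.4.2-rc3 is the correct split for this change, since only a chart template and a value are added and the Kyverno image itself is unchanged; nothing further to raise on this hunk.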
@ -62,60 +62,61 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
|
||||
The following table lists the configurable parameters of the kyverno chart and their default values.
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `affinity` | node/pod affinities | `nil` |
|
||||
| `topologySpreadConstraints` | node/pod topology spread constrains | `[]` |
|
||||
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
|
||||
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
|
||||
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
|
||||
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` |
|
||||
| `customLabels` | Additional labels | `{}`
|
||||
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
|
||||
| `envVarsInit` | Extra environment variables to pass to kyverno initContainers
|
||||
| `envVars` | Extra environment variables to pass to Kyverno | {} |
|
||||
| `extraArgs` | list of extra arguments to give the binary | `[]` |
|
||||
| `fullnameOverride` | override the expanded name of the chart | `nil` |
|
||||
| `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` |
|
||||
| `hostNetwork` | Use the host network's namespace. Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` |
|
||||
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) |
|
||||
| `image.repository` | Image repository | `ghcr.io/kyverno/kyverno` |
|
||||
| `image.tag` | Image tag | `nil` |
|
||||
| `initImage.pullPolicy` | Init image pull policy | `nil` |
|
||||
| `initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` |
|
||||
| `initImage.tag` | Init image tag | `nil` |
|
||||
| `livenessProbe` | liveness probe configuration | `{}` |
|
||||
| `nameOverride` | override the name of the chart | `nil` |
|
||||
| `namespace` | namespace the chart deploy to | `nil` |
|
||||
| `nodeSelector` | node labels for pod assignment | `{}` |
|
||||
| `podAnnotations` | annotations to add to each pod | `{}` |
|
||||
| `podLabels` | additional labels to add to each pod | `{}` |
|
||||
| `podSecurityContext` | security context for the pod | `{}` |
|
||||
| `priorityClassName` | priorityClassName | `nil` |
|
||||
| `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` |
|
||||
| `rbac.serviceAccount.create` | create a ServiceAccount | `true` |
|
||||
| `rbac.serviceAccount.name` | the ServiceAccount name | `nil` |
|
||||
| `rbac.serviceAccount.annotations` | annotations for the ServiceAccount | `{}` |
|
||||
| `readinessProbe` | readiness probe configuration | `{}` |
|
||||
| `replicaCount` | desired number of pods | `1` |
|
||||
| `resources` | pod resource requests and limits | `{}` |
|
||||
| `service.annotations` | annotations to add to the service | `{}` |
|
||||
| `service.nodePort` | node port | `nil` |
|
||||
| `service.port` | port for the service | `443` |
|
||||
| `service.type` | type of service | `ClusterIP` |
|
||||
| `serviceMonitor.enabled` | create a ServiceMonitor(Requires Prometheus) | `false` |
|
||||
| `serviceMonitor.additionalLabels` | additional labels to add for ServiceMonitor | `nil` |
|
||||
| `serviceMonitor.interval` | interval to scrape metrics | `30s` |
|
||||
| `serviceMonitor.scrapeTimeout` | timeout if metrics can't be retrieved in given time interval | `25s` |
|
||||
| `serviceMonitor.secure` | is TLS required for endpoint | `false` |
|
||||
| `serviceMonitor.tlsConfig` | TLS Configuration for endpoint | `[]` |
|
||||
| `tolerations` | list of node taints to tolerate | `[]` |
|
||||
| `securityContext` | security context configuration | `{}` |
|
||||
| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` |
|
||||
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
|
||||
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
|
||||
| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
|
||||
| Parameter | Description | Default |
|
||||
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| `affinity` | node/pod affinities | `nil` |
|
||||
| `topologySpreadConstraints` | node/pod topology spread constrains | `[]` |
|
||||
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
|
||||
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
|
||||
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
|
||||
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` |
|
||||
| `customLabels` | Additional labels | `{}` |
|
||||
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
|
||||
| `envVarsInit` | Extra environment variables to pass to kyverno initContainers |
|
||||
| `envVars` | Extra environment variables to pass to Kyverno | {} |
|
||||
| `extraArgs` | list of extra arguments to give the binary | `[]` |
|
||||
| `fullnameOverride` | override the expanded name of the chart | `nil` |
|
||||
| `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` |
|
||||
| `hostNetwork` | Use the host network's namespace. Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` |
|
||||
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) |
|
||||
| `image.repository` | Image repository | `ghcr.io/kyverno/kyverno` |
|
||||
| `image.tag` | Image tag | `nil` |
|
||||
| `initImage.pullPolicy` | Init image pull policy | `nil` |
|
||||
| `initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` |
|
||||
| `initImage.tag` | Init image tag | `nil` |
|
||||
| `livenessProbe` | liveness probe configuration | `{}` |
|
||||
| `nameOverride` | override the name of the chart | `nil` |
|
||||
| `namespace` | namespace the chart deploy to | `nil` |
|
||||
| networkPolicy.enabled | when true, use a NetworkPolicy to grant access to the webhook. Default is false. |
|
||||
| `nodeSelector` | node labels for pod assignment | `{}` |
|
||||
| `podAnnotations` | annotations to add to each pod | `{}` |
|
||||
| `podLabels` | additional labels to add to each pod | `{}` |
|
||||
| `podSecurityContext` | security context for the pod | `{}` |
|
||||
| `priorityClassName` | priorityClassName | `nil` |
|
||||
| `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` |
|
||||
| `rbac.serviceAccount.create` | create a ServiceAccount | `true` |
|
||||
| `rbac.serviceAccount.name` | the ServiceAccount name | `nil` |
|
||||
| `rbac.serviceAccount.annotations` | annotations for the ServiceAccount | `{}` |
|
||||
| `readinessProbe` | readiness probe configuration | `{}` |
|
||||
| `replicaCount` | desired number of pods | `1` |
|
||||
| `resources` | pod resource requests and limits | `{}` |
|
||||
| `service.annotations` | annotations to add to the service | `{}` |
|
||||
| `service.nodePort` | node port | `nil` |
|
||||
| `service.port` | port for the service | `443` |
|
||||
| `service.type` | type of service | `ClusterIP` |
|
||||
| `serviceMonitor.enabled` | create a ServiceMonitor(Requires Prometheus) | `false` |
|
||||
| `serviceMonitor.additionalLabels` | additional labels to add for ServiceMonitor | `nil` |
|
||||
| `serviceMonitor.interval` | interval to scrape metrics | `30s` |
|
||||
| `serviceMonitor.scrapeTimeout` | timeout if metrics can't be retrieved in given time interval | `25s` |
|
||||
| `serviceMonitor.secure` | is TLS required for endpoint | `false` |
|
||||
| `serviceMonitor.tlsConfig` | TLS Configuration for endpoint | `[]` |
|
||||
| `tolerations` | list of node taints to tolerate | `[]` |
|
||||
| `securityContext` | security context configuration | `{}` |
|
||||
| `podSecurityStandard` | set desired pod security level `privileged`, `baseline`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `baseline` |
|
||||
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
|
||||
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
|
||||
| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
|
||||
|
||||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
|
||||
|
||||
|
|
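Review bot: the new `networkPolicy.enabled` row does not follow the table's conventions: the parameter name is not in backticks and the row has only two cells, with the default folded into the description ("Default is false.") instead of placed in the Default column. Suggest `| \`networkPolicy.enabled\` | create a NetworkPolicy allowing ingress to the webhook port | \`false\` |`. The description should also say that the generated policy admits the webhook port from any source, so operators of a default-deny cluster know exactly what they are opening. While this hunk touches the `envVarsInit` row, the added trailing `|` still leaves it without a Default cell; give it one (`{}` to match `envVars`).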
20
charts/kyverno/templates/networkpolicy.yaml
Normal file
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.networkPolicy.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
labels: {{ include "kyverno.labels" . | nindent 4 }}
|
||||
app: kyverno
|
||||
name: {{ template "kyverno.fullname" . }}
|
||||
namespace: {{ template "kyverno.namespace" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: kyverno
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9443 # webhook access
|
||||
{{- end }}
|
|
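Review bot: the policy admits only TCP/9443, so on the default-deny clusters this template targets, enabling `serviceMonitor.enabled` at the same time will leave the Prometheus scrape of the metrics endpoint blocked; add a second `ports` entry for the metrics port, guarded by `.Values.serviceMonitor.enabled`, or document the gap in values.yaml. Two smaller points: `- from:` with no value is a null field, which the NetworkPolicy API treats as "match all sources"; that is presumably intended, because the API server is usually not addressable by a pod or namespace selector, but it deserves an inline comment (`- from: # empty: allow any source`) so nobody tightens it by accident and silently breaks admission. And the literal `9443` should be taken from the same value the deployment template uses for the container port, so the two cannot drift apart.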
@ -202,3 +202,9 @@ serviceMonitor:
|
|||
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
|
||||
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
|
||||
createSelfSignedCert: false
|
||||
|
||||
# When true, use a NetworkPolicy to allow ingress to the webhook
|
||||
# This is useful on clusters using Calico and/or native k8s network
|
||||
# policies in a default-deny setup.
|
||||
networkPolicy:
|
||||
enabled: false
|
||||
|
|
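Review bot: the new comment explains when to enable the policy but not what it opens; since users on default-deny clusters read values.yaml rather than the template, state that the generated NetworkPolicy admits ingress to the webhook port from all sources and nothing else. While here, the adjacent context comment "make createSelfSignedCert is false" reads as a typo for "make sure createSelfSignedCert is false" and could be fixed in the same change.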