mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

Helm Chart - Network Policy Support (#2210)

* add network policy resource

* network policy

Co-authored-by: windowsrefund <mac>
Adam Kosmin 2021-08-03 21:19:58 -04:00 committed by GitHub
parent 8af814c7af
commit 32d7a4e271
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 82 additions and 55 deletions

View file

@ -1,6 +1,6 @@
apiVersion: v1
name: kyverno
version: v2.0-rc3
version: v2.0-rc4
appVersion: v1.4.2-rc3
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Native Policy Management
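Review bot: the bump of `version` from v2.0-rc3 to v2.0-rc4 with `appVersion` left at v1.4.2-rc3 is consistent, since this change only adds a chart template and a value and does not touch the Kyverno image; nothing further is needed in this file.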

View file

@ -63,16 +63,16 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the kyverno chart and their default values.
| Parameter | Description | Default |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `affinity` | node/pod affinities | `nil` |
| `topologySpreadConstraints` | node/pod topology spread constrains | `[]` |
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` |
| `customLabels` | Additional labels | `{}`
| `customLabels` | Additional labels | `{}` |
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
| `envVarsInit` | Extra environment variables to pass to kyverno initContainers
| `envVarsInit` | Extra environment variables to pass to kyverno initContainers |
| `envVars` | Extra environment variables to pass to Kyverno | {} |
| `extraArgs` | list of extra arguments to give the binary | `[]` |
| `fullnameOverride` | override the expanded name of the chart | `nil` |
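Review bot: the `envVarsInit` row is still missing its Default cell even after the trailing pipe is added, so the table remains ragged in that row; give it a Default value matching values.yaml (for example `| `envVarsInit` | Extra environment variables to pass to kyverno initContainers | `{}` |` if `{}` is what the chart sets). In the same region, the `envVars` default `{}` is the only default in the table not wrapped in backticks; write it as `` `{}` `` for consistency with the surrounding rows.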
@ -88,6 +88,7 @@ The following table lists the configurable parameters of the kyverno chart and t
| `livenessProbe` | liveness probe configuration | `{}` |
| `nameOverride` | override the name of the chart | `nil` |
| `namespace` | namespace the chart deploy to | `nil` |
| networkPolicy.enabled | when true, use a NetworkPolicy to grant access to the webhook. Default is false. |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `podAnnotations` | annotations to add to each pod | `{}` |
| `podLabels` | additional labels to add to each pod | `{}` |
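Review bot: the new `networkPolicy.enabled` row does not follow the table's conventions: the parameter name is not in backticks, the default is stated inside the description ("Default is false.") rather than in the Default column, and the row has only two cells so the Default column is empty. Suggested row: `| `networkPolicy.enabled` | when true, use a NetworkPolicy to grant access to the webhook | `false` |`.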

View file

@ -0,0 +1,20 @@
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
name: {{ template "kyverno.fullname" . }}
namespace: {{ template "kyverno.namespace" . }}
spec:
podSelector:
matchLabels:
app: kyverno
policyTypes:
- Ingress
ingress:
- from:
ports:
- protocol: TCP
port: 9443 # webhook access
{{- end }}
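Review bot: the ingress rule has a bare `from:` key with no value, which YAML parses as null; a null or absent `from` means the rule admits traffic from any source to TCP 9443. That is probably the intent, because the API server that calls the webhook usually cannot be expressed as a pod or namespace selector, but a dangling `from:` reads like an unfinished selector. Either drop the `from:` line and add a comment stating that all sources are deliberately allowed on the webhook port, or add an explicit selector if the cluster can express the API server's source. Also note that with `policyTypes: [Ingress]` every other ingress to pods labelled `app: kyverno` is denied once this object exists, so any other listener on those pods (the `serviceMonitor:` section visible in the values.yaml context suggests a metrics endpoint is scraped) will need its own rule or port entry; consider adding that port here or documenting the limitation in the template comment.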

View file

@ -202,3 +202,9 @@ serviceMonitor:
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
createSelfSignedCert: false
# When true, use a NetworkPolicy to allow ingress to the webhook
# This is useful on clusters using Calico and/or native k8s network
# policies in a default-deny setup.
networkPolicy:
enabled: false
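Review bot: the comment above `networkPolicy` describes the object as allowing ingress to the webhook, but selecting the kyverno pods with an ingress policy also denies all ingress not listed in it, which matters on exactly the default-deny clusters the comment targets. Extend the comment to say that only the webhook port is opened and that other inbound access to the kyverno pods (such as metrics scraping configured under `serviceMonitor` above) must be allowed separately, so operators enabling this value are not surprised.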