Skip to content

Commit

Permalink
Merge pull request #4 from debenstack/dev
Browse files Browse the repository at this point in the history 
implemented kyverno
  • Loading branch information
@bensoer
bensoer authored Apr 17, 2024
2 parents d78ff73 + 6e27ba1 commit 8e890ff
Show file tree
Hide file tree
Showing 19 changed files with 46,132 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/terraform-linting.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,9 @@ jobs:
with:
terraform_version: ${{ env.TF_VERSION }}
terraform_wrapper: true
- name: Terraform Init
id: init
run: terraform init -lock=false -input=false
- name: Terraform Validate
id: validate
run: terraform validate
Expand Down
14 changes: 14 additions & 0 deletions modules/k8config/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,3 +97,17 @@ module "prometheus" {
time_sleep.wait_60_seconds
]
}

module "kyverno" {
source = "./modules/kyverno"

providers = {
kubectl = kubectl
helm = helm
}

depends_on = [
module.prometheus,
time_sleep.wait_60_seconds
]
}
6 changes: 6 additions & 0 deletions modules/k8config/modules/crds/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,9 @@ resource "kubectl_manifest" "prometheus-crds" {
server_side_apply = true
}

/* Kyverno */
resource "kubectl_manifest" "kyverno-crds" {
for_each = fileset("${abspath(path.module)}/res/kyverno-1.11.4", "*.yaml")
yaml_body = file("${abspath(path.module)}/res/kyverno-1.11.4/${each.value}")
server_side_apply = true
}
330 changes: 330 additions & 0 deletions modules/k8config/modules/crds/res/kyverno-1.11.4/kyverno.io_admissionreports.yaml
View file

Large diffs are not rendered by default.

297 changes: 297 additions & 0 deletions modules/k8config/modules/crds/res/kyverno-1.11.4/kyverno.io_backgroundscanreports.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,297 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: backgroundscanreports.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: BackgroundScanReport
listKind: BackgroundScanReportList
plural: backgroundscanreports
shortNames:
- bgscanr
singular: backgroundscanreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.ownerReferences[0].apiVersion
name: ApiVersion
type: string
- jsonPath: .metadata.ownerReferences[0].kind
name: Kind
type: string
- jsonPath: .metadata.ownerReferences[0].name
name: Subject
type: string
- jsonPath: .spec.summary.pass
name: Pass
type: integer
- jsonPath: .spec.summary.fail
name: Fail
type: integer
- jsonPath: .spec.summary.warn
name: Warn
type: integer
- jsonPath: .spec.summary.error
name: Error
type: integer
- jsonPath: .spec.summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
name: Hash
priority: 1
type: string
name: v1alpha2
schema:
openAPIV3Schema:
description: BackgroundScanReport is the Schema for the BackgroundScanReports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for
the policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for
the policy rule
type: object
resourceSelector:
description: SubjectSelector is an optional label selector for
checked Kubernetes resources. For example, a policy result
may apply to all pods that match a label. Either a Subject
or a SubjectSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
description: "ObjectReference contains enough information
to let you inspect or modify the referred object. --- New
uses of this type are discouraged because of difficulty
describing its usage when embedded in APIs. 1. Ignored fields.
\ It includes many fields which are not generally honored.
\ For instance, ResourceVersion and FieldPath are both very
rarely valid in actual usage. 2. Invalid usage help. It
is impossible to add specific help for individual usage.
\ In most embedded usages, there are particular restrictions
like, \"must refer only to types A and B\" or \"UID not
honored\" or \"name must be restricted\". Those cannot be
well described when embedded. 3. Inconsistent validation.
\ Because the usages are different, the validation rules
are different by usage, which makes it hard for users to
predict what will happen. 4. The fields are both imprecise
and overly precise. Kind is not a precise mapping to a
URL. This can produce ambiguity during interpretation and
require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this
type will affect numerous schemas. Don't make new APIs
embed an underspecified API type they do not control. \n
Instead of using this type, create a locally provided and
used type that is well-focused on your reference. For example,
ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
."
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container
within a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that
triggered the event) or if no container name is specified
"spec.containers[2]" (container with index 2 in this
pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design
is not final and this field is subject to change in
the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule
execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within
the policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: Non-negative fractions of a second at nanosecond
resolution. Negative second values with fractions must
still have non-negative nanos values that count forward
in time. Must be from 0 to 999,999,999 inclusive. This
field may be limited in precision depending on context.
format: int32
type: integer
seconds:
description: Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
to 9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not
be evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not
selected for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
Loading

0 comments on commit 8e890ff

Please sign in to comment.