Verified Commit 8a5ed52b authored by Sheogorath

fix(kyverno): Remove kyverno from setup

It's the 3rd update of kyverno and each time, things break in minor
version. This is no modus operandi for this setup. Things are supposed to
be stable and solid to work with. Kyverno is too unstable for this
use-case.

This time the installation of the pods failed due to wrong deployment
names. This is nothing we change or adjust.

Further, the removal doesn't have any major impact on the platform, since
network policies are already deployed via gitops from the `shared/`
directory.

BREAKING CHANGE: Removing kyverno and related CRDs/APIs.
parent f0296954
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno
resources:
- namespace.yaml
- repository.yaml
- release.yaml
apiVersion: v1
kind: Namespace
metadata:
name: kyverno
labels:
name: kyverno
kyverno.shivering-isles.com/class: "system"
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kyverno-crds
namespace: kyverno
spec:
releaseName: kyverno-crds
chart:
spec:
chart: kyverno
sourceRef:
kind: HelmRepository
name: kyverno
namespace: kyverno
version: v2.1.10
interval: 5m
values:
replicaCount: 2
podDisruptionBudget:
enabled: true
minAvailable: 1
serviceMonitor:
enabled: true
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
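Review bot: deleting this HelmRelease does not deliver the "related CRDs/APIs" removal the BREAKING CHANGE line promises: `crds: CreateReplace` under `install` and `upgrade` only governs how CRDs are created and replaced, and Helm leaves CRDs in place on uninstall, so the `kyverno.io` CRDs (and any `ClusterPolicy` objects still stored under them) need an explicit cleanup step in the same change. Also confirm that the admission webhook configurations Kyverno registers are gone before its pods disappear, otherwise admission requests will hit a webhook with no backend. Minor: a release named `kyverno-crds` actually installs the full `kyverno` chart with `replicaCount: 2`; the name suggests CRDs only.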
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: kyverno
namespace: kyverno
spec:
interval: 30m
url: https://kyverno.github.io/kyverno/
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: allow-from-same-namespace
spec:
rules:
- name: allow-from-same-namespace
match:
resources:
kinds:
- Namespace
selector:
matchExpressions:
- {key: kyverno.shivering-isles.com/class, operator: NotIn, values: [system]}
exclude:
resources:
namespaces:
- '*-system'
- default
- kube-public
- tigera-operator
generate:
kind: NetworkPolicy
name: allow-from-same-namespace-managed
namespace: "{{request.object.metadata.name}}"
data:
apiVersion: networking.k8s.io/v1
spec:
podSelector: {}
ingress:
- from:
- podSelector: {}
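Review bot: this generate rule has no `synchronize: true`, so the `allow-from-same-namespace-managed` NetworkPolicy objects it created are ordinary resources that will outlive Kyverno. The commit message says the `shared/` gitops policies already cover this, so the leftover objects should either be deleted or the overlap documented; two policies with `podSelector: {}` will coexist silently and nobody will notice which one is doing the work. Note also that the exclude list here (`*-system`, `default`, `kube-public`, `tigera-operator`) differs from the one in the quota policy (`kube-node-lease` instead of `tigera-operator`), which the replacement policies should reconcile.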
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: deny-netpol-changes
spec:
validationFailureAction: enforce
background: false
rules:
- name: deny-netpol-changes
match:
resources:
kinds:
- NetworkPolicy
name: "*-managed"
exclude:
clusterRoles:
- cluster-admin
validate:
message: "Changing managed network policies is not allowed."
deny: {}
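Review bot: the commit message's claim of no major impact does not account for this rule. Once Kyverno is gone, any subject whose RBAC permits editing NetworkPolicy objects can alter or delete the `*-managed` policies, and only gitops drift reconciliation stands in for the admission-time deny. That is acceptable if Flux reconciles the `shared/` policies with pruning enabled, but it is a change in the security model and should be stated in the message.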
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: deny-system-namespaces
spec:
validationFailureAction: enforce
background: false
rules:
- name: deny-system-namespaces
match:
resources:
kinds:
- Namespace
name: "*-system"
exclude:
clusterRoles:
- cluster-admin
- tigera-operator
validate:
message: "Creating *-system namespaces is not allowed."
deny: {}
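Review bot: the `*-system` exclusions in the network policy and quota policies were safe only because this rule stopped non-admins from creating `*-system` namespaces. With it removed, a namespace matching that wildcard can be created by any subject with namespace-create rights and will inherit whatever exemptions the replacement policies give `*-system`. If the `shared/` policies keep that wildcard exemption, an equivalent guard (RBAC or another admission control) is needed, and the loss of this control belongs in the commit message.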
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno
resources:
- release.yaml
- deny-system-namespaces.yaml
- deny-network-policies.yaml
- allow-from-same-namespace-network-policies.yaml
- quotas.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-ns-quota
annotations:
policies.kyverno.io/title: Add Quota
policies.kyverno.io/category: Multi-Tenancy
policies.kyverno.io/subject: ResourceQuota, LimitRange
policies.kyverno.io/description: >-
To better control the number of resources that can be created in a given
Namespace and provide default resource consumption limits for Pods,
ResourceQuota and LimitRange resources are recommended.
This policy will generate ResourceQuota and LimitRange resources when
a new Namespace is created.
spec:
validationFailureAction: enforce
rules:
- name: generate-resourcequota
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- '*-system'
- default
- kube-public
- kube-node-lease
generate:
kind: ResourceQuota
name: default-resourcequota
synchronize: true
namespace: "{{request.object.metadata.name}}"
data:
spec:
hard:
requests.cpu: '4'
requests.memory: '16Gi'
limits.cpu: '4'
limits.memory: '16Gi'
- name: generate-limitrange
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- '*-system'
- default
- kube-public
- kube-node-lease
generate:
kind: LimitRange
name: default-limitrange
synchronize: true
namespace: "{{request.object.metadata.name}}"
data:
spec:
limits:
- default:
cpu: 500m
memory: 1Gi
defaultRequest:
cpu: 200m
memory: 256Mi
type: Container
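Review bot: the commit message only mentions network policies, but this policy generated a default `ResourceQuota` and `LimitRange` in every tenant namespace with `synchronize: true`. Removing it means new namespaces get no quota and no default container requests/limits unless `shared/` provides an equivalent, and the synchronized objects already in place should be checked after the policy is deleted to confirm they are kept rather than garbage-collected with it. Minor: `validationFailureAction: enforce` has no effect on a policy that contains only generate rules.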
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kyverno-policies
namespace: kyverno
spec:
releaseName: kyverno-policies
chart:
spec:
chart: kyverno-policies
sourceRef:
kind: HelmRepository
name: kyverno
namespace: kyverno
version: v2.1.10
interval: 5m
dependsOn:
- name: kyverno-crds
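Review bot: this release carries no `values` block, so it ran the `kyverno-policies` chart with its defaults; the commit message should state whether any of those default policies were relied on, since they disappear along with the custom ones above and are not covered by the "network policies are already in `shared/`" argument.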