diff --git a/bootstrap/kyverno/kustomization.yaml b/bootstrap/kyverno/kustomization.yaml
deleted file mode 100644
index 2f4dcc1d250af0e3c5b43c42e3fb7eede901838a..0000000000000000000000000000000000000000
--- a/bootstrap/kyverno/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kyverno
-resources:
- - namespace.yaml
- - repository.yaml
- - release.yaml
diff --git a/bootstrap/kyverno/namespace.yaml b/bootstrap/kyverno/namespace.yaml
deleted file mode 100644
index 3c428410e3a265b065c32d1cc572a2d618ef4d3c..0000000000000000000000000000000000000000
--- a/bootstrap/kyverno/namespace.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: kyverno
- labels:
- name: kyverno
- kyverno.shivering-isles.com/class: "system"
diff --git a/bootstrap/kyverno/release.yaml b/bootstrap/kyverno/release.yaml
deleted file mode 100644
index c1add280be53aa8952f99b0c3b14d02b2e0e3be2..0000000000000000000000000000000000000000
--- a/bootstrap/kyverno/release.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
- name: kyverno-crds
- namespace: kyverno
-spec:
- releaseName: kyverno-crds
- chart:
- spec:
- chart: kyverno
- sourceRef:
- kind: HelmRepository
- name: kyverno
- namespace: kyverno
- version: v2.1.10
- interval: 5m
- values:
- replicaCount: 2
- podDisruptionBudget:
- enabled: true
- minAvailable: 1
- serviceMonitor:
- enabled: true
- install:
- crds: CreateReplace
- upgrade:
- crds: CreateReplace
diff --git a/bootstrap/kyverno/repository.yaml b/bootstrap/kyverno/repository.yaml
deleted file mode 100644
index 46776215fb8dfaf7fd5ed5cef3f865a9fe69a819..0000000000000000000000000000000000000000
--- a/bootstrap/kyverno/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
- name: kyverno
- namespace: kyverno
-spec:
- interval: 30m
- url: https://kyverno.github.io/kyverno/
diff --git a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
deleted file mode 100644
index 7ad69a13011824fdb1f82e285e5cf73b5ab532df..0000000000000000000000000000000000000000
--- a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: allow-from-same-namespace
-spec:
- rules:
- - name: allow-from-same-namespace
- match:
- resources:
- kinds:
- - Namespace
- selector:
- matchExpressions:
- - {key: kyverno.shivering-isles.com/class, operator: NotIn, values: [system]}
- exclude:
- resources:
- namespaces:
- - '*-system'
- - default
- - kube-public
- - tigera-operator
- generate:
- kind: NetworkPolicy
- name: allow-from-same-namespace-managed
- namespace: "{{request.object.metadata.name}}"
- data:
- apiVersion: networking.k8s.io/v1
- spec:
- podSelector: {}
- ingress:
- - from:
- - podSelector: {}
diff --git a/infrastructure/kyverno/deny-network-policies.yaml b/infrastructure/kyverno/deny-network-policies.yaml
deleted file mode 100644
index d291ebcd8b2b061da87e19628d69fc973c282872..0000000000000000000000000000000000000000
--- a/infrastructure/kyverno/deny-network-policies.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: deny-netpol-changes
-spec:
- validationFailureAction: enforce
- background: false
- rules:
- - name: deny-netpol-changes
- match:
- resources:
- kinds:
- - NetworkPolicy
- name: "*-managed"
- exclude:
- clusterRoles:
- - cluster-admin
- validate:
- message: "Changing managed network policies is not allowed."
- deny: {}
diff --git a/infrastructure/kyverno/deny-system-namespaces.yaml b/infrastructure/kyverno/deny-system-namespaces.yaml
deleted file mode 100644
index cda26c8a7ae241e6ff132c816326432862cf8027..0000000000000000000000000000000000000000
--- a/infrastructure/kyverno/deny-system-namespaces.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: deny-system-namespaces
-spec:
- validationFailureAction: enforce
- background: false
- rules:
- - name: deny-system-namespaces
- match:
- resources:
- kinds:
- - Namespace
- name: "*-system"
- exclude:
- clusterRoles:
- - cluster-admin
- - tigera-operator
- validate:
- message: "Creating *-system namespaces is not allowed."
- deny: {}
diff --git a/infrastructure/kyverno/kustomization.yaml b/infrastructure/kyverno/kustomization.yaml
deleted file mode 100644
index 2e0b4de71a5426676b7e4bd6f7dde279dc2de0a3..0000000000000000000000000000000000000000
--- a/infrastructure/kyverno/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kyverno
-resources:
- - release.yaml
- - deny-system-namespaces.yaml
- - deny-network-policies.yaml
- - allow-from-same-namespace-network-policies.yaml
- - quotas.yaml
diff --git a/infrastructure/kyverno/quotas.yaml b/infrastructure/kyverno/quotas.yaml
deleted file mode 100644
index 56049ecac7cb4753a9e964b45d8f2193ea55bb16..0000000000000000000000000000000000000000
--- a/infrastructure/kyverno/quotas.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-ns-quota
- annotations:
- policies.kyverno.io/title: Add Quota
- policies.kyverno.io/category: Multi-Tenancy
- policies.kyverno.io/subject: ResourceQuota, LimitRange
- policies.kyverno.io/description: >-
- To better control the number of resources that can be created in a given
- Namespace and provide default resource consumption limits for Pods,
- ResourceQuota and LimitRange resources are recommended.
- This policy will generate ResourceQuota and LimitRange resources when
- a new Namespace is created.
-spec:
- validationFailureAction: enforce
- rules:
- - name: generate-resourcequota
- match:
- resources:
- kinds:
- - Namespace
- exclude:
- resources:
- namespaces:
- - '*-system'
- - default
- - kube-public
- - kube-node-lease
- generate:
- kind: ResourceQuota
- name: default-resourcequota
- synchronize: true
- namespace: "{{request.object.metadata.name}}"
- data:
- spec:
- hard:
- requests.cpu: '4'
- requests.memory: '16Gi'
- limits.cpu: '4'
- limits.memory: '16Gi'
- - name: generate-limitrange
- match:
- resources:
- kinds:
- - Namespace
- exclude:
- resources:
- namespaces:
- - '*-system'
- - default
- - kube-public
- - kube-node-lease
- generate:
- kind: LimitRange
- name: default-limitrange
- synchronize: true
- namespace: "{{request.object.metadata.name}}"
- data:
- spec:
- limits:
- - default:
- cpu: 500m
- memory: 1Gi
- defaultRequest:
- cpu: 200m
- memory: 256Mi
- type: Container
diff --git a/infrastructure/kyverno/release.yaml b/infrastructure/kyverno/release.yaml
deleted file mode 100644
index 68308916f1bcc528d4f54d812d1c84cd1e9228de..0000000000000000000000000000000000000000
--- a/infrastructure/kyverno/release.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
- name: kyverno-policies
- namespace: kyverno
-spec:
- releaseName: kyverno-policies
- chart:
- spec:
- chart: kyverno-policies
- sourceRef:
- kind: HelmRepository
- name: kyverno
- namespace: kyverno
- version: v2.1.10
- interval: 5m
- dependsOn:
- - name: kyverno-crds