From 8a5ed52b74d6c19162ae4c43251fa8910cd93c88 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 3 Feb 2022 20:09:08 +0100
Subject: [PATCH] fix(kyverno): Remove kyverno from setup

It's the 3rd update of kyverno and each time, things break in a minor
version. This is no modus operandi for this setup. Things are supposed to
be stable and solid to work with. Kyverno is too unstable for this
use-case.

This time the installation of the pods failed due to wrong deployment
names. This is nothing we change or adjust.

Further the removal doesn't have any major impact on the platform, since
network policies are already deployed via gitops from the `shared/`
directory.

BREAKING CHANGE: Removing kyverno and related CRDs/APIs.
---
 bootstrap/kyverno/kustomization.yaml          |  7 --
 bootstrap/kyverno/namespace.yaml              |  7 --
 bootstrap/kyverno/release.yaml                | 27 --------
 bootstrap/kyverno/repository.yaml             |  8 ---
 ...-from-same-namespace-network-policies.yaml | 32 ---------
 .../kyverno/deny-network-policies.yaml        | 20 ------
 .../kyverno/deny-system-namespaces.yaml       | 21 ------
 infrastructure/kyverno/kustomization.yaml     |  9 ---
 infrastructure/kyverno/quotas.yaml            | 68 -------------------
 infrastructure/kyverno/release.yaml           | 18 -----
 10 files changed, 217 deletions(-)
 delete mode 100644 bootstrap/kyverno/kustomization.yaml
 delete mode 100644 bootstrap/kyverno/namespace.yaml
 delete mode 100644 bootstrap/kyverno/release.yaml
 delete mode 100644 bootstrap/kyverno/repository.yaml
 delete mode 100644 infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
 delete mode 100644 infrastructure/kyverno/deny-network-policies.yaml
 delete mode 100644 infrastructure/kyverno/deny-system-namespaces.yaml
 delete mode 100644 infrastructure/kyverno/kustomization.yaml
 delete mode 100644 infrastructure/kyverno/quotas.yaml
 delete mode 100644 infrastructure/kyverno/release.yaml

diff --git a/bootstrap/kyverno/kustomization.yaml b/bootstrap/kyverno/kustomization.yaml
deleted file mode 100644
index 2f4dcc1d2..000000000
--- a/bootstrap/kyverno/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kyverno
-resources:
-  - namespace.yaml
-  - repository.yaml
-  - release.yaml
diff --git a/bootstrap/kyverno/namespace.yaml b/bootstrap/kyverno/namespace.yaml
deleted file mode 100644
index 3c428410e..000000000
--- a/bootstrap/kyverno/namespace.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kyverno
-  labels:
-    name: kyverno
-    kyverno.shivering-isles.com/class: "system"
diff --git a/bootstrap/kyverno/release.yaml b/bootstrap/kyverno/release.yaml
deleted file mode 100644
index c1add280b..000000000
--- a/bootstrap/kyverno/release.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: kyverno-crds
-  namespace: kyverno
-spec:
-  releaseName: kyverno-crds
-  chart:
-    spec:
-      chart: kyverno
-      sourceRef:
-        kind: HelmRepository
-        name: kyverno
-        namespace: kyverno
-      version: v2.1.10
-  interval: 5m
-  values:
-    replicaCount: 2
-    podDisruptionBudget:
-      enabled: true
-      minAvailable: 1
-    serviceMonitor:
-      enabled: true
-  install:
-    crds: CreateReplace
-  upgrade:
-    crds: CreateReplace
diff --git a/bootstrap/kyverno/repository.yaml b/bootstrap/kyverno/repository.yaml
deleted file mode 100644
index 46776215f..000000000
--- a/bootstrap/kyverno/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
-  name: kyverno
-  namespace: kyverno
-spec:
-  interval: 30m
-  url: https://kyverno.github.io/kyverno/
diff --git a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml b/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
deleted file mode 100644
index 7ad69a130..000000000
--- a/infrastructure/kyverno/allow-from-same-namespace-network-policies.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: allow-from-same-namespace
-spec:
-  rules:
-  - name: allow-from-same-namespace
-    match:
-      resources:
-        kinds:
-        - Namespace
-        selector:
-          matchExpressions:
-            - {key: kyverno.shivering-isles.com/class, operator: NotIn, values: [system]}
-    exclude:
-      resources:
-        namespaces:
-        - '*-system'
-        - default
-        - kube-public
-        - tigera-operator
-    generate:
-      kind: NetworkPolicy
-      name: allow-from-same-namespace-managed
-      namespace: "{{request.object.metadata.name}}"
-      data:
-        apiVersion: networking.k8s.io/v1
-        spec:
-          podSelector: {}
-          ingress:
-          - from:
-            - podSelector: {}
diff --git a/infrastructure/kyverno/deny-network-policies.yaml b/infrastructure/kyverno/deny-network-policies.yaml
deleted file mode 100644
index d291ebcd8..000000000
--- a/infrastructure/kyverno/deny-network-policies.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: deny-netpol-changes
-spec:
-  validationFailureAction: enforce
-  background: false
-  rules:
-  - name: deny-netpol-changes
-    match:
-      resources:
-        kinds:
-        - NetworkPolicy
-        name: "*-managed"
-    exclude:
-      clusterRoles:
-      - cluster-admin
-    validate:
-      message: "Changing managed network policies is not allowed."
-      deny: {}
diff --git a/infrastructure/kyverno/deny-system-namespaces.yaml b/infrastructure/kyverno/deny-system-namespaces.yaml
deleted file mode 100644
index cda26c8a7..000000000
--- a/infrastructure/kyverno/deny-system-namespaces.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: deny-system-namespaces
-spec:
-  validationFailureAction: enforce
-  background: false
-  rules:
-  - name: deny-system-namespaces
-    match:
-      resources:
-        kinds:
-        - Namespace
-        name: "*-system"
-    exclude:
-      clusterRoles:
-      - cluster-admin
-      - tigera-operator
-    validate:
-      message: "Creating *-system namespaces is not allowed."
-      deny: {}
diff --git a/infrastructure/kyverno/kustomization.yaml b/infrastructure/kyverno/kustomization.yaml
deleted file mode 100644
index 2e0b4de71..000000000
--- a/infrastructure/kyverno/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kyverno
-resources:
-  - release.yaml
-  - deny-system-namespaces.yaml
-  - deny-network-policies.yaml
-  - allow-from-same-namespace-network-policies.yaml
-  - quotas.yaml
diff --git a/infrastructure/kyverno/quotas.yaml b/infrastructure/kyverno/quotas.yaml
deleted file mode 100644
index 56049ecac..000000000
--- a/infrastructure/kyverno/quotas.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: add-ns-quota
-  annotations:
-    policies.kyverno.io/title: Add Quota
-    policies.kyverno.io/category: Multi-Tenancy
-    policies.kyverno.io/subject: ResourceQuota, LimitRange
-    policies.kyverno.io/description: >-
-      To better control the number of resources that can be created in a given
-      Namespace and provide default resource consumption limits for Pods,
-      ResourceQuota and LimitRange resources are recommended.
-      This policy will generate ResourceQuota and LimitRange resources when
-      a new Namespace is created.
-spec:
-  validationFailureAction: enforce
-  rules:
-  - name: generate-resourcequota
-    match:
-      resources:
-        kinds:
-        - Namespace
-    exclude:
-      resources:
-        namespaces:
-          - '*-system'
-          - default
-          - kube-public
-          - kube-node-lease
-    generate:
-      kind: ResourceQuota
-      name: default-resourcequota
-      synchronize: true
-      namespace: "{{request.object.metadata.name}}"
-      data:
-        spec:
-          hard:
-            requests.cpu: '4'
-            requests.memory: '16Gi'
-            limits.cpu: '4'
-            limits.memory: '16Gi'
-  - name: generate-limitrange
-    match:
-      resources:
-        kinds:
-        - Namespace
-    exclude:
-      resources:
-        namespaces:
-          - '*-system'
-          - default
-          - kube-public
-          - kube-node-lease
-    generate:
-      kind: LimitRange
-      name: default-limitrange
-      synchronize: true
-      namespace: "{{request.object.metadata.name}}"
-      data:
-        spec:
-          limits:
-          - default:
-              cpu: 500m
-              memory: 1Gi
-            defaultRequest:
-              cpu: 200m
-              memory: 256Mi
-            type: Container
diff --git a/infrastructure/kyverno/release.yaml b/infrastructure/kyverno/release.yaml
deleted file mode 100644
index 68308916f..000000000
--- a/infrastructure/kyverno/release.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: kyverno-policies
-  namespace: kyverno
-spec:
-  releaseName: kyverno-policies
-  chart:
-    spec:
-      chart: kyverno-policies
-      sourceRef:
-        kind: HelmRepository
-        name: kyverno
-        namespace: kyverno
-      version: v2.1.10
-  interval: 5m
-  dependsOn:
-    - name: kyverno-crds
-- 
GitLab