From ae776d71ba4b484910fc7a8132784d78039f74ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= Date: Mon, 16 Feb 2026 15:59:33 +0100 Subject: [PATCH] =?UTF-8?q?=E2=9E=95=EF=B8=8F=20Add=20a=20couple=20of=20ne?= =?UTF-8?q?w-style=20Kyverno=20policies?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Eventually, we should rewrite all Kyverno policies to replace the old-style ones (ClusterPolicy) with the new ones and use CEL. --- k8s/kyverno-ingress-domain-name-4.yaml | 56 ++++++++++++++++++++++++++ k8s/kyverno-vap.yaml | 37 +++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 k8s/kyverno-ingress-domain-name-4.yaml create mode 100644 k8s/kyverno-vap.yaml diff --git a/k8s/kyverno-ingress-domain-name-4.yaml b/k8s/kyverno-ingress-domain-name-4.yaml new file mode 100644 index 00000000..7c281365 --- /dev/null +++ b/k8s/kyverno-ingress-domain-name-4.yaml @@ -0,0 +1,56 @@ +# This is a Kyverno policy to automatically generate an Ingress resource, +# similar to the other ones in this directory; but instead of using the +# "old-style" policies (ClusterPolicy with spec.rules.generate), it is +# using the new CR GeneratingPolicy and CEL. +apiVersion: policies.kyverno.io/v1 +kind: GeneratingPolicy +metadata: + name: generate-ingress-for-service +spec: + matchConstraints: + resourceRules: + - apiGroups: [''] + apiVersions: ['v1'] + operations: ['CREATE'] + resources: ['services'] + variables: + - name: host + expression: | + object.metadata.name + "." + object.metadata.namespace + ".example.com" + - name: ingress + expression: >- + [ + { + "kind": dyn("Ingress"), + "apiVersion": dyn("networking.k8s.io/v1"), + "metadata": dyn({ + "name": object.metadata.name, + "namespace": object.metadata.namespace, + }), + "spec": dyn({ + "rules": [ + { + "host": dyn(variables.host), + "http": dyn({ + "paths": [ + { + "path": dyn("/"), + "pathType": dyn("Prefix"), + "backend": dyn({ + "service": { + "name": dyn(object.metadata.name), + "port": dyn({ + "number": 80 + }) + } + }) + } + ] + }) + } + ] + }) + } + ] + generate: + - expression: generator.Apply(object.metadata.namespace, variables.ingress) diff --git a/k8s/kyverno-vap.yaml b/k8s/kyverno-vap.yaml new file mode 100644 index 00000000..64dd410b --- /dev/null +++ b/k8s/kyverno-vap.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: ensure-security-label +spec: + # What to do if an error happens when evaluating that policy? (Fail or Ignore) + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["pods"] + scope: Namespaced # "Cluster", "Namespaced", or "*" + validations: + - expression: | + 'security' in object.metadata.labels + && + object.metadata.labels.security in [ "public", "private", "namespace" ] +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: ensure-security-label +spec: + policyName: ensure-security-label + # What to do when a policy doesn't validate: Deny, Warn, Audit. + # (Note: it doesn't make sense to put Deny and Warn together.) + validationActions: [ Deny ] + matchResources: + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: [ kube-system, local-path-storage, kyverno ] +