feat: kyverno policies (#1462)

Co-authored-by: Sander Rodenhuis <[email protected]>
Co-authored-by: ferruhcihan <[email protected]>
Co-authored-by: Jehoszafat Zimnowoda <[email protected]>
Co-authored-by: Matthias Erll <[email protected]>
Co-authored-by: Matthias Erll <[email protected]>
Co-authored-by: Ani Argjiri <[email protected]>
Co-authored-by: jeho <[email protected]>
Co-authored-by: Jehoszafat Zimnowoda <[email protected]>

Author: 8 people

.cspell.json

@@ -84,6 +84,7 @@
     "ovh",
     "otel",
     "thanos",
+    "kyverno",
     "Paketo",
     "tekton",
     "cnpg",

.values/env/apps/falco.yaml

@@ -7,7 +7,6 @@ apps:
                     - macro: k8s_containers
                       condition: (
                           container.image.repository in (
-                            docker.io/openpolicyagent/gatekeeper,
                             docker.io/velero/velero,
                             docker.io/weaveworks/kured,
                             k8s.gcr.io/kube-state-metrics/kube-state-metrics,

.values/env/apps/gatekeeper.yaml

@@ -1 +1 @@
-version: 22
+version: 23

.values/env/settings.yaml

@@ -9,3 +9,5 @@ teamConfig:
             access:
                 - shell
                 - downloadCertificateAuthority
+            policies:
+                - edit policies

.values/env/teams.yaml

@@ -0,0 +1,96 @@
+teamConfig:
+    admin:
+        policies:
+            allowed-image-repositories:
+                action: Audit
+                customValues: []
+                severity: medium
+            disallow-capabilities:
+                action: Audit
+                customValues:
+                    - AUDIT_WRITE
+                    - CHOWN
+                    - DAC_OVERRIDE
+                    - FOWNER
+                    - FSETID
+                    - KILL
+                    - MKNOD
+                    - NET_BIND_SERVICE
+                    - SETFCAP
+                    - SETGID
+                    - SETPCAP
+                    - SETUID
+                    - SYS_CHROOT
+                    - '""'
+                severity: medium
+            disallow-capabilities-strict:
+                action: Audit
+                severity: medium
+            disallow-host-namespaces:
+                action: Audit
+                severity: medium
+            disallow-host-path:
+                action: Audit
+                severity: medium
+            disallow-host-ports:
+                action: Audit
+                severity: medium
+            disallow-host-process:
+                action: Audit
+                severity: medium
+            disallow-latest-tag:
+                action: Audit
+                severity: medium
+            disallow-privilege-escalation:
+                action: Audit
+                severity: medium
+            disallow-privileged-containers:
+                action: Audit
+                severity: medium
+            disallow-proc-mount:
+                action: Audit
+                severity: medium
+            disallow-selinux:
+                action: Audit
+                severity: medium
+            require-limits:
+                action: Audit
+                severity: medium
+            require-requests:
+                action: Audit
+                severity: medium
+            require-run-as-non-root-user:
+                action: Audit
+                severity: medium
+            require-run-as-nonroot:
+                action: Audit
+                severity: medium
+            require-labels:
+                action: Audit
+                severity: medium
+                customValues:
+                    - 'otomi.io/app'
+            restrict-apparmor-profiles:
+                action: Audit
+                severity: medium
+            restrict-seccomp:
+                action: Audit
+                severity: medium
+            restrict-seccomp-strict:
+                action: Audit
+                severity: medium
+            restrict-sysctls:
+                action: Audit
+                severity: medium
+            restrict-volume-types:
+                action: Audit
+                customValues:
+                    - configMap
+                    - csi
+                    - downwardAPI
+                    - emptyDir
+                    - ephemeral
+                    - persistentVolumeClaim
+                    - projected
+                    - secret
+                severity: medium

.values/env/teams/policies.admin.yaml

@@ -97,18 +97,6 @@ appsInfo:
     dependencies: None. Prometheus and Grafana are adviced
     about: Falco is an open source cloud native runtime security tool that makes it easy to consume kernel events, and enrich those events with information from Kubernetes. Falco has a rich set of security rules specifically built for Kubernetes and Linux. If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
     integration: Falco can be enabled in Otomi for runtime intrusion detection. Macros have been configured to exclude all known platform violations so platform admins are only notified when user workloads are not compliant to the security rules. Alerts are automatically send using Alertmanager and the Falco Dashboard is added to Grafana.
-  gatekeeper:
-    title: Gatekeeper
-    appVersion: 3.8.1
-    repo: https://github.com/open-policy-agent/gatekeeper
-    maintainers: Open Policy Agent
-    relatedLinks:
-      - https://otomi.io/docs/apps/gatekeeper
-      - https://open-policy-agent.github.io/gatekeeper/website/docs/
-    license: Apache 2.0
-    dependencies: None. Prometheus and Grafana are adviced.
-    about: Kubernetes allows decoupling policy decisions from the inner workings of the API Server by means of admission controller webhooks, which are executed whenever a resource is created, updated or deleted. Gatekeeper is a validating (mutating TBA) webhook that enforces CRD-based policies executed by Open Policy Agent.
-    integration: OPA/Gatekeeper can be enabled for policy enforcement. The Otomi configuration repository holds a policies.yaml file with sane default policy presets. A selection of usable policies for Otomi are used by Conftest as well for static analysis of manifests generated by Otomi. YAML Resources are verified against defined .rego policy rules, using the defined preset parameters as their constraint value. When enabled, policies can be turned on/off in the Otomi web UI.
   gitea:
     title: Gitea Self-hosted GIT
     appVersion: 1.15.8
@@ -220,6 +208,16 @@ appsInfo:
     license: Apache 2.0
     about: Knative Serving builds on Kubernetes to support deploying and serving of applications and functions as serverless containers. Serving is easy to get started with and scales to support advanced scenarios.
     integration: Knative serving can be activated to deliver Container-as-a-Service (CaaS) functionality with a scale-to-zero option. It can be compared to Functions-as-a-service (FaaS) but is container oriented, and takes only one manifest to configure an auto scaling service based on a container image of choice. Otomi offers an on-the-fly Knative service deployment, making it very easy to deploy containerized services without the hassle of providing all the supporting resources involved with Helm charts. Istio Virtual Services are used to route traffic coming in for a public domain to its backing Knative Service, allowing it to set a custom domain.
+  kyverno:
+    title: Kyverno
+    appVersion: 1.11.3
+    repo: https://github.com/kyverno/kyverno
+    maintainers: Nirmata
+    relatedLinks:
+      - https://otomi.io/docs/apps/kyverno
+      - https://kyverno.io/docs/kyverno-policies/
+    license: Apache 2.0
+    about: Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language.
   kured:
     title: Kured
     appVersion: 1.13.1