Whitelist the kyverno policy exceptions

Signed-off-by: Jirka Kremser <[email protected]>

.gitignore

@@ -0,0 +1,3 @@
+# binary
+/bin/kustomize
+

Makefile.custom.mk

@@ -1,24 +1,51 @@
 ##@ App
 
+OS ?= $(shell go env GOOS 2>/dev/null || echo linux)
+ARCH ?= $(shell go env GOARCH 2>/dev/null || echo amd64)
+KUSTOMIZE := ./bin/kustomize
+KUSTOMIZE_VERSION ?= v4.5.7
+
 .PHONY: all
 all: update-cpi-chart update-csi-chart update-kubevip-chart update-kubevip-cloud-provider-chart
+	@$(call say,Sync has been done ✓)
 
 .PHONY: update-cpi-chart
-update-cpi-chart: 
+update-cpi-chart:
+	@$(call say,CPI helm chart)
 	./hack/update-cpi-chart.sh
 	./hack/common-labels-injector.sh cloud-provider-for-vsphere
 
 .PHONY: update-csi-chart
-update-csi-chart: 
-	./hack/update-csi-chart.sh
+update-csi-chart: $(KUSTOMIZE)
+	@$(call say,CSI helm chart)
+	./hack/update-csi-chart.sh $(KUSTOMIZE)
 	./hack/common-labels-injector.sh vsphere-csi-driver
 
 .PHONY: update-kubevip-chart
-update-kubevip-chart: 
+update-kubevip-chart:
+	@$(call say,Kubevip helm chart)
 	./hack/update-kubevip-chart.sh
 	./hack/common-labels-injector.sh kube-vip
 
 .PHONY: update-kubevip-cloud-provider-chart
-update-kubevip-cloud-provider-chart: 
+update-kubevip-cloud-provider-chart:
+	@$(call say,Kubevip cloud provider helm chart)
 	./hack/update-kubevip-cloud-provider-chart.sh
 	./hack/common-labels-injector.sh kube-vip-cloud-provider
+
+$(KUSTOMIZE): ## Download kustomize locally if necessary.
+	@$(call say,Download Kustomize)
+	mkdir -p $(dir $@)
+	curl -sfL "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F$(KUSTOMIZE_VERSION)/kustomize_$(KUSTOMIZE_VERSION)_$(OS)_$(ARCH).tar.gz" | tar zxv -C $(dir $@)
+	chmod +x $@
+	@echo "kustomize downloaded"
+
+ifndef NO_COLOR
+YELLOW=\033[0;33m
+# no color
+NC=\033[0m
+endif
+
+define say
+echo "\n$(shell echo "$1 " | tr '[:rune:]' '=')\n $(YELLOW)$1$(NC)\n$(shell echo "$1 " | tr '[:rune:]' '=')"
+endef

config/cloud-provider-for-vsphere/overwrites/templates/pss-exceptions.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.global.kyvernoPolicyExceptions.enabled }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: cloud-provider-exceptions
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - autogen-host-path
+    - host-path
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - DaemonSet
+        - ReplicaSet
+        - Pod
+        namespaces:
+        - {{ .Release.Namespace }}
+        names:
+        - cloud-provider-for-vsphere*
+{{- end }}

config/kube-vip-cloud-provider/overwrites/templates/pss-exceptions.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.global.kyvernoPolicyExceptions.enabled }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: kube-vip-cloud-provider-exceptions
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - autogen-host-path
+    - host-path
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        - ReplicaSet
+        - Pod
+        namespaces:
+        - {{ .Release.Namespace }}
+        names:
+        - kube-vip-cloud-provider*
+{{- end }}

config/kube-vip/overwrites/templates/pss-exceptions.yaml

@@ -0,0 +1,65 @@
+{{- if .Values.global.kyvernoPolicyExceptions.enabled }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: kube-vip-exceptions
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  exceptions:
+  - policyName: disallow-capabilities
+    ruleNames:
+    - autogen-adding-capabilities
+    - adding-capabilities
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - autogen-require-drop-all
+    - require-drop-all
+    - autogen-adding-capabilities-strict
+    - adding-capabilities-strict
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - autogen-host-namespaces
+    - host-namespaces
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - autogen-privilege-escalation
+    - privilege-escalation
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - autogen-run-as-non-root
+    - run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - autogen-check-seccomp-strict
+    - check-seccomp-strict
+  - policyName: restrict-image-registries
+    ruleNames:
+    - autogen-validate-registries
+    - validate-registries
+  - policyName: restrict-volume-types
+    ruleNames:
+    - autogen-restricted-volumes
+    - restricted-volumes
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        # because kube-vip prefix is common also for kube-vip-cloud-provider, we need to distinguish bethween the two
+        selector:
+          matchLabels:
+          {{- include "kube-vip.selectorLabels" . | nindent 10 }}
+        namespaces:
+        - {{ .Release.Namespace }}
+        names:
+        - kube-vip-*
+    - resources:
+        kinds:
+        - DaemonSet
+        namespaces:
+        - {{ .Release.Namespace }}
+        names:
+        - kube-vip
+{{- end }}

config/vsphere-csi-driver/kustomization.yaml

@@ -1,3 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 namespace: "{{ .Release.Namespace }}"
 
 patchesStrategicMerge:

config/vsphere-csi-driver/overwrites/templates/pss-exceptions.yaml

@@ -0,0 +1,65 @@
+{{- if .Values.global.kyvernoPolicyExceptions.enabled }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: vsphere-csi-exceptions
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  exceptions:
+  - policyName: disallow-privileged-containers
+    ruleNames:
+    - autogen-privileged-containers
+    - privileged-containers
+  - policyName: disallow-host-path
+    ruleNames:
+    - autogen-host-path
+    - host-path
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  - policyName: disallow-host-ports
+    ruleNames:
+    - host-ports-none
+    - autogen-host-ports-none
+  - policyName: restrict-volume-types
+    ruleNames:
+    - restricted-volumes
+    - autogen-restricted-volumes
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  - policyName: disallow-capabilities
+    ruleNames:
+    - adding-capabilities
+    - autogen-adding-capabilities
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - adding-capabilities-strict
+    - autogen-adding-capabilities-strict
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  match:
+    any:
+    - resources:
+        kinds:
+        - DaemonSet
+        - Deployment
+        - ReplicaSet
+        - Pod
+        namespaces:
+        - {{ .Release.Namespace }}
+        names:
+        - vsphere-csi*
+{{- end }}

hack/update-csi-chart.sh

@@ -4,6 +4,7 @@ set -euo pipefail
 
 base_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)
 chart_dir="./helm/cloud-provider-vsphere/charts/vsphere-csi-driver"
+KUSTOMIZE="${1:-kustomize}"
 
 cd "$base_dir"
 
@@ -24,7 +25,7 @@ cp -R \
 
 # Customizations
 
-kubectl kustomize "./config/vsphere-csi-driver" -o "./config/vsphere-csi-driver/tmp"
+${KUSTOMIZE} build "./config/vsphere-csi-driver" -o "./config/vsphere-csi-driver/tmp"
 
 find \
   "./config/vsphere-csi-driver/tmp/" \

helm/cloud-provider-vsphere/charts/cloud-provider-for-vsphere/templates/pss-exceptions.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.global.kyvernoPolicyExceptions.enabled }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: cloud-provider-exceptions
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - autogen-host-path
+    - host-path
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - DaemonSet
+        - ReplicaSet
+        - Pod
+        namespaces:
+        - {{ .Release.Namespace }}
+        names:
+        - cloud-provider-for-vsphere*
+{{- end }}

helm/cloud-provider-vsphere/charts/kube-vip-cloud-provider/templates/pss-exceptions.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.global.kyvernoPolicyExceptions.enabled }}
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: kube-vip-cloud-provider-exceptions
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - autogen-host-path
+    - host-path
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        - ReplicaSet
+        - Pod
+        namespaces:
+        - {{ .Release.Namespace }}
+        names:
+        - kube-vip-cloud-provider*
+{{- end }}