Stack: Kyverno #38
Conversation
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
… well as include the exceptions needed to make other Ref implementation components work out of the box Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
…dit or Enforce mode Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
This is super cool @kurktchiev 🚀
name: crossplane-system-cnoe-operation | ||
namespace: kyverno | ||
spec: | ||
exceptions: |
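Review bot: the scope of this exception is not visible in the fragment; since `spec.exceptions` here lifts the PSS checks for crossplane, the `spec.match` block should pin the exception to the crossplane namespace and the Pod-producing kinds it actually needs, and each `exceptions[]` entry should list only the `policyName`/`ruleNames` that crossplane trips, with a short comment per rule saying why. That keeps the blast radius of the exception small and makes the "can we reduce these exceptions" discussion reviewable rule by rule.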
Can we install crossplane differently to make it more aligned with best practice policies?
I'm not sure what you mean here, can you elaborate?
This adds exceptions to allow crossplane to work. Are there some changes we can make to the crossplane installation here so it doesn't need this many exceptions?
I could, but since Stacks have no conditionals, if the exceptions are installed without Kyverno, the installation will fail as k8s won't know what object that is. Let me know.
@nabuskey ^^ let me know if you have any thoughts
I don't see a path forward for this without native conditionals and parameter sharing in packages. The best we can do is to make changes to the Crossplane stack, but that's outside the scope of this PR. This kind of thing is exactly why we need a way to support templating or layering somehow. I don't think we can expect people to wrap everything in a helm chart.
@kurktchiev It would be great to have you demo this in the next CNOE community meeting next week Oct 1st, https://docs.google.com/document/d/1Ir5EV8VFbXVW3O1N1X8cu8eTwcOZcPvrBqEdw1SY03I/edit
kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
Signed-off-by: Boris 'B' Kurktchiev <[email protected]>
LGTM
This stack will install Kyverno for policy control and enforcement. Optionally, a user can install the Kyverno PSS implementation for the `restricted` profile in `Audit` mode. Furthermore, the user can instead enable the `Enforce` mode of PSS along with the necessary exceptions to allow for proper `ref-implementation` functioning.
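To make the Audit-versus-Enforce distinction and the exception mechanism concrete, here is an added example (not a manifest from this stack or from the Kyverno project) showing a PSS `restricted` policy in Audit mode, the single field that switches it to Enforce, and a PolicyException scoped to one namespace, one kind and one rule, which is the shape the review discussion above about limiting the crossplane exceptions points toward. The policy name `psa-restricted`, the rule name `restricted`, the namespace `crossplane-system` and the exception name are assumptions chosen for illustration.

```yaml
# Added example, not part of the stack. Names below are assumptions.
---
# Audit mode: violations are only recorded in PolicyReports; nothing is blocked.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa-restricted
spec:
  validationFailureAction: Audit   # switch to Enforce to reject non-compliant Pods
  background: true                 # also scan existing Pods, not only admissions
  rules:
    - name: restricted
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted        # PSS profile
          version: latest
---
# Enforce mode: identical policy, but admission requests that violate the
# profile are rejected. Ship this only together with the exceptions the
# workloads genuinely need.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psa-restricted
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: restricted
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: latest
---
# Narrow exception: only Pods in crossplane-system, only for the one rule
# they trip. Lives in the kyverno namespace, matching the fragment reviewed
# above, so that only whoever can write there can widen the exception.
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
  name: crossplane-psa-restricted   # assumed name
  namespace: kyverno
spec:
  match:
    any:
      - resources:
          kinds:
            - Pod
          namespaces:
            - crossplane-system    # assumed namespace of the exempted workload
  exceptions:
    - policyName: psa-restricted
      ruleNames:
        - restricted
```

The two ClusterPolicies differ only in `validationFailureAction`, which is why a stack can offer Audit and Enforce as alternative modules: Audit surfaces violations in PolicyReports for review, Enforce blocks them at admission. An exception carries no `match` narrowing by default beyond what you give it, so the `namespaces` and `kinds` entries are what keep it from silently exempting every Pod in the cluster; each additional namespace or rule name added to it should be justified in a comment, which is the rule-by-rule review the comments above ask for. Depending on the Kyverno version, PolicyException support must be enabled on the Kyverno deployment and may be restricted to a dedicated namespace, which is consistent with placing the object in `kyverno`.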