feat(kyverno): add policy engine with security baseline

- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas) - Validation policies: - disallow-privileged-containers (Enforce) - require-resource-limits (Enforce) - require-labels (Audit - standard k8s labels) - require-run-as-non-root (Audit) - disallow-latest-tag (Enforce - GitOps reproducibility) - Mutating policy: - add-default-securitycontext (seccomp, drop caps, read-only fs) - System namespaces excluded (kube-system, kyverno, istio-system) - Auto-discovered by ArgoCD ApplicationSet Reference: CIS Kubernetes Benchmark, Pod Security Standards
2026-02-10 06:44:57 +00:00 · 2026-02-09 18:02:21 +00:00
parent 124a29a0a9
commit 3752fd0386
10 changed files with 445 additions and 0 deletions
--- a/infrastructure/kyverno/kustomization.yaml
+++ b/infrastructure/kyverno/kustomization.yaml
@@ -0,0 +1,62 @@
+# infrastructure/kyverno/kustomization.yaml
+# Kyverno Policy Engine - GitOps-native Kubernetes policy enforcement
+# CNCF Graduated project, integrates seamlessly with ArgoCD
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kyverno
+
+resources:
+  - namespace.yaml
+  - policies/
+
+# Kyverno deployment via Helm
+helmCharts:
+  - name: kyverno
+    repo: https://kyverno.github.io/kyverno/
+    version: "3.3.4"
+    releaseName: kyverno
+    namespace: kyverno
+    valuesInline:
+      # Admission controller replicas for HA
+      admissionController:
+        replicas: 3
+        resources:
+          limits:
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 256Mi
+      # Background controller for generate/mutate policies
+      backgroundController:
+        replicas: 2
+        resources:
+          limits:
+            memory: 256Mi
+          requests:
+            cpu: 50m
+            memory: 128Mi
+      # Reports controller for policy reports
+      reportsController:
+        replicas: 2
+      # Cleanup controller
+      cleanupController:
+        replicas: 2
+      # Enable policy exception support
+      features:
+        policyExceptions:
+          enabled: true
+          namespace: "kyverno"
+      # Webhooks config
+      config:
+        webhooks:
+          # Exclude system namespaces from validation
+          - namespaceSelector:
+              matchExpressions:
+                - key: kubernetes.io/metadata.name
+                  operator: NotIn
+                  values:
+                    - kube-system
+                    - kube-public
+                    - kube-node-lease
+                    - kyverno