ghndrx/homelab-gitops
1
0
Fork 0
mirror of https://github.com/ghndrx/homelab-gitops.git synced 2026-02-10 06:44:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
homelab-gitops/infrastructure/kyverno/kustomization.yaml
Greg Hendrickson 3752fd0386 feat(kyverno): add policy engine with security baseline 
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards
2026-02-09 18:02:21 +00:00

63 lines
1.6 KiB
YAML
Raw Permalink Blame History

# infrastructure/kyverno/kustomization.yaml
# Kyverno Policy Engine - GitOps-native Kubernetes policy enforcement
# CNCF Graduated project, integrates seamlessly with ArgoCD
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno
resources:
- namespace.yaml
- policies/
# Kyverno deployment via Helm
helmCharts:
- name: kyverno
repo: https://kyverno.github.io/kyverno/
version: "3.3.4"
releaseName: kyverno
namespace: kyverno
valuesInline:
# Admission controller replicas for HA
admissionController:
replicas: 3
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
# Background controller for generate/mutate policies
backgroundController:
replicas: 2
resources:
limits:
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi
# Reports controller for policy reports
reportsController:
replicas: 2
# Cleanup controller
cleanupController:
replicas: 2
# Enable policy exception support
features:
policyExceptions:
enabled: true
namespace: "kyverno"
# Webhooks config
config:
webhooks:
# Exclude system namespaces from validation
- namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
- kube-public
- kube-node-lease
- kyverno
Reference in New Issue View Git Blame Copy Permalink