mirror of
https://github.com/ghndrx/homelab-gitops.git
synced 2026-02-10 06:44:57 +00:00
3752fd0386
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas) - Validation policies: - disallow-privileged-containers (Enforce) - require-resource-limits (Enforce) - require-labels (Audit - standard k8s labels) - require-run-as-non-root (Audit) - disallow-latest-tag (Enforce - GitOps reproducibility) - Mutating policy: - add-default-securitycontext (seccomp, drop caps, read-only fs) - System namespaces excluded (kube-system, kyverno, istio-system) - Auto-discovered by ArgoCD ApplicationSet Reference: CIS Kubernetes Benchmark, Pod Security Standards
13 lines
356 B
YAML
13 lines
356 B
YAML
# infrastructure/kyverno/policies/kustomization.yaml
|
|
# Security policies for cluster-wide enforcement
|
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
kind: Kustomization
|
|
|
|
resources:
|
|
- disallow-privileged.yaml
|
|
- require-resource-limits.yaml
|
|
- require-labels.yaml
|
|
- require-non-root.yaml
|
|
- disallow-latest-tag.yaml
|
|
- add-default-securitycontext.yaml
|