{{- /* Values key under which this package's settings live in the umbrella values. */ -}}
{{- $packageKey := "kyvernoPolicies" }}
{{- /*
Emit the kyverno-policies values Secret only when the package is enabled.
The user-facing overlays (bigbang.overlays.kyverno-policies) are handed to the
values-secret helper as the package values, and the chart defaults
(bigbang.defaults.kyverno-policies, defined below) as the defaults string;
the helper is responsible for combining the two.
*/ -}}
{{- if (get .Values $packageKey).enabled }}
{{- $overlayValues := fromYaml (include "bigbang.overlays.kyverno-policies" .) }}
{{- $defaultValues := include "bigbang.defaults.kyverno-policies" . }}
{{- include "values-secret" (dict "root" $ "package" (dict "values" $overlayValues) "name" "kyverno-policies" "defaults" $defaultValues) }}
{{- end }}

{{- define "bigbang.defaults.kyverno-policies" -}}

{{- $deployNodeAgent := (and .Values.addons.velero.enabled (dig "deployNodeAgent" false .Values.addons.velero.values)) }}

waitforready:
  imagePullSecrets:
  - name: private-registry

policies:

  {{- if or .Values.twistlock.enabled .Values.neuvector.enabled }}
  disallow-host-namespaces:
    exclude:
      any:
      {{- if .Values.twistlock.enabled }}
      # Twistlock does its own network monitoring and, by default, runs its Defender pods (twistlock-defender-ds*) with
      # hostNetwork enabled for that purpose. With hostNetwork enabled, Istio sidecar injection is disabled for those
      # pods; if hostNetwork is disabled instead, Twistlock cannot self-monitor. If both Istio sidecar injection and
      # Twistlock monitoring are off there is no network monitoring for Twistlock at all, so keep at least one enabled.
      # Scope note: this exclusion is only a name-prefix plus namespace match, so any pod in the twistlock namespace
      # whose name starts with twistlock-defender-ds bypasses the host-namespace policy. Restrict who can create pods
      # in that namespace accordingly.
      - resources:
          namespaces:
          - twistlock
          names:
          - twistlock-defender-ds*
      {{- end }}
      {{- if .Values.neuvector.enabled }}
      # NeuVector's enforcer pods need host access to inspect node network traffic. The exclusion is only a name-prefix
      # (neuvector-enforcer-pod*) plus namespace match, so any pod with that name prefix in the neuvector namespace
      # bypasses the host-namespace policy; restrict who can create pods in that namespace accordingly.
      - resources:
          namespaces:
          - neuvector
          names:
          - neuvector-enforcer-pod*
      {{- end }}
  {{- end }}

  {{- $nodePortIngressGateways := list }}
  {{- range $name, $values := .Values.istio.ingressGateways }}
  {{- if eq $values.type "NodePort" }}
  {{- $nodePortIngressGateways = append $nodePortIngressGateways $name }}
  {{- end }}
  {{- end }}

  {{- range $name, $values := .Values.istio.values.ingressGateways }}
  {{- if eq (dig "k8s" "service" "type" "LoadBalancer" $values) "NodePort" }}
  {{- $nodePortIngressGateways = append $nodePortIngressGateways $name }}
  {{- end }}
  {{- end }}

  # Istio ingress gateways may be configured as type NodePort (via istio.ingressGateways[].type or
  # istio.values.ingressGateways[].k8s.service.type). Only Services bearing those gateway names in istio-system are
  # excluded below. The exclusion is by name, so a Service that reuses an excluded gateway name in istio-system
  # also escapes this policy; any other NodePort Service is still rejected because the action is enforce.
  disallow-nodeport-services:
    validationFailureAction: enforce
    {{- if $nodePortIngressGateways }}
    exclude:
      any:
      - resources:
          kinds:
          - Service
          names:
          {{- range $name := $nodePortIngressGateways }}
          - {{ $name }}
          {{- end }}
          namespaces:
          - "istio-system"
    {{- end }}