diff --git a/charter/BigBangPackages.md b/charter/BigBangPackages.md index 7f5b7e9939fd2b30c0827f7c4b913d8a7f482751..bf08093e781945902e2fcf060eff30f5040b3a3f 100644 --- a/charter/BigBangPackages.md +++ b/charter/BigBangPackages.md @@ -151,7 +151,9 @@ Owners: ### Policy Enforcement -The Policy Enforcement Package installs the Open Policy Agent Gatekeeper [Operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/). +Policy Enforcement is done in Big Bang by either Open Policy Agent Gatekeeper (OPA Gatekeeper for short) or Kyverno. + +#### OPA Gatekeeper Product: @@ -168,6 +170,24 @@ Owners: * [CODEOWNERS](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/blob/main/CODEOWNERS) +#### Kyverno + +Product: + +* [Kyverno](https://github.com/kyverno/kyverno) +* [Kyverno Policy Reporter](https://github.com/kyverno/policy-reporter) + +Repository: + +* [Kyverno](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno) +* [Kyverno Policies](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies) + +Dependencies: None + +Owners: + +* [CODEOWNERS](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/blob/main/CODEOWNERS) + ### Monitoring Monitoring is provided by Prometheus, Grafana and Thanos. diff --git a/charter/packages/kyverno/Architecture.md b/charter/packages/kyverno/Architecture.md new file mode 100644 index 0000000000000000000000000000000000000000..1f3f74c2690086fcb504f53712a4ef5d849de6ab --- /dev/null +++ b/charter/packages/kyverno/Architecture.md 
@@ -0,0 +1,53 @@ +# Kyverno + +## Overview + +Kyverno is a policy engine designed for Kubernetes, where policies are managed as Kubernetes resources rather than with some domain-specific language. Kyverno policies can be managed by kubectl, git, and kustomize just like app deployments. Kyverno policies can validate, mutate, and generate Kubernetes resources plus ensure OCI image supply chain security, among other things. + +## Big Bang Touch Points + +### Architecture: +- [How Kyverno works](https://kyverno.io/docs/introduction/#how-kyverno-works) + +### Storage + +Data from Kyverno is not stored by the app directly, it is stored as objects in the Kubernetes API. + +### Istio Configuration + +When deploying to k3d, istio-system should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations. This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1. + +```yaml +kyvernopolicies: + values: + exclude: + any: + # Allows k3d load balancer to bypass policies. + - resources: + namespaces: + - istio-system + names: + - svclb-* +``` + +## High Availability + +High availability is accomplished by increasing the replicas in the values file of this helm chart. The recommended replica counts for HA is at least 3 which is enabled by default in BigBang chart. + +```yaml +kyverno: + values: + replicaCount: 3 +``` + +## Single Sign on (SSO) + +None. This service doesn't have a web interface. + +## Licencing + +[Apache 2.0 License](https://github.com/kyverno/kyverno/blob/main/LICENSE) + +## Dependencies + +kyverno is a dependency of kyvernopolicies. KyvernoPolicies is a collection of Kyverno security and best-practice policies for Kyverno 
diff --git a/docs/guides/prerequisites/minimum_hardware_requirements.xlsx b/docs/guides/prerequisites/minimum_hardware_requirements.xlsx index b616db38a16421279cc153cc88ac34d8c03fa0ff..ebd2f2a25b7662aee2c778cd7cf6122d48883a50 100644 Binary files a/docs/guides/prerequisites/minimum_hardware_requirements.xlsx and b/docs/guides/prerequisites/minimum_hardware_requirements.xlsx differ diff --git a/docs/understanding_bigbang/licensing_expectations.md b/docs/understanding_bigbang/licensing_expectations.md index bc83001735fe9c2583348617cd207075a2932961..ca331e600493304467fed265256fca9e45459725 100644 --- a/docs/understanding_bigbang/licensing_expectations.md +++ b/docs/understanding_bigbang/licensing_expectations.md 
@@ -43,6 +43,7 @@ Licensing of products deployable by BigBang are not covered by the BigBang team. |-----------------------------------------------------------------------|---------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | FluxCD | GitOps (Prerequisite App) | Apache License 2.0 (Free/OSS) | | | Open Policy Agent Gatekeeper | Policy Enforcement (Core App) | Apache License 2.0 (Free/OSS) | * [Styra](https://www.openpolicyagent.org/support) is the original creator of OPA and can offer commercial support. | +| Kyverno | Policy Enforcement (Core App) | Apache License 2.0 (Free/OSS) | * Kyverno is a fully open-source product, however there are [multiple companies](https://kyverno.io/support/) which provide paid support services for it. 
| | Istio Controlplane, Istio Operator, and Kiali | Service Mesh, Operator, and Service Mesh Dashboard (Core App) | Apache License 2.0 (Free/OSS) | * [Tetrate](https://www.tetrate.io/) is an Istio Vendor that can offer commercial support. | | Jaeger | APM (Application Performance Monitoring) / Tracing (Core App) | Apache License 2.0 (Free/OSS) | | | Prometheus Operator Stack (Prometheus, Grafana, AlertManager, etc.) | Metrics, Metrics Dashboard, and Alerts (Core App) | Apache License 2.0 [Future versions will move to GNU Affero GPL v3](https://grafana.com/blog/2021/04/20/grafana-loki-tempo-relicensing-to-agplv3/) (Free/OSS) | |
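Review bot: in the first hunk of charter/BigBangPackages.md (@@ -151,7), the new sentence "Policy Enforcement is done in Big Bang by either Open Policy Agent Gatekeeper (OPA Gatekeeper for short) or Kyverno." leaves open whether the two engines can be enabled together and which one Big Bang enables by default, and it drops the removed line's point that Gatekeeper is installed as an Operator. Suggest one sentence stating the default and whether running both is supported, and keeping the Operator link under the new "#### OPA Gatekeeper" heading.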
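Review bot: in the "#### Kyverno" hunk of charter/BigBangPackages.md (@@ -168,6), the Owners entry links to the Gatekeeper repository's CODEOWNERS (`.../apps/core/policy/-/blob/main/CODEOWNERS`) while the Repository entries point at `apps/sandbox/kyverno` and `apps/sandbox/kyverno-policies`; the link should point at the Kyverno repositories' own CODEOWNERS files. "Dependencies: None" is also inconsistent with the new Architecture.md in this same patch, which states that kyverno is a dependency of kyvernopolicies; list that dependency here.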
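Review bot: in the "### Istio Configuration" section of the new charter/packages/kyverno/Architecture.md, the prose and the YAML describe different things: the text says istio-system "should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations", but the snippet sets a top-level `kyvernopolicies.values.exclude.any` match on namespace `istio-system` and names `svclb-*`, which, if the chart applies that value to every policy, exempts those resources from all checks rather than only the registry check. Reword the sentence (e.g. "added to `excludedNamespaces` of the `allowedDockerRegistries` policy") and make the snippet match it, or state explicitly that the exclusion is policy-wide and why that is acceptable for k3d. Smaller points in the same file: "## Licencing" should be "Licensing" (matching docs/understanding_bigbang/licensing_expectations.md), "### Architecture:" carries a trailing colon the other headings lack, and the final line ("kyverno is a dependency of kyvernopolicies. KyvernoPolicies is ... for Kyverno") starts lowercase and ends without a period.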
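Review bot: the change to docs/guides/prerequisites/minimum_hardware_requirements.xlsx is a binary diff that cannot be reviewed here; please state in the merge request description which rows or values changed so the sizing change is recorded alongside the new package.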
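Review bot: in the docs/understanding_bigbang/licensing_expectations.md hunk, the new Kyverno row classifies it as "Policy Enforcement (Core App)" while charter/BigBangPackages.md in the same patch lists its repositories under `apps/sandbox/`; pick one classification (core or sandbox) and use it in both files. The support cell also reads "...fully open-source product, however there are [multiple companies](https://kyverno.io/support/) which provide paid support services for it.", a comma splice; suggest "...fully open-source product; [multiple companies](https://kyverno.io/support/) offer paid support for it."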