UNCLASSIFIED - NO CUI

Commit e6de51b1 authored by Micah Nagel

Merge branch 'kyverno-docs' into 'master'

Kyverno docs

Closes #1129

See merge request platform-one/big-bang/bigbang!1551
Parents: d6608be4 39dba627
......@@ -151,7 +151,9 @@ Owners:
### Policy Enforcement
The Policy Enforcement Package installs the Open Policy Agent Gatekeeper [Operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/).
Policy Enforcement is done in Big Bang by either Open Policy Agent Gatekeeper (OPA Gatekeeper for short) or Kyverno.
#### OPA Gatekeeper
Product:
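Review bot: the replacement sentence "Policy Enforcement is done in Big Bang by either Open Policy Agent Gatekeeper ... or Kyverno" drops the information the removed sentence carried (what the package actually installs) without saying which engine Big Bang deploys by default or whether both can be enabled at the same time; add one sentence stating the default and whether the two are mutually exclusive, since the rest of this section now branches into separate "#### OPA Gatekeeper" and "#### Kyverno" subsections.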
......@@ -168,6 +170,24 @@ Owners:
* [CODEOWNERS](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/blob/main/CODEOWNERS)
#### Kyverno
Product:
* [Kyverno](https://github.com/kyverno/kyverno)
* [Kyverno Policy Reporter](https://github.com/kyverno/policy-reporter)
Repository:
* [Kyverno](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno)
* [Kyverno Policies](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies)
Dependencies: None
Owners:
* [CODEOWNERS](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/blob/main/CODEOWNERS)
### Monitoring
Monitoring is provided by Prometheus, Grafana and Thanos.
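Review bot: "Dependencies: None" contradicts the new kyverno.md added in this same commit, which states that kyverno is a dependency of kyvernopolicies; since Kyverno Policies is listed under Repository here, record that relationship (for example "Dependencies: kyverno-policies requires kyverno") instead of None. Separately, the Owners bullet links the CODEOWNERS file of `apps/core/policy` (the Gatekeeper repository) while both Kyverno repositories live under `apps/sandbox/`; point it at the Kyverno repositories' own CODEOWNERS or confirm that ownership is intentionally shared.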
......
# Kyverno
## Overview
Kyverno is a policy engine designed for Kubernetes, where policies are managed as Kubernetes resources rather than with some domain-specific language. Kyverno policies can be managed by kubectl, git, and kustomize just like app deployments. Kyverno policies can validate, mutate, and generate Kubernetes resources plus ensure OCI image supply chain security, among other things.
## Big Bang Touch Points
### Architecture:
- [How Kyverno works](https://kyverno.io/docs/introduction/#how-kyverno-works)
### Storage
Data from Kyverno is not stored by the app directly, it is stored as objects in the Kubernetes API.
### Istio Configuration
When deploying to k3d, istio-system should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations. This can be done by modifying `chart/values.yaml` file or passing an override file with the values set as seen below. This is for development purposes only: production should not allow containers in the `istio-system` namespace to be pulled from outside of Registry1.
```yaml
kyvernopolicies:
values:
exclude:
any:
# Allows k3d load balancer to bypass policies.
- resources:
namespaces:
- istio-system
names:
- svclb-*
```
## High Availability
High availability is accomplished by increasing the replicas in the values file of this helm chart. The recommended replica counts for HA is at least 3 which is enabled by default in BigBang chart.
```yaml
kyverno:
values:
replicaCount: 3
```
## Single Sign on (SSO)
None. This service doesn't have a web interface.
## Licencing
[Apache 2.0 License](https://github.com/kyverno/kyverno/blob/main/LICENSE)
## Dependencies
kyverno is a dependency of kyvernopolicies. KyvernoPolicies is a collection of Kyverno security and best-practice policies for Kyverno
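Review bot: in "Istio Configuration" the prose and the snippet disagree: the text says istio-system "should be added from `excludedNamespaces` under the `allowedDockerRegistries` violations", but the YAML shows a generic `kyvernopolicies.values.exclude.any` filter matching resources named `svclb-*` in the `istio-system` namespace, not an `excludedNamespaces` setting of a specific policy; fix "added from" to "added to" and either make the snippet use the setting the prose names or describe what the shown `exclude` block does (skip the k3d load balancer services). Smaller points in the same file: "## Licencing" should be "## Licensing" to match the licensing doc edited in this commit; "The recommended replica counts for HA is at least 3 which is enabled by default in BigBang chart" should read "The recommended replica count for HA is at least 3, which is enabled by default in the Big Bang chart"; the Dependencies paragraph is missing its final period; and the "Single Sign on (SSO)" heading should be "Single Sign-On (SSO)".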
No preview for this file type
......@@ -43,6 +43,7 @@ Licensing of products deployable by BigBang are not covered by the BigBang team.
|-----------------------------------------------------------------------|---------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| FluxCD | GitOps (Prerequisite App) | Apache License 2.0 (Free/OSS) | |
| Open Policy Agent Gatekeeper | Policy Enforcement (Core App) | Apache License 2.0 (Free/OSS) | * [Styra](https://www.openpolicyagent.org/support) is the original creator of OPA and can offer commercial support. |
| Kyverno | Policy Enforcement (Core App) | Apache License 2.0 (Free/OSS) | * Kyverno is a fully open-source product, however there are [multiple companies](https://kyverno.io/support/) which provide paid support services for it. |
| Istio Controlplane, Istio Operator, and Kiali | Service Mesh, Operator, and Service Mesh Dashboard (Core App) | Apache License 2.0 (Free/OSS) | * [Tetrate](https://www.tetrate.io/) is an Istio Vendor that can offer commercial support. |
| Jaeger | APM (Application Performance Monitoring) / Tracing (Core App) | Apache License 2.0 (Free/OSS) | |
| Prometheus Operator Stack (Prometheus, Grafana, AlertManager, etc.) | Metrics, Metrics Dashboard, and Alerts (Core App) | Apache License 2.0 [Future versions will move to GNU Affero GPL v3](https://grafana.com/blog/2021/04/20/grafana-loki-tempo-relicensing-to-agplv3/) (Free/OSS) | |
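Review bot: the new Kyverno row is labelled "Policy Enforcement (Core App)", but the package-architecture hunk in this same commit places both Kyverno repositories under `apps/sandbox/`; label it consistently with its sandbox status or confirm in the merge request that the package has been promoted to core before this lands. The support-column text otherwise matches the style of the Gatekeeper row above it.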
......