Kyverno Policies for Big Bang CI
In Big Bang CI, we are currently working on switching our policy linting from Gatekeeper Rego policies to the policies in this package.
The way it is currently being implemented:
- clone this repository to the CI job container
- template out the `kyverno-policies` chart and write the raw YAML manifests to the container filesystem
- template out the [insert Big Bang package name] chart and pipe the output into `kyverno apply`, pointing it at the directory where the Kyverno policies were written
There are a few modifications that need to be made to the policies in this package for them to work in CI for our use case:
- The `preconditions` field needs to be removed from all of the policies that have it
  - It appears that most of the preconditions are intended to only execute the policies during `CREATE`/`UPDATE` operations on the object/pattern they're supposed to match. We are executing the policies as a pre-install linting operation in CI, so these preconditions prevent the policies from executing when present. We are programmatically deleting that field in all policies that have it.
- The `policies.kyverno.io/scored: "false"` annotation must be added to all policies except the `restrict-image-registries.yaml` policy.
  - When a resource fails a Kyverno policy test with this annotation present, Kyverno will return a `0` exit code and produce a "warn" status with log messages stating what was found, allowing the pipeline to continue running. However, we do not want the `restrict-image-registries.yaml` policy to get the annotation. If that policy is violated (an image that isn't from `registry.dso.mil` or `registry1.dso.mil` is used), then the pipeline should fail.
- `registry.dso.mil` needs to be added to the allowed list of registries. This could be done programmatically as well.
My concerns with doing these operations programmatically:
- It is more difficult to maintain/update if/when there are upstream changes to YAML syntax, annotations, file names, etc., since the code that does these things for us puts us further removed from the syntax of the policies.
- The logic is too dependent on things that could change that other Big Bang developers are unaware of/removed from, making it brittle and potentially prone to bugs that go uncaught.
I think it would be valuable to either:
- Make updates to the existing policy templates to make them easier to consume in CI
- Create/maintain a second copy of the policy templates in a directory such as `chart/templates/bigbang-ci/` that are tailored for Big Bang CI consumption
- Create overrides for all of these values in the chart and add them to `tests/test-values.yaml` as overrides for CI
Thoughts on this?
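As an added example (not part of this issue, the kyverno-policies chart, or Kyverno itself), here is the kind of programmatic rewrite the post describes: a Python script that takes the templated chart output on stdin, strips `preconditions` from every rule, adds the `policies.kyverno.io/scored: "false"` annotation to everything except `restrict-image-registries`, and appends `registry.dso.mil` to that policy's allowed registries before the result is handed to `kyverno apply`. It assumes PyYAML is installed; the `ENFORCED` set, the `prepare_for_ci` and related function names, the two sample policies, and the pipe-separated image pattern used to represent the allow list are assumptions for illustration, not the chart's real structure.

```python
"""Rewrite rendered kyverno-policies manifests so they lint cleanly in CI.

Added example, not Big Bang or Kyverno project code. Assumes PyYAML and a
multi-document YAML stream of ClusterPolicy objects as `helm template`
emits. spec.rules[].preconditions and policies.kyverno.io/scored are
Kyverno's own names; the sample policies below are constructed, and the
pipe-separated image pattern is an assumption about the enforced policy.
"""
import sys
import yaml

SCORED_ANNOTATION = "policies.kyverno.io/scored"
# Policies that must still fail the pipeline when violated (metadata.name).
ENFORCED = {"restrict-image-registries"}


def strip_preconditions(policy):
    """Drop spec.rules[].preconditions (they gate on request.operation being
    CREATE/UPDATE, which never matches a pre-install lint). Returns count."""
    removed = 0
    for rule in policy.get("spec", {}).get("rules", []):
        if rule.pop("preconditions", None) is not None:
            removed += 1
    return removed


def mark_unscored(policy):
    """Annotate scored="false" unless ENFORCED, so a violation produces a
    "warn" and exit code 0 instead of failing the job. Returns True if added."""
    if policy["metadata"]["name"] in ENFORCED:
        return False
    policy["metadata"].setdefault("annotations", {})[SCORED_ANNOTATION] = "false"
    return True


def allow_registry(policy, registry):
    """Append `<registry>/*` to each container image pattern. Assumes the allow
    list is a Kyverno pattern with `|` alternation ("a.io/* | b.io/*")."""
    wanted, changed = f"{registry}/*", 0
    for rule in policy.get("spec", {}).get("rules", []):
        pattern = rule.get("validate", {}).get("pattern", {})
        for container in pattern.get("spec", {}).get("containers", []):
            if "image" not in container:
                continue
            allowed = [p.strip() for p in container["image"].split("|")]
            if wanted not in allowed:
                container["image"] = " | ".join(allowed + [wanted])
                changed += 1
    return changed


def prepare_for_ci(rendered_yaml, registry="registry.dso.mil"):
    """Apply all three CI modifications to a rendered policy stream."""
    policies = [doc for doc in yaml.safe_load_all(rendered_yaml) if doc]
    for policy in policies:
        strip_preconditions(policy)
        mark_unscored(policy)
        if policy["metadata"]["name"] in ENFORCED:
            allow_registry(policy, registry)
    return policies


def dump_policies(policies):
    """Serialise back to a multi-document stream for `kyverno apply`."""
    return yaml.safe_dump_all(policies, sort_keys=False)


# Constructed sample, not real chart output.
SAMPLE = """\
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits
spec:
  validationFailureAction: audit
  rules:
    - name: validate-resources
      match: {any: [{resources: {kinds: [Pod]}}]}
      preconditions:
        all:
          - {key: "{{ request.operation }}", operator: In, value: [CREATE, UPDATE]}
      validate:
        message: "CPU and memory limits are required."
        pattern: {spec: {containers: [{resources: {limits: {memory: "?*"}}}]}}
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: enforce
  rules:
    - name: validate-registries
      match: {any: [{resources: {kinds: [Pod]}}]}
      preconditions:
        all:
          - {key: "{{ request.operation }}", operator: In, value: [CREATE, UPDATE]}
      validate:
        message: "Images must come from an approved registry."
        pattern: {spec: {containers: [{image: "registry1.dso.mil/*"}]}}
"""

if __name__ == "__main__":
    # helm template kyverno-policies chart/ | python3 prepare_ci_policies.py > ci-policies.yaml
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(dump_policies(prepare_for_ci(source)))
```

Write the output into the directory that `kyverno apply` is pointed at, as in the steps above. The `ENFORCED` set is the one place that carries the `restrict-image-registries` exception, which is exactly the upstream file-name dependency the concerns above call brittle; if a script like this is kept, a CI assertion that the annotation is absent from that policy after rewriting is cheap insurance against a silent rename.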