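--- a/argo-cd-apps/base/internal/<FILENAME-NOT-SHOWN>
+++ b/argo-cd-apps/base/internal/<FILENAME-NOT-SHOWN>
@@ -9,3 +9,4 @@ resources:
 - cert-manager
 - konflux-support-ops
 - konflux-devlake
+- policies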
Original file line number Diff line number Diff line change 1+ apiVersion : argoproj.io/v1alpha1
2+ kind : ApplicationSet
3+ metadata :
4+ name : policies
5+ spec :
6+ generators :
7+ - clusters :
8+ values :
9+ sourceRoot : components/policies
10+ environment : " "
11+ template :
12+ metadata :
13+ name : policies-{{nameNormalized}}
14+ spec :
15+ project : default
16+ source :
17+ path : ' {{values.sourceRoot}}/{{values.environment}}'
18+ repoURL : https://github.com/redhat-appstudio/infra-common-deployments.git
19+ targetRevision : main
20+ destination :
21+ namespace : konflux-policies
22+ name : in-cluster
23+ syncPolicy :
24+ automated :
25+ prune : true
26+ selfHeal : true
27+ syncOptions :
28+ - CreateNamespace=true
29+ - ServerSideApply=true
30+ retry :
31+ limit : 50
32+ backoff :
33+ duration : 10s
34+ factor : 2
35+ maxDuration : 3m
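Review bot: `environment` on line 10 is an empty string, so the template path `'{{values.sourceRoot}}/{{values.environment}}'` on line 17 resolves to `components/policies/` for every cluster the generator selects, whereas the only policies kustomization this commit adds appears to sit under `components/policies/internal-staging`. If the value is meant to be supplied per cluster (an overlay patch or a cluster-specific generator values entry), that wiring is not visible in this commit and should be confirmed; otherwise the generated Application points at a directory with no kustomization. Separately, the ApplicationSet syncs cluster-scoped Kyverno ClusterPolicies and aggregated ClusterRoles under `project: default`, which carries Argo CD's unrestricted source and destination allow-lists; if the repo already has a dedicated AppProject for infrastructure apps, using it here would keep a mis-targeted sync from reaching beyond the intended repo and namespace.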
Original file line number Diff line number Diff line change 1+ apiVersion : kustomize.config.k8s.io/v1beta1
2+ kind : Kustomization
3+ resources :
4+ - appset.yaml
Original file line number Diff line number Diff line change 1+ apiVersion : kyverno.io/v1
2+ kind : ClusterPolicy
3+ metadata :
4+ name : block-signing-server-access
5+ status :
6+ conditions :
7+ - reason : Succeeded
8+ status : " True"
9+ type : Ready
10+
Original file line number Diff line number Diff line change 1+ ---
2+ apiVersion : chainsaw.kyverno.io/v1alpha1
3+ kind : Test
4+ metadata :
5+ name : egressfirewall-created-in-all-ns-but-one
6+ spec :
7+ concurrent : false
8+ description : |
9+ Tests that the ClusterPolicy for generating EgressFirewall is
10+ is creating the EgressFirewall in all namespace expect in internal-services.
11+ steps :
12+ - name : setup-crd
13+ try :
14+ - apply :
15+ file : resources/mock-egressfirewall-crd.yaml
16+ - assert :
17+ file : resources/mock-egressfirewall-crd.yaml
18+ - name : setup-permissions
19+ try :
20+ - apply :
21+ file : ../kyverno_rbac.yaml
22+ - name : Apply Kyverno ClusterPolicy and assert it exists
23+ try :
24+ - apply :
25+ file : ../block-signing-server-access.yaml
26+ - assert :
27+ file : chainsaw-assert-clusterpolicy.yaml
28+ - name : create-test-namespace
29+ try :
30+ - apply :
31+ resource :
32+ apiVersion : v1
33+ kind : Namespace
34+ metadata :
35+ name : test-ns
36+ - sleep :
37+ duration : 5s
38+
39+ - name : verify-egress-firewall-created
40+ try :
41+ - assert :
42+ resource :
43+ apiVersion : k8s.ovn.org/v1
44+ kind : EgressFirewall
45+ metadata :
46+ name : default
47+ namespace : test-ns
48+ - name : create-internal-services-namespace
49+ try :
50+ - apply :
51+ resource :
52+ apiVersion : v1
53+ kind : Namespace
54+ metadata :
55+ name : internal-services
56+ - sleep :
57+ duration : 5s
58+ - name : verify-no-egress-firewall-in-internal-services
59+ try :
60+ - script :
61+ content : |
62+ kubectl get egressfirewall default -n internal-services 2>&1 | grep -q "NotFound"
63+ check :
64+ ($error == null) : true
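Review bot: The `verify-egress-firewall-created` assert on lines 41–47 only checks that an EgressFirewall named `default` exists in `test-ns`, not that it carries the Deny entry for `signserver.devel.redhat.com`, so a policy change that generates an empty or Allow-only firewall would still pass the test that is meant to guard this control; add the expected `spec.egress` entry to the assert as shown below. The negative step on lines 58–64 looks for `NotFound` five seconds after the namespace is created, which also passes when Kyverno simply has not generated yet; chainsaw's `error` operation on the same resource, run after the positive step has shown generation works, is the stricter form, and the `sleep` steps before `assert` are redundant because `assert` already polls. The description on lines 9–10 repeats `is` and reads `expect` where `except` is meant.
```yaml
          # … unchanged: apiVersion/kind/metadata of the EgressFirewall assert …
            namespace: test-ns
          spec:
            egress:
              - to:
                  dnsName: signserver.devel.redhat.com
                type: Deny
```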
Original file line number Diff line number Diff line change 1+ apiVersion : apiextensions.k8s.io/v1
2+ kind : CustomResourceDefinition
3+ metadata :
4+ name : egressfirewalls.k8s.ovn.org
5+ spec :
6+ group : k8s.ovn.org
7+ names :
8+ kind : EgressFirewall
9+ listKind : EgressFirewallList
10+ plural : egressfirewalls
11+ singular : egressfirewall
12+ shortNames :
13+ - egressfw
14+ scope : Namespaced
15+ versions :
16+ - name : v1
17+ served : true
18+ storage : true
19+ schema :
20+ openAPIV3Schema :
21+ type : object
22+ properties :
23+ spec :
24+ type : object
25+ properties :
26+ egress :
27+ type : array
28+ items :
29+ type : object
30+ properties :
31+ type :
32+ type : string
33+ enum :
34+ - Allow
35+ - Deny
36+ to :
37+ type : object
38+ properties :
39+ cidrSelector :
40+ type : string
41+ dnsName :
42+ type : string
43+ status :
44+ type : object
45+ x-kubernetes-preserve-unknown-fields : true
46+ subresources :
47+ status : {}
Original file line number Diff line number Diff line change 1+ apiVersion : kyverno.io/v1
2+ kind : ClusterPolicy
3+ metadata :
4+ name : block-signing-server-access
5+ annotations :
6+ policies.kyverno.io/title : Block signing server access
7+ policies.kyverno.io/category : Firewall
8+ policies.kyverno.io/subject : EgressFirewall
9+ policies.kyverno.io/description : >-
10+ This policy automatically generates an EgressFirewall resource in all
11+ namespaces except the 'internal-services' namespace to block access to the signing server.
12+ spec :
13+ background : true
14+ rules :
15+ - name : generate-egress-firewall
16+ match :
17+ any :
18+ - resources :
19+ kinds :
20+ - /v1/Namespace
21+ exclude :
22+ any :
23+ - resources :
24+ namespaces :
25+ - internal-services
26+ generate :
27+ generateExisting : true
28+ apiVersion : k8s.ovn.org/v1
29+ kind : EgressFirewall
30+ name : default
31+ namespace : " {{request.object.metadata.name}}"
32+ synchronize : true
33+ data :
34+ spec :
35+ egress :
36+ - to :
37+ dnsName : signserver.devel.redhat.com
38+ type : Deny
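Review bot: OVN-Kubernetes allows one EgressFirewall per namespace and requires it to be named `default`, which is the name this rule generates on line 30 with `synchronize: true` and `generateExisting: true`, so in any namespace that already carries its own `default` EgressFirewall the generated object collides with it; depending on how the installed Kyverno version treats a pre-existing target, that namespace's existing egress rules are either replaced by this single Deny entry or generation is skipped and the signing server stays reachable from it — confirm the behaviour and consider a precondition or exclusion for such namespaces. The lone `dnsName` Deny on line 37 also relies on OVN's DNS tracking; pairing it with a `cidrSelector` entry for the signing server's address range (value not in this commit) keeps the block in place for connections that do not pass through a tracked resolution. The `policies.kyverno.io/description` annotation could add that the EgressFirewall is re-created if deleted, since that is what `synchronize: true` means for an operator who finds an object they cannot remove.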
Original file line number Diff line number Diff line change 1+ apiVersion : kustomize.config.k8s.io/v1beta1
2+ kind : Kustomization
3+ resources :
4+ - block-signing-server-access.yaml
5+ - kyverno_rbac.yaml
Original file line number Diff line number Diff line change 1+ ---
2+ apiVersion : rbac.authorization.k8s.io/v1
3+ kind : ClusterRole
4+ metadata :
5+ name : kyverno-admission:viewer-egressfirewall
6+ labels :
7+ rbac.kyverno.io/aggregate-to-admission-controller : " true"
8+ rules :
9+ - apiGroups :
10+ - k8s.ovn.org
11+ resources :
12+ - egressfirewalls
13+ verbs :
14+ - list
15+ - get
16+ ---
17+ apiVersion : rbac.authorization.k8s.io/v1
18+ kind : ClusterRole
19+ metadata :
20+ name : kyverno-background:manage-egressfirewall
21+ labels :
22+ rbac.kyverno.io/aggregate-to-background-controller : " true"
23+ rules :
24+ - apiGroups :
25+ - k8s.ovn.org
26+ resources :
27+ - egressfirewalls
28+ verbs :
29+ - create
30+ - get
31+ - list
32+ - delete
33+ - update
Original file line number Diff line number Diff line change 1+ apiVersion : kustomize.config.k8s.io/v1beta1
2+ kind : Kustomization
3+ resources :
4+ - block-signing-server-access