feat: WIP flags to audit/enforce mode on policies and enable disable …

…policy installation
sighupio · Jan 16, 2024 · 5dd986a · 5dd986a
1 parent 45861b1
commit 5dd986a
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/defaults/onpremises-kfd-v1alpha2.yaml b/defaults/onpremises-kfd-v1alpha2.yaml
@@ -205,6 +205,8 @@ data:
       kyverno:
         # this configuration adds namespaces to the excluded list, actually whitelisting them
         additionalExcludedNamespaces: []
+        validationFailureAction: enforce
+        installDefaultPolicies: true
     # dr module configuration
     dr:
       type: none

diff --git a/kfd.yaml b/kfd.yaml
@@ -10,7 +10,7 @@ modules:
   ingress: v2.2.0
   logging: v3.3.1
   monitoring: v3.0.1
-  opa: v1.11.0
+  opa: v1.11.1-rc.0
   networking: v1.15.0
   tracing: v1.0.2
 kubernetes:

diff --git a/schemas/public/onpremises-kfd-v1alpha2.json b/schemas/public/onpremises-kfd-v1alpha2.json
@@ -1284,10 +1284,18 @@
             "type": "string"
           }
         },
+        "validationFailureAction": {
+          "type": "string",
+          "enum": ["audit", "enforce"]
+        },
+        "installDefaultPolicies": {
+          "type": "boolean"
+        },
         "overrides": {
           "$ref": "#/$defs/Types.FuryModuleComponentOverrides"
         }
-      }
+      },
+      "required": ["validationFailureAction", "installDefaultPolicies"]
     },
     "Spec.Distribution.Modules.Dr": {
       "type": "object",

diff --git a/templates/distribution/manifests/opa/kustomization.yaml.tpl b/templates/distribution/manifests/opa/kustomization.yaml.tpl
@@ -17,7 +17,10 @@ resources:
 {{- end }}
 {{- end }}
 {{- if eq .spec.distribution.modules.policy.type "kyverno" }}
-  - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/opa/katalog/kyverno" }}
+  - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/opa/katalog/kyverno/core" }}
+{{- if .spec.distribution.modules.policy.kyverno.installDefaultPolicies }}
+  - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/opa/katalog/kyverno/policies" }}
+{{- end }}
 {{- end }}
 
 patchesStrategicMerge:
@@ -26,6 +29,17 @@ patchesStrategicMerge:
   - patches/kyverno-whitelist-namespace.yml
 {{- end }}
 
+
+{{- if .spec.distribution.modules.policy.kyverno.installDefaultPolicies }}
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/validationFailureAction
+        value: {{ .spec.distribution.modules.policy.kyverno.validationFailureAction }}
+    target:
+      kind: ClusterPolicy
+{{- end }}
+
 {{ if .spec.distribution.modules.policy.gatekeeper.additionalExcludedNamespaces }}
 patchesJson6902:
   - target: