

Remove all Kyverno leftovers
bastjan committed Sep 19, 2024
1 parent f758ae8 commit 31a22ce
Showing 52 changed files with 68 additions and 7,312 deletions.
2 changes: 0 additions & 2 deletions .gitignore
Expand Up @@ -20,5 +20,3 @@

# Additional entries
jsonnetfile.json
tests/kyverno/*/compiled
tools/render/render
1 change: 0 additions & 1 deletion Makefile
Expand Up @@ -12,7 +12,6 @@ SHELL := bash
.SUFFIXES:

include Makefile.vars.mk
include Makefile.kyverno.mk

.PHONY: help
help: ## Show this help
21 changes: 0 additions & 21 deletions Makefile.kyverno.mk

This file was deleted.

4 changes: 0 additions & 4 deletions class/appuio-cloud.yml
Expand Up @@ -13,12 +13,8 @@ parameters:
output_path: apps/
- input_paths:
- appuio-cloud/component/main.jsonnet
- appuio-cloud/component/namespace-policies.jsonnet
- appuio-cloud/component/project-template.jsonnet
- appuio-cloud/component/quota-limitrange.jsonnet
- appuio-cloud/component/namespace-quota.jsonnet
- appuio-cloud/component/build-strategy.jsonnet
- appuio-cloud/component/runonce-activedeadlineseconds.jsonnet
- appuio-cloud/component/monitoring.jsonnet
- appuio-cloud/component/cluster-roles.jsonnet
input_type: jsonnet
21 changes: 0 additions & 21 deletions class/defaults.yml
Expand Up @@ -21,13 +21,6 @@ parameters:

secrets: {}

# Disables Kyverno policies deployed.
# possible values: [usage-profiles]
agent_feature_set: []

# Allows to generically disable a Kyverno ClusterPolicy
disable_kyverno_cluster_policies: []

agent:
replicas: 3
# Customize agent deployment resource requests & limits
Expand Down Expand Up @@ -130,15 +123,12 @@ parameters:
# Roles are not supported for the APPUiO Cloud Agent. Should be left empty.
roles: {}
# In APPUiO Cloud Agent ClusterRoles are only ever matched if they are bound through a ClusterRoleBinding,
# this is different from the behavior of Kyverno.
# This is done to prevent a user from wrongly configuring a low-privileged ClusterRole which users
# can then bind to themselves to bypass the restrictions.
clusterRoles:
cluster-admin: cluster-admin
cluster-image-registry-operator: cluster-image-registry-operator
cluster-node-tuning-operator: cluster-node-tuning-operator
kyverno:generatecontroller: kyverno:generatecontroller
kyverno:policycontroller: kyverno:policycontroller
multus-admission-controller-webhook: multus-admission-controller-webhook
openshift-dns-operator: openshift-dns-operator
openshift-ingress-operator: openshift-ingress-operator
Expand Down Expand Up @@ -197,13 +187,6 @@ parameters:
- kubectl.kubernetes.io/last-applied-configuration
appuioUserDefined: custom.appuio.io/*
runOnceActiveDeadlineSecondsOverride: ${appuio_cloud:runOnceActiveDeadlineSeconds:overrideAnnotationKey}
# If using mutate, Kyverno appends an annotation to debug the mutate patches.
# The annotation is appended in the context of the original requestor.
# Thus we have to whitelist the annotation or the later validation rejects the request.
# This should be safe because:
# - The annotation is only for debugging and not referenced elsewhere.
# - The mutating policies are validated with a validation rule too.
kyvernoMutateLabel: policies.kyverno.io/last-applied-patches
defaultNamespaceNodeSelectorAnnotation: ${appuio_cloud:agent:config:DefaultNamespaceNodeSelectorAnnotation}

maxNamespaceQuota: 25
Expand All @@ -212,7 +195,6 @@ parameters:
generatedResourceQuota:
# See https://kb.vshn.ch/appuio-cloud/references/quality-requirements/performance/resource-quota.html
organization-objects:
synchronize: true
spec:
hard:
count/configmaps: "150"
Expand All @@ -237,7 +219,6 @@ parameters:
rbd-storagepool-cluster.storageclass.storage.k8s.io/requests.storage: 25Gi

organization-compute:
synchronize: true
spec:
hard:
requests.cpu: 4
Expand All @@ -249,7 +230,6 @@ parameters:
- NotTerminating

organization-compute-terminating:
synchronize: true
spec:
hard:
limits.cpu: 4000m
Expand All @@ -262,7 +242,6 @@ parameters:

generatedLimitRange:
name: organization
synchronize: true
limits:
"Container":
min:
2 changes: 1 addition & 1 deletion component/agent.jsonnet
Expand Up @@ -119,7 +119,7 @@ local configMap =
_allowedLabels:: null,

local legacyDefaultResourceQuotas = super._LegacyDefaultResourceQuotas,
LegacyDefaultResourceQuotas: std.foldl(function(prev, k) prev { [k]: legacyDefaultResourceQuotas[k] + legacyDefaultResourceQuotas[k].spec { synchronize:: null, spec:: null } }, std.objectFields(legacyDefaultResourceQuotas), {}),
LegacyDefaultResourceQuotas: std.foldl(function(prev, k) prev { [k]: legacyDefaultResourceQuotas[k] + legacyDefaultResourceQuotas[k].spec { spec:: null } }, std.objectFields(legacyDefaultResourceQuotas), {}),
_LegacyDefaultResourceQuotas:: null,

local legacyDefaultLimitRange = super._LegacyDefaultLimitRange,
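Review bot: Dropping `synchronize:: null` from the spec merge on the rewritten LegacyDefaultResourceQuotas line means a `synchronize` key still present in a downstream hierarchy's `generatedResourceQuota` entries is no longer hidden and ends up in the rendered agent config; this commit only stops setting it in class/defaults.yml, so stale cluster or tenant parameters could still carry it. If such configs are expected during the migration, keeping `{ synchronize:: null, spec:: null }` for one release, or failing loudly with an assert that the key is absent, avoids shipping an unexpected field to the agent. Whether the agent tolerates unknown keys in that config is not visible in this hunk. The enclosing `local configMap =` starts outside the hunk.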
85 changes: 0 additions & 85 deletions component/common.libsonnet
Expand Up @@ -13,96 +13,11 @@ local defaultLabels = {
},
};

local orgLabelSelector = {
matchExpressions: [
{
key: 'appuio.io/organization',
operator: 'Exists',
},
],
};

local flattenSet(set) = std.flatMap(function(s)
if std.isArray(set[s]) then set[s] else [ set[s] ],
std.objectFields(std.prune(set)));


local ifNotEmpty(key, array) = if std.length(array) > 0 then [ { [key]: array } ] else [];
/**
* bypassNamespaceRestrictionsSubjects returns an object containing the configured roles and subjects
* allowed to bypass restrictions.
*/
local bypassNamespaceRestrictionsSubjects() =
local bypass = params.bypassNamespaceRestrictions;
{
any:
ifNotEmpty('clusterRoles', flattenSet(bypass.clusterRoles)) +
ifNotEmpty('roles', flattenSet(bypass.roles)) +
ifNotEmpty('subjects', flattenSet(bypass.subjects)),
};

local matchKinds(selector=null, names=null, match='all', kinds) = {
[match]+: [ {
resources+: std.prune({
kinds+: kinds,
selector+: selector,
names+: names,
}),
} ],
};

local matchNamespaces(selector=null, names=null, match='all') = matchKinds(selector, names, match, kinds=[ 'Namespace' ]);

local matchProjectRequests(selector=null, names=null, match='all') = matchKinds(selector, names, match, kinds=[ 'ProjectRequest' ]);

local matchRoleBindings(selector=null, names=null, match='all') = matchKinds(selector, names, match, kinds=[ 'rbac.authorization.k8s.io/v1/RoleBinding' ]);

local matchOrgNamespaces = matchNamespaces(selector=orgLabelSelector);

local matchNamespacesAndProjectRequests(selector=null, names=null, match='all') =
matchKinds(selector, names, match, kinds=[ 'Namespace', 'ProjectRequest' ]);

local kyvernoPatternToRegex = function(pattern)
'^%s$' % std.strReplace(std.strReplace(pattern, '?', '.'), '*', '.*');

local jsonnetFile(filename) =
local parts = std.split(filename, '/');
local pcount = std.length(parts);
'%s/%s' % [ parts[pcount - 2], parts[pcount - 1] ];


local agentFeatureEnabled(name) =
local knownFeatures = [ 'usage-profiles' ];
assert std.member(knownFeatures, name) : 'Unknown agent feature "%s"' % name;
std.member(params.agent_feature_set, name);

local disabledPolicies = std.prune(params.disable_kyverno_cluster_policies);

local removeDisabledPolicies = function(policies)
{
[p]: policies[p]
for p in std.filter(
function(pk)
local policy = policies[pk];
!std.isObject(policy) || policy.apiVersion != 'kyverno.io/v1' || policy.kind != 'ClusterPolicy' || std.length(std.find(policy.metadata.name, disabledPolicies)) == 0,
std.objectFields(policies)
)
};

{
// Remove disabled Kyverno policies
// Takes a dict with kubernetes resources and removes kyverno.io/v1.ClusterPolicy manifests that are disabled
RemoveDisabledPolicies: removeDisabledPolicies,
// AgentFeatureEnabled returns true if the given feature is enabled.
AgentFeatureEnabled: agentFeatureEnabled,
DefaultLabels: defaultLabels,
FlattenSet: flattenSet,
BypassNamespaceRestrictionsSubjects: bypassNamespaceRestrictionsSubjects,
MatchNamespaces: matchNamespaces,
MatchNamespacesAndProjectRequests: matchNamespacesAndProjectRequests,
MatchOrgNamespaces: matchOrgNamespaces,
MatchProjectRequests: matchProjectRequests,
MatchRoleBindings: matchRoleBindings,
KyvernoPatternToRegex: kyvernoPatternToRegex,
JsonnetFile: jsonnetFile,
}
