From 02dfbf8afd122a4ef8f427a7570ede0b5b4f6134 Mon Sep 17 00:00:00 2001 From: QuentinBisson Date: Mon, 8 Jun 2026 12:15:04 +0200 Subject: [PATCH] fix: add Kyverno mutation for kagent declarative agent pod security kagent's upstream sub-agent charts (cilium-policy-agent, promql-agent, etc.) render Agent CRs without securityContext in spec.declarative.deployment. The kagent controller therefore creates Deployments without the fields required by GS restricted-PSS Kyverno policies, which blocks reconciliation. Add a ClusterPolicy that mutates Deployments in the kagent namespace at admission time, adding the four required fields using Kyverno's +(key) anchor (add-if-absent) so existing values on other Deployments in that namespace are not affected. --- .../declarative-agent-pod-security.yaml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 helm/agentic-platform/templates/kagent/declarative-agent-pod-security.yaml diff --git a/helm/agentic-platform/templates/kagent/declarative-agent-pod-security.yaml b/helm/agentic-platform/templates/kagent/declarative-agent-pod-security.yaml new file mode 100644 index 0000000..bd8d650 --- /dev/null +++ b/helm/agentic-platform/templates/kagent/declarative-agent-pod-security.yaml @@ -0,0 +1,44 @@ +{{- if .Values.kagent.enabled }} +{{- $ns := .Values.kagent.namespaceOverride | default "kagent" }} +# kagent's declarative agent sub-charts (e.g. cilium-policy-agent, promql-agent) +# render Agent CRs without podSecurityContext/securityContext in their deployment +# spec, so the Deployments the kagent controller creates from them are blocked by +# GS's Kyverno restricted-PSS policies. This ClusterPolicy mutates those Deployments +# at admission time, adding the required fields only when absent. +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: {{ include "name" . }}-kagent-declarative-pod-security + labels: + {{- include "labels.common" . | nindent 4 }} + annotations: + policies.kyverno.io/title: Kagent declarative agent pod security + policies.kyverno.io/description: >- + Adds restricted-PSS securityContext fields to Deployments created by the + kagent controller in the {{ $ns }} namespace when those fields are absent. +spec: + rules: + - name: add-pod-security-context + match: + any: + - resources: + kinds: [Deployment] + namespaces: [{{ $ns }}] + mutate: + patchStrategicMerge: + spec: + template: + spec: + securityContext: + +(runAsNonRoot): true + +(seccompProfile): + type: RuntimeDefault + containers: + - (name): "?*" + securityContext: + +(allowPrivilegeEscalation): false + +(capabilities): + drop: [ALL] + +(seccompProfile): + type: RuntimeDefault +{{- end }}