Merge pull request #384 from utilitywarehouse/as-kyverno-canary

add kyverno canary policy and resource for alert
utilitywarehouse · Oct 22, 2024 · e58efd0 · e58efd0
2 parents 03aab87 + 777066e
commit e58efd0
Show file tree

Hide file tree

Showing 8 changed files with 79 additions and 1 deletion.
diff --git a/kyverno/deploy/kyverno-reports-controller-args-patch.yaml b/kyverno/deploy/kyverno-reports-controller-args-patch.yaml
@@ -13,5 +13,4 @@ spec:
             - --policyReports=false
             - --validatingAdmissionPolicyReports=false # Already default, but guarding future changes by explicitly setting
             - -v=0
-            - --backgroundScan=false
           name: controller
diff --git a/kyverno/policies/canary-resource.yaml b/kyverno/policies/canary-resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kyverno-canary-resource
diff --git a/kyverno/policies/canary/canary.yaml b/kyverno/policies/canary/canary.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: canary-resources
+  annotations:
+    policies.kyverno.io/title: Canary rule to detect canary resources
+    policies.kyverno.io/category: Canary
+    policies.kyverno.io/description: >-
+      This is the canary rule which detects canary resources in the cluster.
+      This is to alert on stopped or missing background scan report alerts.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: detect-canary-configmap
+      match:
+        resources:
+          kinds:
+            - ConfigMap
+          names:
+            - kyverno-canary-resource
+      validate:
+        message: "Found kyverno canary configMap in the cluster"
+        deny: {}
diff --git a/kyverno/policies/canary/kustomization.yaml b/kyverno/policies/canary/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - canary.yaml
diff --git a/kyverno/policies/canary/test/kyverno-test.yaml b/kyverno/policies/canary/test/kyverno-test.yaml
@@ -0,0 +1,24 @@
+name: test-canary-rules
+policies:
+  - ../canary.yaml
+resources:
+  - test-canary.yaml
+variables: values.yaml
+results:
+  - policy: canary-resources
+    rule: detect-canary-configmap
+    kind: ConfigMap
+    resource: kyverno-canary-resource
+    result: fail
+
+  - policy: canary-resources
+    rule: detect-canary-configmap
+    kind: ConfigMap
+    resource: argocd-cmd-params-cm
+    result: skip
+
+  - policy: canary-resources
+    rule: detect-canary-configmap
+    kind: ServiceAccount
+    resource: kyverno-canary-resource
+    result: skip
diff --git a/kyverno/policies/canary/test/test-canary.yaml b/kyverno/policies/canary/test/test-canary.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kyverno-canary-resource
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+data:
+  application.namespaces: "*"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kyverno-canary-resource
diff --git a/kyverno/policies/canary/test/values.yaml b/kyverno/policies/canary/test/values.yaml
@@ -0,0 +1,4 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+globalValues:
+  request.operation: UPDATE
diff --git a/kyverno/policies/kustomization.yaml b/kyverno/policies/kustomization.yaml
@@ -2,9 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - argocd/
+  - canary/
   - certificates/
   - ingress/
   - namespaces/
   - pods/
   - serviceaccounts/
   - services/
+
+  - canary-resource.yaml