feat: ruby values
kirinnee committed Nov 18, 2023
1 parent 831fc7b commit 37668bb
Showing 4 changed files with 555 additions and 0 deletions.
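--- a/chart/values.entei.ruby.yaml
+++ b/chart/values.entei.ruby.yaml
@@ -0,0 +1,156 @@
+serviceTree:
+landscape: &landscape entei
+cluster: ruby
+
+
+commonExclude:
+annotaions: &annotationExclude
+- "*-cleanup-controller-*"
+labels: &labelExclude
+- "*-cleanup-controller-*"
+- "*-silicon-*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+- kube-system
+- pichu
+- pikachu
+- raichu
+
+kyverno-policies:
+podSecurityStandard: baseline
+podSecuritySeverity: medium
+validationFailureAction: Audit
+policyExclude:
+disallow-capabilities:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-host-namespaces:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-host-path:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+- resources:
+namespaces:
+- sulfoxide
+names:
+- "*-container-logs-collector*"
+disallow-host-ports:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-host-process:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-privileged-containers:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-proc-mount:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-selinux:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-apparmor-profiles:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-sysctls:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-seccomp:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-privilege-escalation:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+- resources:
+namespaces:
+- sulfoxide
+names:
+- "*-container-logs-collector*"
+- "*-otel*"
+- "*ingress-nginx-controller*"
+- "*-target-allocator-targetallocator-*"
+require-run-as-non-root-user:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+- resources:
+namespaces:
+- sulfoxide
+names:
+- "*-container-logs-collector*"
+- "*-target-allocator-targetallocator-*"
+require-run-as-nonroot:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+- resources:
+namespaces:
+- sulfoxide
+names:
+- "*-container-logs-collector*"
+- "*-target-allocator-targetallocator-*"
+restrict-seccomp-strict:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-volume-types:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+- resources:
+namespaces:
+- sulfoxide
+names:
+- "*-container-logs-collector*"
+policies:
+requireAtomiCloudAnnotations:
+exclude:
+names: *annotationExclude
+
+requireAtomiCloudLabels:
+exclude:
+names: *labelExclude
+
+checkLandscapeLabel:
+value: *landscape
+exclude:
+names: *labelExclude
+
+checkLandscapeAnnotation:
+value: *landscape
+exclude:
+names: *annotationExclude
+
+checkLayerLabel:
+exclude:
+names: *labelExclude
+
+checkLayerAnnotation:
+exclude:
+names: *annotationExclude
+
+checkPlatformLabel:
+exclude:
+names: *labelExclude
+
+checkPlatformAnnotation:
+exclude:
+names: *annotationExclude
+
+requireRequestLimits:
+exclude:
+names:
+- "*-target-allocator-targetallocator-*"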
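Review bot: The key `annotaions:` under `commonExclude` is misspelled, here and at the same position in chart/values.pichu.ruby.yaml; the `&annotationExclude` anchor still resolves so the `policies.*.exclude.names` aliases work, but anything that reads `commonExclude.annotations` directly would silently get nothing, so rename it to `annotations: &annotationExclude`. `validationFailureAction: Audit` presumably puts every generated pod-security policy in report-only mode, so none of the `policyExclude` entries actually block anything yet; if that is the intended rollout stage, a comment such as `# Audit-only rollout; change to Enforce once the exclusions below are confirmed` above it would stop the next reader from assuming enforcement. The `sulfoxide` name exclusions are substring globs (`*-otel*`, `*ingress-nginx-controller*`, `*-container-logs-collector*`), so any pod in that namespace whose name contains the pattern inherits the exemption from disallow-privilege-escalation or the run-as-non-root checks; a short comment per glob naming the workload it is meant for would make later tightening possible. The rendered page has dropped the file's indentation, so nesting (for example whether `policies:` is a sibling of `kyverno-policies:`) cannot be verified from this view.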
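--- a/chart/values.pichu.ruby.yaml
+++ b/chart/values.pichu.ruby.yaml
@@ -0,0 +1,133 @@
+serviceTree:
+landscape: &landscape pichu
+cluster: ruby
+
+commonExclude:
+annotaions: &annotationExclude
+- "*-cleanup-controller-*"
+labels: &labelExclude
+- "*-cleanup-controller-*"
+- "*-silicon-*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+- kube-system
+
+kyverno-policies:
+podSecurityStandard: baseline
+podSecuritySeverity: medium
+validationFailureAction: Audit
+policyExclude:
+disallow-capabilities:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-host-namespaces:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-host-path:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+- resources:
+namespaces:
+- sulfoxide
+names:
+- "*-container-logs-collector*"
+disallow-host-ports:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-host-process:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-privileged-containers:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-proc-mount:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-selinux:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-apparmor-profiles:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-sysctls:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-seccomp:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+disallow-privilege-escalation:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+- resources:
+namespaces:
+- sulfoxide
+names:
+- "*-otel*"
+require-run-as-non-root-user:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+require-run-as-nonroot:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-seccomp-strict:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+restrict-volume-types:
+any:
+- resources:
+namespaces: *globalExcludedNamespace
+
+policies:
+requireAtomiCloudAnnotations:
+exclude:
+names: *annotationExclude
+
+requireAtomiCloudLabels:
+exclude:
+names: *labelExclude
+
+checkLandscapeLabel:
+value: *landscape
+exclude:
+names: *labelExclude
+
+checkLandscapeAnnotation:
+value: *landscape
+exclude:
+names: *annotationExclude
+
+checkLayerLabel:
+exclude:
+names: *labelExclude
+
+checkLayerAnnotation:
+exclude:
+names: *annotationExclude
+
+checkPlatformLabel:
+exclude:
+names: *labelExclude
+
+checkPlatformAnnotation:
+exclude:
+names: *annotationExclude
+
+requireRequestLimits:
+exclude:
+names:
+- "*-target-allocator-targetallocator-*"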
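Review bot: This file repeats the whole `kyverno-policies.policyExclude` and `policies` blocks from chart/values.entei.ruby.yaml, with only `landscape`, `globalExcludedNamespace` and a handful of `sulfoxide` name globs differing, so every future policy change has to be applied to each `values.<landscape>.ruby.yaml` and the files will drift. If the chart is installed with layered values (`-f values.yaml -f values.pichu.ruby.yaml`), the shared exclusions could live in the common file and this one keep only the per-landscape overrides; I cannot tell from the diff whether that layering exists. Within this file, `disallow-host-path` exempts `*-container-logs-collector*` in `sulfoxide` while `require-run-as-non-root-user` and `disallow-privilege-escalation` do not, which differs from the entei values; a one-line comment confirming that asymmetry is intentional (or aligning the two) would help whoever next reviews the exemptions.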