feat: onyx cluster

chart/values.entei.onyx.yaml

@@ -0,0 +1,156 @@
+serviceTree:
+  landscape: &landscape entei
+  cluster: onyx
+
+
+commonExclude:
+  annotaions: &annotationExclude
+    - "*-cleanup-controller-*"
+  labels: &labelExclude
+    - "*-cleanup-controller-*"
+    - "*-silicon-*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+  - kube-system
+  - pichu
+  - pikachu
+  - raichu
+
+kyverno-policies:
+  podSecurityStandard: baseline
+  podSecuritySeverity: medium
+  validationFailureAction: Audit
+  policyExclude:
+    disallow-capabilities:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-namespaces:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-path:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+    disallow-host-ports:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-process:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-privileged-containers:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-proc-mount:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-selinux:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-apparmor-profiles:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-sysctls:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-seccomp:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-privilege-escalation:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+              - "*-otel*"
+              - "*ingress-nginx-controller*"
+              - "*-target-allocator-targetallocator-*"
+    require-run-as-non-root-user:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+              - "*-target-allocator-targetallocator-*"
+    require-run-as-nonroot:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+              - "*-target-allocator-targetallocator-*"
+    restrict-seccomp-strict:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-volume-types:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+policies:
+  requireAtomiCloudAnnotations:
+    exclude:
+      names: *annotationExclude
+
+  requireAtomiCloudLabels:
+    exclude:
+      names: *labelExclude
+
+  checkLandscapeLabel:
+    value: *landscape
+    exclude:
+      names: *labelExclude
+
+  checkLandscapeAnnotation:
+    value: *landscape
+    exclude:
+      names: *annotationExclude
+
+  checkLayerLabel:
+    exclude:
+      names: *labelExclude
+
+  checkLayerAnnotation:
+    exclude:
+      names: *annotationExclude
+
+  checkPlatformLabel:
+    exclude:
+      names: *labelExclude
+
+  checkPlatformAnnotation:
+    exclude:
+      names: *annotationExclude
+
+  requireRequestLimits:
+    exclude:
+      names:
+        - "*-target-allocator-targetallocator-*"

chart/values.pichu.onyx.yaml

@@ -0,0 +1,134 @@
+serviceTree:
+  landscape: &landscape pichu
+  cluster: onyx
+
+commonExclude:
+  annotations: &annotationExclude
+    - "*-cleanup-controller-*"
+  labels: &labelExclude
+    - "*-cleanup-controller-*"
+    - "*-silicon-*"
+    - "tin-livecache*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+  - kube-system
+
+kyverno-policies:
+  podSecurityStandard: baseline
+  podSecuritySeverity: medium
+  validationFailureAction: Audit
+  policyExclude:
+    disallow-capabilities:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-namespaces:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-path:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-container-logs-collector*"
+    disallow-host-ports:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-host-process:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-privileged-containers:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-proc-mount:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-selinux:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-apparmor-profiles:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-sysctls:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-seccomp:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    disallow-privilege-escalation:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+        - resources:
+            namespaces:
+              - sulfoxide
+            names:
+              - "*-otel*"
+    require-run-as-non-root-user:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    require-run-as-nonroot:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-seccomp-strict:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+    restrict-volume-types:
+      any:
+        - resources:
+            namespaces: *globalExcludedNamespace
+
+policies:
+  requireAtomiCloudAnnotations:
+    exclude:
+      names: *annotationExclude
+
+  requireAtomiCloudLabels:
+    exclude:
+      names: *labelExclude
+
+  checkLandscapeLabel:
+    value: *landscape
+    exclude:
+      names: *labelExclude
+
+  checkLandscapeAnnotation:
+    value: *landscape
+    exclude:
+      names: *annotationExclude
+
+  checkLayerLabel:
+    exclude:
+      names: *labelExclude
+
+  checkLayerAnnotation:
+    exclude:
+      names: *annotationExclude
+
+  checkPlatformLabel:
+    exclude:
+      names: *labelExclude
+
+  checkPlatformAnnotation:
+    exclude:
+      names: *annotationExclude
+
+  requireRequestLimits:
+    exclude:
+      names:
+        - "*-target-allocator-targetallocator-*"

chart/values.pichu.opal.yaml

@@ -3,11 +3,12 @@ serviceTree:
   cluster: opal
 
 commonExclude:
-  annotaions: &annotationExclude
+  annotations: &annotationExclude
     - "*-cleanup-controller-*"
   labels: &labelExclude
     - "*-cleanup-controller-*"
     - "*-silicon-*"
+    - "tin-livecache*"
 
 globalExcludedNamespace: &globalExcludedNamespace
   - kube-system

chart/values.pichu.ruby.yaml

@@ -3,11 +3,12 @@ serviceTree:
   cluster: ruby
 
 commonExclude:
-  annotaions: &annotationExclude
+  annotations: &annotationExclude
     - "*-cleanup-controller-*"
   labels: &labelExclude
     - "*-cleanup-controller-*"
     - "*-silicon-*"
+    - "tin-livecache*"
 
 globalExcludedNamespace: &globalExcludedNamespace
   - kube-system