diff --git a/chart/values.pichu.amber.yaml b/chart/values.pichu.amber.yaml
new file mode 100644
index 0000000..9e7aa93
--- /dev/null
+++ b/chart/values.pichu.amber.yaml
@@ -0,0 +1,134 @@
+serviceTree:
+ landscape: &landscape pichu
+ cluster: amber
+
+commonExclude:
+ annotations: &annotationExclude
+ - "*-cleanup-controller-*"
+ labels: &labelExclude
+ - "*-cleanup-controller-*"
+ - "*-silicon-*"
+ - "tin-livecache*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+ - kube-system
+
+kyverno-policies:
+ podSecurityStandard: baseline
+ podSecuritySeverity: medium
+ validationFailureAction: Audit
+ policyExclude:
+ disallow-capabilities:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-namespaces:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-path:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-container-logs-collector*"
+ disallow-host-ports:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-process:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privileged-containers:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-proc-mount:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-selinux:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-apparmor-profiles:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-sysctls:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privilege-escalation:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-otel*"
+ require-run-as-non-root-user:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ require-run-as-nonroot:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp-strict:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-volume-types:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+
+policies:
+ requireAtomiCloudAnnotations:
+ exclude:
+ names: *annotationExclude
+
+ requireAtomiCloudLabels:
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeLabel:
+ value: *landscape
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeAnnotation:
+ value: *landscape
+ exclude:
+ names: *annotationExclude
+
+ checkLayerLabel:
+ exclude:
+ names: *labelExclude
+
+ checkLayerAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ checkPlatformLabel:
+ exclude:
+ names: *labelExclude
+
+ checkPlatformAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ requireRequestLimits:
+ exclude:
+ names:
+ - "*-target-allocator-targetallocator-*"
diff --git a/chart/values.pichu.topaz.yaml b/chart/values.pichu.topaz.yaml
new file mode 100644
index 0000000..1161977
--- /dev/null
+++ b/chart/values.pichu.topaz.yaml
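Review bot: `validationFailureAction: Audit` puts the whole pod-security set in report-only mode, so nothing in this file blocks a pod today and the named `policyExclude` entries (host-path for `*-container-logs-collector*`, privilege escalation for `*-otel*`, both in `sulfoxide`) are currently inert — yet they become standing bypasses the moment the value is flipped to `Enforce`. The file carries no explanation of the intended promotion path or of why each exemption exists, which is what a reviewer of the later flip will need. I would add, above `validationFailureAction`, `# Audit: violations only surface in PolicyReports; switch to Enforce once the sulfoxide exemptions below have been re-reviewed`, and a one-line reason next to each named exemption.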
@@ -0,0 +1,134 @@
+serviceTree:
+ landscape: &landscape pichu
+ cluster: topaz
+
+commonExclude:
+ annotations: &annotationExclude
+ - "*-cleanup-controller-*"
+ labels: &labelExclude
+ - "*-cleanup-controller-*"
+ - "*-silicon-*"
+ - "tin-livecache*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+ - kube-system
+
+kyverno-policies:
+ podSecurityStandard: baseline
+ podSecuritySeverity: medium
+ validationFailureAction: Audit
+ policyExclude:
+ disallow-capabilities:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-namespaces:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-path:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-container-logs-collector*"
+ disallow-host-ports:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-process:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privileged-containers:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-proc-mount:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-selinux:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-apparmor-profiles:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-sysctls:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privilege-escalation:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-otel*"
+ require-run-as-non-root-user:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ require-run-as-nonroot:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp-strict:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-volume-types:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+
+policies:
+ requireAtomiCloudAnnotations:
+ exclude:
+ names: *annotationExclude
+
+ requireAtomiCloudLabels:
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeLabel:
+ value: *landscape
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeAnnotation:
+ value: *landscape
+ exclude:
+ names: *annotationExclude
+
+ checkLayerLabel:
+ exclude:
+ names: *labelExclude
+
+ checkLayerAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ checkPlatformLabel:
+ exclude:
+ names: *labelExclude
+
+ checkPlatformAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ requireRequestLimits:
+ exclude:
+ names:
+ - "*-target-allocator-targetallocator-*"
diff --git a/chart/values.pikachu.amber.yaml b/chart/values.pikachu.amber.yaml
new file mode 100644
index 0000000..cf0440a
--- /dev/null
+++ b/chart/values.pikachu.amber.yaml
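Review bot: The `disallow-privilege-escalation` exemption for `sulfoxide` matches by the name glob `*-otel*`, which fits any pod in that namespace whose name contains `-otel` — not only the collector it is presumably meant for — so anything able to create pods in `sulfoxide` can opt out of the check by choosing a name. Presumably this value is passed through to the Kyverno rule's `exclude` block; if so, a glob anchored on the workload's full name prefix, or a label `selector` next to `names`, would narrow it considerably. At minimum a comment stating which workload needs `allowPrivilegeEscalation` and why, e.g. `# otel collector: needs allowPrivilegeEscalation for <reason> — see <ticket>`, would make the exemption reviewable.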
@@ -0,0 +1,134 @@
+serviceTree:
+ landscape: &landscape pikachu
+ cluster: amber
+
+
+commonExclude:
+ annotations: &annotationExclude
+ - "*-cleanup-controller-*"
+ labels: &labelExclude
+ - "*-cleanup-controller-*"
+ - "tin-livecache*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+ - kube-system
+
+kyverno-policies:
+ podSecurityStandard: baseline
+ podSecuritySeverity: medium
+ validationFailureAction: Audit
+ policyExclude:
+ disallow-capabilities:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-namespaces:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-path:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-container-logs-collector*"
+ disallow-host-ports:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-process:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privileged-containers:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-proc-mount:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-selinux:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-apparmor-profiles:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-sysctls:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privilege-escalation:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-otel*"
+ require-run-as-non-root-user:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ require-run-as-nonroot:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp-strict:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-volume-types:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+
+policies:
+ requireAtomiCloudAnnotations:
+ exclude:
+ names: *annotationExclude
+
+ requireAtomiCloudLabels:
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeLabel:
+ value: *landscape
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeAnnotation:
+ value: *landscape
+ exclude:
+ names: *annotationExclude
+
+ checkLayerLabel:
+ exclude:
+ names: *labelExclude
+
+ checkLayerAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ checkPlatformLabel:
+ exclude:
+ names: *labelExclude
+
+ checkPlatformAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ requireRequestLimits:
+ exclude:
+ names:
+ - "*-target-allocator-targetallocator-*"
diff --git a/chart/values.pikachu.topaz.yaml b/chart/values.pikachu.topaz.yaml
new file mode 100644
index 0000000..e6723e2
--- /dev/null
+++ b/chart/values.pikachu.topaz.yaml
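Review bot: The `disallow-host-path` exemption for `*-container-logs-collector*` in `sulfoxide` is the widest grant in the file — a hostPath mount exposes node filesystem paths to the pod — and the glob is unanchored on both sides, so any pod name containing that fragment qualifies. The exemption itself may well be necessary for a log shipper, but nothing here records which paths it mounts or why; a comment such as `# container-logs-collector: hostPath for node container logs — mounts and justification in <ticket>` would let the next reviewer verify the scope rather than trust the name. Separately, this landscape's `labelExclude` omits the `*-silicon-*` entry present in the pichu files; that is fine if silicon does not run here, but a one-line comment would make the difference read as deliberate rather than as a missed copy.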
@@ -0,0 +1,134 @@
+serviceTree:
+ landscape: &landscape pikachu
+ cluster: topaz
+
+
+commonExclude:
+ annotations: &annotationExclude
+ - "*-cleanup-controller-*"
+ labels: &labelExclude
+ - "*-cleanup-controller-*"
+ - "tin-livecache*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+ - kube-system
+
+kyverno-policies:
+ podSecurityStandard: baseline
+ podSecuritySeverity: medium
+ validationFailureAction: Audit
+ policyExclude:
+ disallow-capabilities:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-namespaces:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-path:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-container-logs-collector*"
+ disallow-host-ports:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-process:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privileged-containers:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-proc-mount:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-selinux:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-apparmor-profiles:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-sysctls:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privilege-escalation:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-otel*"
+ require-run-as-non-root-user:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ require-run-as-nonroot:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp-strict:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-volume-types:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+
+policies:
+ requireAtomiCloudAnnotations:
+ exclude:
+ names: *annotationExclude
+
+ requireAtomiCloudLabels:
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeLabel:
+ value: *landscape
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeAnnotation:
+ value: *landscape
+ exclude:
+ names: *annotationExclude
+
+ checkLayerLabel:
+ exclude:
+ names: *labelExclude
+
+ checkLayerAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ checkPlatformLabel:
+ exclude:
+ names: *labelExclude
+
+ checkPlatformAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ requireRequestLimits:
+ exclude:
+ names:
+ - "*-target-allocator-targetallocator-*"
diff --git a/chart/values.raichu.amber.yaml b/chart/values.raichu.amber.yaml
new file mode 100644
index 0000000..d09eb8d
--- /dev/null
+++ b/chart/values.raichu.amber.yaml
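Review bot: With `podSecurityStandard: baseline`, the `policyExclude` entries for `restrict-volume-types`, `restrict-seccomp-strict`, `require-run-as-nonroot`, `require-run-as-non-root-user` and `disallow-privilege-escalation` target policies that belong to the restricted profile, so — if this chart renders only the selected profile's policies, as the upstream kyverno-policies chart does to my knowledge — those entries, including the `*-otel*` exemption, are dead configuration today. Dead exemptions are worse than none, because they look like a considered allow-list and will silently take effect the day the profile is raised. If they are pre-staged for a move to `restricted`, say so above them with `# restricted-profile excludes below are inert until podSecurityStandard is raised`; otherwise drop them so the file lists only exemptions that are actually in force.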
@@ -0,0 +1,134 @@
+serviceTree:
+ landscape: &landscape raichu
+ cluster: amber
+
+
+commonExclude:
+ annotations: &annotationExclude
+ - "*-cleanup-controller-*"
+ labels: &labelExclude
+ - "*-cleanup-controller-*"
+ - "tin-livecache*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+ - kube-system
+
+kyverno-policies:
+ podSecurityStandard: baseline
+ podSecuritySeverity: medium
+ validationFailureAction: Audit
+ policyExclude:
+ disallow-capabilities:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-namespaces:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-path:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-container-logs-collector*"
+ disallow-host-ports:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-process:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privileged-containers:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-proc-mount:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-selinux:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-apparmor-profiles:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-sysctls:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privilege-escalation:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-otel*"
+ require-run-as-non-root-user:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ require-run-as-nonroot:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp-strict:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-volume-types:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+
+policies:
+ requireAtomiCloudAnnotations:
+ exclude:
+ names: *annotationExclude
+
+ requireAtomiCloudLabels:
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeLabel:
+ value: *landscape
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeAnnotation:
+ value: *landscape
+ exclude:
+ names: *annotationExclude
+
+ checkLayerLabel:
+ exclude:
+ names: *labelExclude
+
+ checkLayerAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ checkPlatformLabel:
+ exclude:
+ names: *labelExclude
+
+ checkPlatformAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ requireRequestLimits:
+ exclude:
+ names:
+ - "*-target-allocator-targetallocator-*"
diff --git a/chart/values.raichu.topaz.yaml b/chart/values.raichu.topaz.yaml
new file mode 100644
index 0000000..95f934e
--- /dev/null
+++ b/chart/values.raichu.topaz.yaml
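Review bot: This is the fifth near-identical copy of the same 134 lines; only `serviceTree` and one `labelExclude` entry vary across the six files, so every future exemption must be added six times and a missed copy silently leaves one cluster more permissive (or noisier) than the others. Helm layers `-f` values files in order, so a shared file holding `commonExclude`, `globalExcludedNamespace` and `kyverno-policies`, with each per-cluster file reduced to `serviceTree` plus landscape-specific overrides, would remove that drift risk. Note that the YAML anchors (`*landscape`, `*labelExclude`, `*globalExcludedNamespace`) are document-scoped and do not survive a split across files, so `policies.*.value` and the `exclude.names` references would have to become literal values or be templated by the chart instead.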
@@ -0,0 +1,134 @@
+serviceTree:
+ landscape: &landscape raichu
+ cluster: topaz
+
+
+commonExclude:
+ annotations: &annotationExclude
+ - "*-cleanup-controller-*"
+ labels: &labelExclude
+ - "*-cleanup-controller-*"
+ - "tin-livecache*"
+
+globalExcludedNamespace: &globalExcludedNamespace
+ - kube-system
+
+kyverno-policies:
+ podSecurityStandard: baseline
+ podSecuritySeverity: medium
+ validationFailureAction: Audit
+ policyExclude:
+ disallow-capabilities:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-namespaces:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-path:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-container-logs-collector*"
+ disallow-host-ports:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-host-process:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privileged-containers:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-proc-mount:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-selinux:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-apparmor-profiles:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-sysctls:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ disallow-privilege-escalation:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ - resources:
+ namespaces:
+ - sulfoxide
+ names:
+ - "*-otel*"
+ require-run-as-non-root-user:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ require-run-as-nonroot:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-seccomp-strict:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+ restrict-volume-types:
+ any:
+ - resources:
+ namespaces: *globalExcludedNamespace
+
+policies:
+ requireAtomiCloudAnnotations:
+ exclude:
+ names: *annotationExclude
+
+ requireAtomiCloudLabels:
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeLabel:
+ value: *landscape
+ exclude:
+ names: *labelExclude
+
+ checkLandscapeAnnotation:
+ value: *landscape
+ exclude:
+ names: *annotationExclude
+
+ checkLayerLabel:
+ exclude:
+ names: *labelExclude
+
+ checkLayerAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ checkPlatformLabel:
+ exclude:
+ names: *labelExclude
+
+ checkPlatformAnnotation:
+ exclude:
+ names: *annotationExclude
+
+ requireRequestLimits:
+ exclude:
+ names:
+ - "*-target-allocator-targetallocator-*"
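Review bot: The `policies.*.exclude.names` lists (`*-cleanup-controller-*`, `tin-livecache*`, `*-target-allocator-targetallocator-*`) carry no namespace qualifier, unlike the `kyverno-policies.policyExclude` entries above them that pair `namespaces` with `names`, so as written a pod with a matching name in any namespace skips the ownership label/annotation checks and, for the last glob, the `requireRequestLimits` check. Whether this chart's `policies` schema accepts a namespace next to `names` is not visible in this diff; if it does, each glob should be scoped to the namespace its component actually runs in, and if it does not, a comment such as `# name-only excludes: a matching pod in any namespace is skipped` should flag the width for the next reader. The same lists are repeated in five sibling files, so whichever fix is chosen needs mirroring there.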