feat: create kustomizations for every policy group

Signed-off-by: xyhhx <xyhhx@tuta.io>
kyverno · Jan 3, 2025 · f8d1a19 · f8d1a19
1 parent 66433cd
commit f8d1a19
Show file tree

Hide file tree

Showing 44 changed files with 695 additions and 0 deletions.
diff --git a/argo-cel/kustomization.yaml b/argo-cel/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./application-field-validation/application-field-validation.yaml
+  - ./application-prevent-default-project/application-prevent-default-project.yaml
+  - ./application-prevent-updates-project/application-prevent-updates-project.yaml
+  - ./applicationset-name-matches-project/applicationset-name-matches-project.yaml
+  - ./appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
diff --git a/argo/kustomization.yaml b/argo/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./application-field-validation/application-field-validation.yaml
+  - ./application-prevent-default-project/application-prevent-default-project.yaml
+  - ./application-prevent-updates-project/application-prevent-updates-project.yaml
+  - ./applicationset-name-matches-project/applicationset-name-matches-project.yaml
+  - ./appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml
+  - ./argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml
diff --git a/aws-cel/kustomization.yaml b/aws-cel/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
diff --git a/aws/kustomization.yaml b/aws/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./require-aws-node-irsa/require-aws-node-irsa.yaml
+  - ./require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml
diff --git a/best-practices-cel/kustomization.yaml b/best-practices-cel/kustomization.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./check-deprecated-apis/check-deprecated-apis.yaml
+  - ./disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
+  - ./disallow-default-namespace/disallow-default-namespace.yaml
+  - ./disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
+  - ./disallow-helm-tiller/disallow-helm-tiller.yaml
+  - ./disallow-latest-tag/disallow-latest-tag.yaml
+  - ./require-drop-all/require-drop-all.yaml
+  - ./require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+  - ./require-labels/require-labels.yaml
+  - ./require-pod-requests-limits/require-pod-requests-limits.yaml
+  - ./require-probes/require-probes.yaml
+  - ./require-ro-rootfs/require-ro-rootfs.yaml
+  - ./restrict-image-registries/restrict-image-registries.yaml
+  - ./restrict-node-port/restrict-node-port.yaml
+  - ./restrict-service-external-ips/restrict-service-external-ips.yaml
diff --git a/best-practices/kustomization.yaml b/best-practices/kustomization.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./add-network-policy/add-network-policy.yaml
+  - ./add-networkpolicy-dns/add-networkpolicy-dns.yaml
+  - ./add-ns-quota/add-ns-quota.yaml
+  - ./add-rolebinding/add-rolebinding.yaml
+  - ./add-safe-to-evict/add-safe-to-evict.yaml
+  - ./check-deprecated-apis/check-deprecated-apis.yaml
+  - ./disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
+  - ./disallow-default-namespace/disallow-default-namespace.yaml
+  - ./disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
+  - ./disallow-helm-tiller/disallow-helm-tiller.yaml
+  - ./disallow-latest-tag/disallow-latest-tag.yaml
+  - ./require-drop-all/require-drop-all.yaml
+  - ./require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+  - ./require-labels/require-labels.yaml
+  - ./require-pod-requests-limits/require-pod-requests-limits.yaml
+  - ./require-probes/require-probes.yaml
+  - ./require-ro-rootfs/require-ro-rootfs.yaml
+  - ./restrict-image-registries/restrict-image-registries.yaml
+  - ./restrict-node-port/restrict-node-port.yaml
+  - ./restrict-service-external-ips/restrict-service-external-ips.yaml
diff --git a/castai/kustomization.yaml b/castai/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./add-castai-removal-disabled/add-castai-removal-disabled.yaml
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./limit-dnsnames/limit-dnsnames.yaml
+  - ./limit-duration/limit-duration.yaml
+  - ./restrict-issuer/restrict-issuer.yaml
diff --git a/cleanup/kustomization.yaml b/cleanup/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./cleanup-bare-pods/cleanup-bare-pods.yaml
+  - ./cleanup-empty-replicasets/cleanup-empty-replicasets.yaml
diff --git a/consul-cel/kustomization.yaml b/consul-cel/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./enforce-min-tls-version/enforce-min-tls-version.yaml
diff --git a/consul/kustomization.yaml b/consul/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./enforce-min-tls-version/enforce-min-tls-version.yaml
diff --git a/external-secret-operator/kustomization.yaml b/external-secret-operator/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./add-external-secret-prefix/add-external-secret-prefix.yaml
diff --git a/flux-cel/kustomization.yaml b/flux-cel/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./verify-flux-sources/verify-flux-sources.yaml
+  - ./verify-git-repositories/verify-git-repositories.yaml
diff --git a/flux/kustomization.yaml b/flux/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources.yaml
+  - ./verify-flux-images/verify-flux-images.yaml
+  - ./verify-flux-sources/verify-flux-sources.yaml
+  - ./verify-git-repositories/verify-git-repositories.yaml
diff --git a/gen-kustomization.sh b/gen-kustomization.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -xeuo pipefail
+for dir in ./*/; do
+    dir=${dir%*/}
+  if [[ -d "${dir}" && ! -L "${dir}" ]]; then
+    pushd "${dir}"
+    if [ ! -f ./kustomization.yaml ]; then
+      cat << 'EOF' > ./kustomization.yaml
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+EOF
+      ls -d */ -1 | sed 's/\(.*\)\//  - .\/\1\/\1.yaml/' >> ./kustomization.yaml
+    fi
+    popd
+  fi
+done
diff --git a/istio-cel/kustomization.yaml b/istio-cel/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
+  - ./enforce-strict-mtls/enforce-strict-mtls.yaml
+  - ./prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
diff --git a/istio/kustomization.yaml b/istio/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./add-ambient-mode-namespace/add-ambient-mode-namespace.yaml
+  - ./add-sidecar-injection-namespace/add-sidecar-injection-namespace.yaml
+  - ./create-authorizationpolicy/create-authorizationpolicy.yaml
+  - ./enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml
+  - ./enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
+  - ./enforce-strict-mtls/enforce-strict-mtls.yaml
+  - ./enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml
+  - ./prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml
+  - ./require-authorizationpolicy/require-authorizationpolicy.yaml
+  - ./restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
+  - ./service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml
+  - ./service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml
diff --git a/karpenter/kustomization.yaml b/karpenter/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./add-karpenter-daemonset-priority-class/add-karpenter-daemonset-priority-class.yaml
+  - ./add-karpenter-donot-evict/add-karpenter-donot-evict.yaml
+  - ./add-karpenter-nodeselector/add-karpenter-nodeselector.yaml
+  - ./set-karpenter-non-cpu-limits/set-karpenter-non-cpu-limits.yaml
diff --git a/kasten-cel/kustomization.yaml b/kasten-cel/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./k10-data-protection-by-label/k10-data-protection-by-label.yaml
+  - ./k10-hourly-rpo/k10-hourly-rpo.yaml
+  - ./k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml
diff --git a/kasten/kustomization.yaml b/kasten/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./kasten-3-2-1-backup/kasten-3-2-1-backup.yaml
+  - ./kasten-data-protection-by-label/kasten-data-protection-by-label.yaml
+  - ./kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml
+  - ./kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml
+  - ./kasten-hourly-rpo/kasten-hourly-rpo.yaml
+  - ./kasten-immutable-location-profile/kasten-immutable-location-profile.yaml
+  - ./kasten-minimum-retention/kasten-minimum-retention.yaml
+  - ./kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml
diff --git a/kubecost-cel/kustomization.yaml b/kubecost-cel/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./require-kubecost-labels/require-kubecost-labels.yaml
diff --git a/kubecost/kustomization.yaml b/kubecost/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./enable-kubecost-continuous-rightsizing/enable-kubecost-continuous-rightsizing.yaml
+  - ./kubecost-proactive-cost-control/kubecost-proactive-cost-control.yaml
+  - ./require-kubecost-labels/require-kubecost-labels.yaml
diff --git a/kubeops/kustomization.yaml b/kubeops/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml
diff --git a/kubevirt/kustomization.yaml b/kubevirt/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./add-services/add-services.yaml
+  - ./enforce-instancetype/enforce-instancetype.yaml
diff --git a/linkerd-cel/kustomization.yaml b/linkerd-cel/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+  - ./prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
+  - ./require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
diff --git a/linkerd/kustomization.yaml b/linkerd/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./add-linkerd-mesh-injection/add-linkerd-mesh-injection.yaml
+  - ./add-linkerd-policy-annotation/add-linkerd-policy-annotation.yaml
+  - ./check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml
+  - ./prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+  - ./prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml
+  - ./require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml
+  - ./require-linkerd-server/require-linkerd-server.yaml
diff --git a/nginx-ingress-cel/kustomization.yaml b/nginx-ingress-cel/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
+  - ./restrict-annotations/restrict-annotations.yaml
+  - ./restrict-ingress-paths/restrict-ingress-paths.yaml
diff --git a/nginx-ingress/kustomization.yaml b/nginx-ingress/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
+  - ./restrict-annotations/restrict-annotations.yaml
+  - ./restrict-ingress-paths/restrict-ingress-paths.yaml
diff --git a/openshift-cel/kustomization.yaml b/openshift-cel/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./check-routes/check-routes.yaml
+  - ./disallow-deprecated-apis/disallow-deprecated-apis.yaml
+  - ./disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
+  - ./disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
+  - ./enforce-etcd-encryption/enforce-etcd-encryption.yaml
diff --git a/openshift/kustomization.yaml b/openshift/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./check-routes/check-routes.yaml
+  - ./disallow-deprecated-apis/disallow-deprecated-apis.yaml
+  - ./disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
+  - ./disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
+  - ./disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
+  - ./enforce-etcd-encryption/enforce-etcd-encryption.yaml
+  - ./inject-infrastructurename/inject-infrastructurename.yaml
+  - ./team-validate-ns-name/team-validate-ns-name.yaml
+  - ./unique-routes/unique-routes.yaml