├── .gitignore ├── .sourceignore ├── LICENSE ├── README.md ├── apps ├── base │ └── podinfo │ │ ├── deployment.yaml │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ └── service.yaml ├── production │ └── kustomization.yaml └── staging │ └── kustomization.yaml ├── clusters ├── production │ ├── apps.yaml │ ├── flux-system │ │ ├── gotk-components.yaml │ │ ├── gotk-sync.yaml │ │ └── kustomization.yaml │ └── infrastructure.yaml └── staging │ ├── apps.yaml │ ├── flux-system │ ├── gotk-components.yaml │ ├── gotk-sync.yaml │ └── kustomization.yaml │ └── infrastructure.yaml ├── infrastructure ├── configs │ ├── image-digest.yaml │ └── securitycontext.yaml └── controllers │ ├── kyverno.yaml │ └── weave-gitops.yaml └── scripts └── validate.sh /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | 8 | # Test binary, built with `go test -c` 9 | *.test 10 | 11 | # Output of the go coverage tool, specifically when used with LiteIDE 12 | *.out 13 | 14 | # Dependency directories (remove the comment below to include it) 15 | # vendor/ 16 | -------------------------------------------------------------------------------- /.sourceignore: -------------------------------------------------------------------------------- 1 | # Flux ignore 2 | # https://fluxcd.io/flux/components/source/gitrepositories/#excluding-files 3 | 4 | # Exclude all 5 | /* 6 | 7 | # Include manifest directories 8 | !/apps/ 9 | !/clusters/ 10 | !/infrastructure/ 11 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # gitops-kyverno 2 | 3 | Kubernetes' policy managed with Flux and Kyverno 4 | 5 | ## Prerequisites 6 | 7 | You will need a Kubernetes cluster version 1.21 or newer. 8 | For a quick local test, you can use [Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start/). 9 | Any other Kubernetes setup will work as well though. 10 | 11 | In order to follow the guide you'll need a GitHub account and a 12 | [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) 13 | that can create repositories (check all permissions under `repo`). 14 | 15 | Install the Flux CLI on MacOS or Linux using Homebrew: 16 | 17 | ```sh 18 | brew install fluxcd/tap/flux 19 | ``` 20 | 21 | ## Repository structure 22 | 23 | The Git repository contains the following top directories: 24 | 25 | - **apps** dir contains a demo app (podinfo) and its configuration for each environment 26 | - **infrastructure** dir contains common infra tools such as Kyverno and its cluster policies 27 | - **clusters** dir contains the Flux configuration per cluster 28 | 29 | ``` 30 | ├── apps 31 | │   ├── base 32 | │   ├── production 33 | │   └── staging 34 | ├── infrastructure 35 | │   ├── configs 36 | │   └── controllers 37 | └── clusters 38 | ├── production 39 | └── staging 40 | ``` 41 | 42 | ## Bootstrap the staging cluster 43 | 44 | Create a cluster named staging with kind: 45 | 46 | ```shell 47 | kind create cluster --name staging 48 | ``` 49 | 50 | Fork this repository on your personal GitHub account and export your GitHub access token, username and repo name: 51 | 52 | ```sh 53 | export GITHUB_TOKEN= 54 | export GITHUB_USER= 55 | ``` 56 | 57 | Set the kubectl context to your staging cluster and bootstrap Flux: 58 | 59 | ```sh 60 | flux bootstrap github \ 61 | --context=kind-staging \ 62 | --owner=${GITHUB_USER} \ 63 | --repository=gitops-kyverno \ 64 | --branch=main \ 65 | --personal \ 66 | --path=clusters/staging 67 | ``` 68 | 69 | The bootstrap command commits the manifests for the Flux components in `clusters/staging/flux-system` dir 70 | and creates a deploy key with read-only access on GitHub, so it can pull changes inside the cluster. 71 | 72 | Wait for Flux to install the controllers and the demo app with: 73 | 74 | ```shell 75 | watch flux get kustomizations 76 | ``` 77 | 78 | ## Access the Flux UI 79 | 80 | To access the Flux UI on a cluster, first start port forwarding with: 81 | 82 | ```sh 83 | kubectl -n flux-system port-forward svc/weave-gitops 9001:9001 84 | ``` 85 | 86 | Navigate to `http://localhost:9001` and login using the username `admin` and the password `flux`. 87 | 88 | [Weave GitOps](https://docs.gitops.weave.works/) provides insights into your application deployments, 89 | and makes continuous delivery with Flux easier to adopt and scale across your teams. 90 | The GUI provides a guided experience to build understanding and simplify getting started for new users; 91 | they can easily discover the relationship between Flux objects and navigate to deeper levels of information as required. 92 | 93 | ## Mutating deployments with Kyverno 94 | 95 | In the `infrastructure/configs` dir there are two Kyverno policies that mutate Kubernetes Deployments to set 96 | a restricted security context and to replace the app container image tag with its digest. 97 | 98 | Even if in Git, the podinfo image is set to `ghcr.io/stefanprodan/podinfo:6.2.3`, the actual 99 | deployment image in-cluster is mutated by Kyverno and the tag is replaced with the image digest. 100 | Same thing with the security context, in Git, podinfo has no such fields, but in-cluster the deployment ends up with: 101 | 102 | ```console 103 | $ kubectl -n podinfo get deployments.apps podinfo -oyaml | yq '.spec.template.spec.containers[0]' 104 | image: ghcr.io/stefanprodan/podinfo@sha256:4a72d3ce7eda670b78baadd8995384db29483dfc76e12f81a24e1fc1256c0a8e 105 | imagePullPolicy: IfNotPresent 106 | name: podinfo 107 | ports: 108 | - containerPort: 9898 109 | name: http 110 | protocol: TCP 111 | securityContext: 112 | allowPrivilegeEscalation: false 113 | capabilities: 114 | drop: 115 | - ALL 116 | readOnlyRootFilesystem: true 117 | runAsNonRoot: true 118 | seccompProfile: 119 | type: RuntimeDefault 120 | ``` 121 | 122 | ## Flux vs Argo drift detection 123 | 124 | If you've been using Argo, and you're switching to Flux, you may expect for Flux to report 125 | the above changes as a drift from Git and reapply the deployment continuously. With Argo, 126 | you must define policies for each field that Kyverno mutates to ignore differences, while 127 | with Flux this is not need. 128 | Flux works with any admission controller as long the mutation also happens at dry-run. 129 | 130 | To test that Flux has included the Kyverno mutations in its "desired state" we can run `flux diff` 131 | and check that no differences are reported: 132 | 133 | ```shell 134 | flux diff kustomization apps --path ./apps/staging/ 135 | ``` 136 | 137 | Now if we change the podinfo image tag in `apps/staging/kustomization.yaml` to `6.3.0` and we run diff: 138 | 139 | ```console 140 | $ flux diff kustomization apps --path ./apps/staging/ 141 | ✓ Kustomization diffing... 142 | ► Deployment/podinfo/podinfo drifted 143 | 144 | metadata.generation 145 | ± value change 146 | - 2 147 | + 3 148 | 149 | spec.template.spec.containers.podinfo.image 150 | ± value change 151 | - ghcr.io/stefanprodan/podinfo@sha256:4a72d3ce7eda670b78baadd8995384db29483dfc76e12f81a24e1fc1256c0a8e 152 | + ghcr.io/stefanprodan/podinfo@sha256:c0d72aa8829a310b998308b8d3f05bde6840c66eaf2862b218f87e21ea5fb275 153 | 154 | ⚠️ identified at least one change, exiting with non-zero exit code 155 | ``` 156 | 157 | We see that Flux detects a drift in the digest, instead of the image tag. Unlike Argo and other tools, 158 | Flux uses Kubernetes server-side apply dry-run to trigger the mutation webhooks, before it runs the 159 | drift detection algorithm. 160 | 161 | With Flux, you don't have to create special rules for each mutation made by admission controllers. 162 | 163 | -------------------------------------------------------------------------------- /apps/base/podinfo/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: podinfo 5 | spec: 6 | selector: 7 | matchLabels: 8 | app: podinfo 9 | template: 10 | metadata: 11 | labels: 12 | app: podinfo 13 | spec: 14 | containers: 15 | - image: ghcr.io/stefanprodan/podinfo:6.3.0 16 | name: podinfo 17 | ports: 18 | - name: http 19 | containerPort: 9898 20 | -------------------------------------------------------------------------------- /apps/base/podinfo/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: podinfo 4 | resources: 5 | - namespace.yaml 6 | - service.yaml 7 | - deployment.yaml 8 | -------------------------------------------------------------------------------- /apps/base/podinfo/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: podinfo 5 | labels: 6 | toolkit.fluxcd.io/tenant: dev-team 7 | -------------------------------------------------------------------------------- /apps/base/podinfo/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: podinfo 5 | spec: 6 | type: ClusterIP 7 | ports: 8 | - port: 80 9 | protocol: TCP 10 | targetPort: http 11 | selector: 12 | app: podinfo 13 | -------------------------------------------------------------------------------- /apps/production/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../base/podinfo 5 | images: 6 | - name: ghcr.io/stefanprodan/podinfo 7 | newTag: 6.2.2 8 | -------------------------------------------------------------------------------- /apps/staging/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../base/podinfo 5 | images: 6 | - name: ghcr.io/stefanprodan/podinfo 7 | newTag: 6.2.3 8 | -------------------------------------------------------------------------------- /clusters/production/apps.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: apps 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | dependsOn: 10 | - name: infra-configs 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | path: ./apps/production 15 | prune: true 16 | wait: true 17 | timeout: 5m0s 18 | -------------------------------------------------------------------------------- /clusters/production/flux-system/gotk-components.yaml: -------------------------------------------------------------------------------- 1 | # This file will be generated automatically by flux boostrap. 2 | -------------------------------------------------------------------------------- /clusters/production/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | # This file will be generated automatically by flux boostrap. 2 | -------------------------------------------------------------------------------- /clusters/production/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gotk-components.yaml 5 | - gotk-sync.yaml 6 | labels: 7 | - pairs: 8 | toolkit.fluxcd.io/tenant: sre-team 9 | patches: 10 | - patch: | 11 | - op: add 12 | path: /spec/template/spec/containers/0/args/- 13 | value: --concurrent=20 14 | - op: add 15 | path: /spec/template/spec/containers/0/args/- 16 | value: --requeue-dependency=5s 17 | target: 18 | kind: Deployment 19 | name: "(kustomize-controller|helm-controller|source-controller)" 20 | -------------------------------------------------------------------------------- /clusters/production/infrastructure.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: infra-controllers 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | retryInterval: 1m 10 | timeout: 5m 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | path: ./infrastructure/controllers 15 | prune: true 16 | wait: true 17 | patches: 18 | - patch: | 19 | - op: replace 20 | path: /spec/values/replicaCount 21 | value: 2 22 | target: 23 | kind: HelmRelease 24 | name: kyverno 25 | --- 26 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 27 | kind: Kustomization 28 | metadata: 29 | name: infra-configs 30 | namespace: flux-system 31 | spec: 32 | dependsOn: 33 | - name: infra-controllers 34 | interval: 1h 35 | retryInterval: 1m 36 | timeout: 5m 37 | sourceRef: 38 | kind: GitRepository 39 | name: flux-system 40 | path: ./infrastructure/configs 41 | prune: true 42 | -------------------------------------------------------------------------------- /clusters/staging/apps.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 2 | kind: Kustomization 3 | metadata: 4 | name: apps 5 | namespace: flux-system 6 | spec: 7 | interval: 10m0s 8 | dependsOn: 9 | - name: infra-configs 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | path: ./apps/staging 14 | prune: true 15 | wait: true 16 | timeout: 5m0s 17 | -------------------------------------------------------------------------------- /clusters/staging/flux-system/gotk-components.yaml: -------------------------------------------------------------------------------- 1 | # This file will be generated automatically by flux boostrap. 2 | -------------------------------------------------------------------------------- /clusters/staging/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | # This file will be generated automatically by flux boostrap. 2 | -------------------------------------------------------------------------------- /clusters/staging/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gotk-components.yaml 5 | - gotk-sync.yaml 6 | labels: 7 | - pairs: 8 | toolkit.fluxcd.io/tenant: sre-team 9 | patches: 10 | - patch: | 11 | - op: add 12 | path: /spec/template/spec/containers/0/args/- 13 | value: --concurrent=20 14 | - op: add 15 | path: /spec/template/spec/containers/0/args/- 16 | value: --requeue-dependency=5s 17 | target: 18 | kind: Deployment 19 | name: "(kustomize-controller|helm-controller|source-controller)" 20 | -------------------------------------------------------------------------------- /clusters/staging/infrastructure.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: infra-controllers 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | retryInterval: 1m 10 | timeout: 5m 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | path: ./infrastructure/controllers 15 | prune: true 16 | wait: true 17 | patches: 18 | - patch: | 19 | - op: replace 20 | path: /spec/values/replicaCount 21 | value: 1 22 | target: 23 | kind: HelmRelease 24 | name: kyverno 25 | --- 26 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 27 | kind: Kustomization 28 | metadata: 29 | name: infra-configs 30 | namespace: flux-system 31 | spec: 32 | dependsOn: 33 | - name: infra-controllers 34 | interval: 1h 35 | retryInterval: 1m 36 | timeout: 5m 37 | sourceRef: 38 | kind: GitRepository 39 | name: flux-system 40 | path: ./infrastructure/configs 41 | prune: true 42 | 43 | -------------------------------------------------------------------------------- /infrastructure/configs/image-digest.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: resolve-image-to-digest 5 | annotations: 6 | policies.kyverno.io/title: Resolve Image to Digest 7 | policies.kyverno.io/category: PSP 8 | policies.kyverno.io/subject: Deployment 9 | policies.kyverno.io/description: >- 10 | This policy resolves the image digest of each image in a container and replaces 11 | the image with the fully resolved reference which includes the digest rather than tag. 12 | spec: 13 | background: false 14 | rules: 15 | - name: resolve-to-digest 16 | match: 17 | resources: 18 | kinds: 19 | - Deployment 20 | namespaceSelector: 21 | matchExpressions: 22 | - key: toolkit.fluxcd.io/tenant 23 | operator: In 24 | values: 25 | - dev-team 26 | preconditions: 27 | all: 28 | - key: "{{request.operation || 'BACKGROUND'}}" 29 | operator: NotEquals 30 | value: DELETE 31 | mutate: 32 | foreach: 33 | - list: "request.object.spec.template.spec.containers" 34 | context: 35 | - name: resolvedRef 36 | imageRegistry: 37 | reference: "{{ element.image }}" 38 | jmesPath: "resolvedImage" 39 | patchStrategicMerge: 40 | spec: 41 | template: 42 | spec: 43 | containers: 44 | - name: "{{ element.name }}" 45 | image: "{{ resolvedRef }}" 46 | -------------------------------------------------------------------------------- /infrastructure/configs/securitycontext.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: add-default-securitycontext 5 | annotations: 6 | policies.kyverno.io/title: Add Default securityContext 7 | policies.kyverno.io/category: PSP 8 | policies.kyverno.io/subject: Deployment 9 | policies.kyverno.io/description: >- 10 | This policy will mutate a Deployment to set a restricted securityContext for the pod and containers 11 | if they are not already set. 12 | spec: 13 | rules: 14 | - name: add-default-securitycontext 15 | match: 16 | resources: 17 | kinds: 18 | - Deployment 19 | namespaceSelector: 20 | matchExpressions: 21 | - key: toolkit.fluxcd.io/tenant 22 | operator: In 23 | values: 24 | - dev-team 25 | mutate: 26 | patchStrategicMerge: 27 | spec: 28 | template: 29 | spec: 30 | securityContext: 31 | +(runAsNonRoot): true 32 | +(runAsUser): 1000 33 | +(runAsGroup): 3000 34 | +(fsGroup): 1337 35 | containers: 36 | - (name): "*" 37 | securityContext: 38 | +(allowPrivilegeEscalation): false 39 | +(readOnlyRootFilesystem): true 40 | +(runAsNonRoot): true 41 | +(capabilities): 42 | drop: [ "ALL" ] 43 | +(seccompProfile): 44 | type: RuntimeDefault 45 | -------------------------------------------------------------------------------- /infrastructure/controllers/kyverno.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kyverno 6 | labels: 7 | toolkit.fluxcd.io/tenant: sre-team 8 | --- 9 | apiVersion: source.toolkit.fluxcd.io/v1beta2 10 | kind: HelmRepository 11 | metadata: 12 | name: kyverno 13 | namespace: flux-system 14 | spec: 15 | interval: 24h 16 | url: oci://ghcr.io/kyverno/charts 17 | type: oci 18 | --- 19 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 20 | kind: HelmRelease 21 | metadata: 22 | name: kyverno 23 | namespace: flux-system 24 | spec: 25 | interval: 6h 26 | releaseName: kyverno 27 | targetNamespace: kyverno 28 | chart: 29 | spec: 30 | chart: kyverno 31 | version: 2.x 32 | interval: 24h 33 | sourceRef: 34 | kind: HelmRepository 35 | name: kyverno 36 | values: 37 | replicaCount: 2 38 | -------------------------------------------------------------------------------- /infrastructure/controllers/weave-gitops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: weave-gitops 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 60m0s 10 | url: oci://ghcr.io/weaveworks/charts 11 | --- 12 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 13 | kind: HelmRelease 14 | metadata: 15 | name: weave-gitops 16 | namespace: flux-system 17 | spec: 18 | interval: 60m 19 | chart: 20 | spec: 21 | chart: weave-gitops 22 | version: "*" 23 | sourceRef: 24 | kind: HelmRepository 25 | name: weave-gitops 26 | interval: 12h 27 | # https://github.com/weaveworks/weave-gitops/blob/main/charts/gitops-server/values.yaml 28 | values: 29 | resources: 30 | requests: 31 | cpu: 100m 32 | memory: 64Mi 33 | limits: 34 | cpu: 1 35 | memory: 512Mi 36 | securityContext: 37 | capabilities: 38 | drop: 39 | - ALL 40 | readOnlyRootFilesystem: true 41 | runAsNonRoot: true 42 | runAsUser: 1000 43 | adminUser: 44 | create: true 45 | username: admin 46 | # Change password by generating a new hash with: 47 | # https://docs.gitops.weave.works/docs/configuration/securing-access-to-the-dashboard/#login-via-a-cluster-user-account 48 | # bcrypt hash for password "flux" 49 | passwordHash: "$2a$10$P/tHQ1DNFXdvX0zRGA8LPeSOyb0JXq9rP3fZ4W8HGTpLV7qHDlWhe" 50 | -------------------------------------------------------------------------------- /scripts/validate.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # This script downloads the Flux OpenAPI schemas, then it validates the 4 | # Flux custom resources and the kustomize overlays using kubeconform. 5 | # This script is meant to be run locally and in CI before the changes 6 | # are merged on the main branch that's synced by Flux. 7 | 8 | # Copyright 2022 The Flux authors. All rights reserved. 9 | # 10 | # Licensed under the Apache License, Version 2.0 (the "License"); 11 | # you may not use this file except in compliance with the License. 12 | # You may obtain a copy of the License at 13 | # 14 | # http://www.apache.org/licenses/LICENSE-2.0 15 | # 16 | # Unless required by applicable law or agreed to in writing, software 17 | # distributed under the License is distributed on an "AS IS" BASIS, 18 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 19 | # See the License for the specific language governing permissions and 20 | # limitations under the License. 21 | 22 | # This script is meant to be run locally and in CI to validate the Kubernetes 23 | # manifests (including Flux custom resources) before changes are merged into 24 | # the branch synced by Flux in-cluster. 25 | 26 | # Prerequisites 27 | # - yq v4.30 28 | # - kustomize v4.5 29 | # - kubeconform v0.5.0 30 | 31 | set -o errexit 32 | 33 | echo "INFO - Downloading Flux OpenAPI schemas" 34 | mkdir -p /tmp/flux-crd-schemas/master-standalone-strict 35 | curl -sL https://github.com/fluxcd/flux2/releases/latest/download/crd-schemas.tar.gz | tar zxf - -C /tmp/flux-crd-schemas/master-standalone-strict 36 | 37 | find . -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; 38 | do 39 | echo "INFO - Validating $file" 40 | yq e 'true' "$file" > /dev/null 41 | done 42 | 43 | kubeconform_config=("-strict" "-ignore-missing-schemas" "-schema-location" "default" "-schema-location" "/tmp/flux-crd-schemas" "-verbose") 44 | 45 | echo "INFO - Validating clusters" 46 | find ./clusters -maxdepth 2 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; 47 | do 48 | kubeconform "${kubeconform_config[@]}" "${file}" 49 | if [[ ${PIPESTATUS[0]} != 0 ]]; then 50 | exit 1 51 | fi 52 | done 53 | 54 | # mirror kustomize-controller build options 55 | kustomize_flags=("--load-restrictor=LoadRestrictionsNone") 56 | kustomize_config="kustomization.yaml" 57 | 58 | echo "INFO - Validating kustomize overlays" 59 | find . -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; 60 | do 61 | echo "INFO - Validating kustomization ${file/%$kustomize_config}" 62 | kustomize build "${file/%$kustomize_config}" "${kustomize_flags[@]}" | \ 63 | kubeconform "${kubeconform_config[@]}" 64 | if [[ ${PIPESTATUS[0]} != 0 ]]; then 65 | exit 1 66 | fi 67 | done 68 | --------------------------------------------------------------------------------