feat: Add support for kyverno addon including reporter UI and baseline policies (#910)

Author: zeagord

.pre-commit-config.yaml

@@ -10,7 +10,7 @@ repos:
       - id: detect-aws-credentials
         args: ['--allow-missing-credentials']
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.74.1
+    rev: v1.75.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

docs/add-ons/kyverno.md

@@ -0,0 +1,36 @@
+# Kyverno
+
+Kyverno is a policy engine that can help kubernetes clusters to enforce security and governance policies.
+
+This addon provides support for:
+1. [Kyverno](https://github.com/kyverno/kyverno/tree/main/charts/kyverno)
+2. [Kyverno policies](https://github.com/kyverno/kyverno/tree/main/charts/kyverno-policies)
+3. [Kyverno policy reporter](https://github.com/kyverno/policy-reporter/tree/main/charts/policy-reporter)
+
+## Usage
+
+Kyverno can be deployed by enabling the respective add-on(s) via the following.
+
+```hcl
+enable_kyverno                 = true
+enable_kyverno_policies        = true
+enable_kyverno_policy_reporter = true
+```
+
+### GitOps Configuration
+
+The following properties are made available for use when managing the add-on via GitOps.
+
+```sh
+kyverno = {
+  enable = true
+}
+
+kyverno_policies = {
+  enable = true
+}
+
+kyverno_policy_reporter = {
+  enable = true
+}
+```

examples/complete-kubernetes-addons/main.tf

@@ -235,6 +235,10 @@ module "eks_blueprints_kubernetes_addons" {
     EOF
   }
 
+  enable_kyverno                 = true
+  enable_kyverno_policies        = true
+  enable_kyverno_policy_reporter = true
+
   tags = local.tags
 }
 

modules/kubernetes-addons/README.md

@@ -58,6 +58,7 @@
 | <a name="module_kubecost"></a> [kubecost](#module\_kubecost) | ./kubecost | n/a |
 | <a name="module_kuberay_operator"></a> [kuberay\_operator](#module\_kuberay\_operator) | ./kuberay-operator | n/a |
 | <a name="module_kubernetes_dashboard"></a> [kubernetes\_dashboard](#module\_kubernetes\_dashboard) | ./kubernetes-dashboard | n/a |
+| <a name="module_kyverno"></a> [kyverno](#module\_kyverno) | ./kyverno | n/a |
 | <a name="module_local_volume_provisioner"></a> [local\_volume\_provisioner](#module\_local\_volume\_provisioner) | ./local-volume-provisioner | n/a |
 | <a name="module_metrics_server"></a> [metrics\_server](#module\_metrics\_server) | ./metrics-server | n/a |
 | <a name="module_ondat"></a> [ondat](#module\_ondat) | ondat/ondat-addon/eksblueprints | 0.1.1 |
@@ -190,6 +191,9 @@
 | <a name="input_enable_kubecost"></a> [enable\_kubecost](#input\_enable\_kubecost) | Enable Kubecost add-on | `bool` | `false` | no |
 | <a name="input_enable_kuberay_operator"></a> [enable\_kuberay\_operator](#input\_enable\_kuberay\_operator) | Enable KubeRay Operator add-on | `bool` | `false` | no |
 | <a name="input_enable_kubernetes_dashboard"></a> [enable\_kubernetes\_dashboard](#input\_enable\_kubernetes\_dashboard) | Enable Kubernetes Dashboard add-on | `bool` | `false` | no |
+| <a name="input_enable_kyverno"></a> [enable\_kyverno](#input\_enable\_kyverno) | Enable Kyverno add-on | `bool` | `false` | no |
+| <a name="input_enable_kyverno_policies"></a> [enable\_kyverno\_policies](#input\_enable\_kyverno\_policies) | Enable Kyverno policies. Requires `enable_kyverno` to be `true` | `bool` | `false` | no |
+| <a name="input_enable_kyverno_policy_reporter"></a> [enable\_kyverno\_policy\_reporter](#input\_enable\_kyverno\_policy\_reporter) | Enable Kyverno UI. Requires `enable_kyverno` to be `true` | `bool` | `false` | no |
 | <a name="input_enable_local_volume_provisioner"></a> [enable\_local\_volume\_provisioner](#input\_enable\_local\_volume\_provisioner) | Enable Local volume provisioner add-on | `bool` | `false` | no |
 | <a name="input_enable_metrics_server"></a> [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no |
 | <a name="input_enable_ondat"></a> [enable\_ondat](#input\_enable\_ondat) | Enable Ondat add-on | `bool` | `false` | no |
@@ -234,6 +238,9 @@
 | <a name="input_kubecost_helm_config"></a> [kubecost\_helm\_config](#input\_kubecost\_helm\_config) | Kubecost Helm Chart config | `any` | `{}` | no |
 | <a name="input_kuberay_operator_helm_config"></a> [kuberay\_operator\_helm\_config](#input\_kuberay\_operator\_helm\_config) | KubeRay Operator Helm Chart config | `any` | `{}` | no |
 | <a name="input_kubernetes_dashboard_helm_config"></a> [kubernetes\_dashboard\_helm\_config](#input\_kubernetes\_dashboard\_helm\_config) | Kubernetes Dashboard Helm Chart config | `any` | `null` | no |
+| <a name="input_kyverno_helm_config"></a> [kyverno\_helm\_config](#input\_kyverno\_helm\_config) | Kyverno Helm Chart config | `any` | `{}` | no |
+| <a name="input_kyverno_policies_helm_config"></a> [kyverno\_policies\_helm\_config](#input\_kyverno\_policies\_helm\_config) | Kyverno policies Helm Chart config | `any` | `{}` | no |
+| <a name="input_kyverno_policy_reporter_helm_config"></a> [kyverno\_policy\_reporter\_helm\_config](#input\_kyverno\_policy\_reporter\_helm\_config) | Kyverno UI Helm Chart config | `any` | `{}` | no |
 | <a name="input_local_volume_provisioner_helm_config"></a> [local\_volume\_provisioner\_helm\_config](#input\_local\_volume\_provisioner\_helm\_config) | Local volume provisioner Helm Chart config | `any` | `{}` | no |
 | <a name="input_metrics_server_helm_config"></a> [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no |
 | <a name="input_ondat_admin_password"></a> [ondat\_admin\_password](#input\_ondat\_admin\_password) | Password for Ondat admin user | `string` | `"storageos"` | no |

modules/kubernetes-addons/kyverno/README.md

@@ -0,0 +1,49 @@
+# Kyverno
+
+Kyverno is a policy engine that can help kubernetes clusters to enforce security and governance policies.
+
+This addon provides support for:
+1. [Kyverno](https://github.com/kyverno/kyverno/tree/main/charts/kyverno)
+2. [Kyverno policies](https://github.com/kyverno/kyverno/tree/main/charts/kyverno-policies)
+3. [Kyverno policy reporter](https://github.com/kyverno/policy-reporter/tree/main/charts/policy-reporter)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kyverno_helm_addon"></a> [kyverno\_helm\_addon](#module\_kyverno\_helm\_addon) | ../helm-addon | n/a |
+| <a name="module_kyverno_policies_helm_addon"></a> [kyverno\_policies\_helm\_addon](#module\_kyverno\_policies\_helm\_addon) | ../helm-addon | n/a |
+| <a name="module_kyverno_policy_reporter_helm_addon"></a> [kyverno\_policy\_reporter\_helm\_addon](#module\_kyverno\_policy\_reporter\_helm\_addon) | ../helm-addon | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>  })</pre> | n/a | yes |
+| <a name="input_enable_kyverno"></a> [enable\_kyverno](#input\_enable\_kyverno) | Enable Kyverno | `bool` | `false` | no |
+| <a name="input_enable_kyverno_policies"></a> [enable\_kyverno\_policies](#input\_enable\_kyverno\_policies) | Enable Kyverno policies. Requires `enable_kyverno` to be `true` | `bool` | `false` | no |
+| <a name="input_enable_kyverno_policy_reporter"></a> [enable\_kyverno\_policy\_reporter](#input\_enable\_kyverno\_policy\_reporter) | Enable Kyverno UI. Requires `enable_kyverno` to be `true` | `bool` | `false` | no |
+| <a name="input_kyverno_helm_config"></a> [kyverno\_helm\_config](#input\_kyverno\_helm\_config) | Helm provider config for the Kyverno | `any` | `{}` | no |
+| <a name="input_kyverno_policies_helm_config"></a> [kyverno\_policies\_helm\_config](#input\_kyverno\_policies\_helm\_config) | Helm provider config for the Kyverno baseline policies | `any` | `{}` | no |
+| <a name="input_kyverno_policy_reporter_helm_config"></a> [kyverno\_policy\_reporter\_helm\_config](#input\_kyverno\_policy\_reporter\_helm\_config) | Helm provider config for the Kyverno policy reporter UI | `any` | `{}` | no |
+| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/kubernetes-addons/kyverno/main.tf

@@ -0,0 +1,72 @@
+module "kyverno_helm_addon" {
+  source = "../helm-addon"
+
+  manage_via_gitops = var.manage_via_gitops
+  helm_config = merge(
+    {
+      name             = "kyverno"
+      chart            = "kyverno"
+      repository       = "https://kyverno.github.io/kyverno/"
+      version          = "v2.5.3"
+      namespace        = "kyverno"
+      create_namespace = true
+      description      = "Kubernetes Native Policy Management"
+      values = [
+        <<-EOT
+          replicaCount: 3
+        EOT
+      ]
+    },
+    var.kyverno_helm_config
+  )
+
+  addon_context = var.addon_context
+}
+
+module "kyverno_policies_helm_addon" {
+  source = "../helm-addon"
+
+  count = var.enable_kyverno_policies ? 1 : 0
+
+  manage_via_gitops = var.manage_via_gitops
+  helm_config = merge(
+    {
+      name        = "kyverno-policies"
+      chart       = "kyverno-policies"
+      repository  = "https://kyverno.github.io/kyverno/"
+      version     = "v2.5.5"
+      namespace   = module.kyverno_helm_addon.helm_release[0].namespace
+      description = "Kubernetes Pod Security Standards implemented as Kyverno policies"
+      values = [
+        <<-EOT
+          podSecurityStandard: restricted
+        EOT
+
+      ]
+    },
+    var.kyverno_policies_helm_config
+  )
+
+  addon_context = var.addon_context
+}
+
+module "kyverno_policy_reporter_helm_addon" {
+  source = "../helm-addon"
+
+  count = var.enable_kyverno_policy_reporter ? 1 : 0
+
+  manage_via_gitops = var.manage_via_gitops
+  helm_config = merge(
+    {
+      name        = "policy-reporter"
+      chart       = "policy-reporter"
+      repository  = "https://kyverno.github.io/policy-reporter"
+      version     = "2.13.0"
+      namespace   = module.kyverno_helm_addon.helm_release[0].namespace
+      description = "Policy Reporter watches for PolicyReport Resources"
+    },
+    var.kyverno_policy_reporter_helm_config
+  )
+
+  addon_context = var.addon_context
+}

modules/kubernetes-addons/kyverno/outputs.tf

@@ -0,0 +1,56 @@
+variable "kyverno_helm_config" {
+  description = "Helm provider config for the Kyverno"
+  type        = any
+  default     = {}
+}
+
+variable "kyverno_policies_helm_config" {
+  description = "Helm provider config for the Kyverno baseline policies"
+  type        = any
+  default     = {}
+}
+
+variable "kyverno_policy_reporter_helm_config" {
+  description = "Helm provider config for the Kyverno policy reporter UI"
+  type        = any
+  default     = {}
+}
+
+variable "enable_kyverno" {
+  description = "Enable Kyverno"
+  default     = false
+  type        = bool
+}
+
+variable "enable_kyverno_policies" {
+  description = "Enable Kyverno policies. Requires `enable_kyverno` to be `true`"
+  type        = bool
+  default     = false
+}
+
+variable "enable_kyverno_policy_reporter" {
+  description = "Enable Kyverno UI. Requires `enable_kyverno` to be `true`"
+  type        = bool
+  default     = false
+}
+
+variable "manage_via_gitops" {
+  description = "Determines if the add-on should be managed via GitOps."
+  type        = bool
+  default     = false
+}
+
+variable "addon_context" {
+  description = "Input configuration for the addon"
+  type = object({
+    aws_caller_identity_account_id = string
+    aws_caller_identity_arn        = string
+    aws_eks_cluster_endpoint       = string
+    aws_partition_id               = string
+    aws_region_name                = string
+    eks_cluster_id                 = string
+    eks_oidc_issuer_url            = string
+    eks_oidc_provider_arn          = string
+    tags                           = map(string)
+  })
+}

modules/kubernetes-addons/kyverno/variables.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.0.0"
+}

modules/kubernetes-addons/kyverno/versions.tf

@@ -40,6 +40,9 @@ locals {
     chaos_mesh                = var.enable_chaos_mesh ? module.chaos_mesh[0].argocd_gitops_config : null
     cilium                    = var.enable_cilium ? module.cilium[0].argocd_gitops_config : null
     gatekeeper                = var.enable_gatekeeper ? module.gatekeeper[0].argocd_gitops_config : null
+    kyverno                   = var.enable_kyverno ? { enable = true } : null
+    kyverno_policies          = var.enable_kyverno ? { enable = true } : null
+    kyverno_policy_reporter   = var.enable_kyverno ? { enable = true } : null
   }
 
   addon_context = {