Add Kyverno support
Tasks to be done:

- Drop the OPA integration from cern-magnum
- Finalize the integration of Kyverno as an addon in cern-magnum
- Set up the policies we want to make available in our clusters
  - With a dedicated doc page under our Security section
  - Enable/disable option for users
- Sample policies
  - Standard enforcement (must have resources, selinux, must have …, mandatory labels, …)
  - Must rely on `registry.cern.ch` for all images
  - Mutating: convert non-prefixed, `docker.io` or `registry.k8s.io` images to the prefix `registry.cern.ch/<proxycache>/…`
- Once done and all set in the docs, reach out for discussion with the security team to see how they should be enforced
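A sketch of what the image-related sample policies could look like as one Kyverno ClusterPolicy, written as an added example for this issue and not taken from cern-magnum or the Kyverno project; the policy and rule names are made up, and `<proxycache>` is the same placeholder the task list uses, not a real Harbor project.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cern-registry-images   # policy and rule names are assumptions
spec:
  # Audit only until enforcement is agreed with the security team; then Enforce.
  validationFailureAction: Audit
  background: false            # rules reference request.object, so no background scans
  rules:
  # 1. Explicit docker.io / registry.k8s.io references -> proxy cache.
  #    <proxycache> is the placeholder used in the ticket, not a real project.
  - name: rewrite-upstream-registries
    match: {any: [{resources: {kinds: [Pod]}}]}
    mutate:
      foreach:
      - list: request.object.spec.containers
        patchStrategicMerge:
          spec:
            containers:
            - name: "{{ element.name }}"
              image: "{{ regex_replace_all_literal('^(docker\\.io|registry\\.k8s\\.io)/', '{{ element.image }}', 'registry.cern.ch/<proxycache>/') }}"
  # 2. Unprefixed references (no host with '.' or ':' before the first '/'),
  #    e.g. "nginx:1.25" or "bitnami/redis", get the same prefix.
  - name: prefix-unqualified-images
    match: {any: [{resources: {kinds: [Pod]}}]}
    mutate:
      foreach:
      - list: request.object.spec.containers
        preconditions:
          all:
          - key: "{{ regex_match('^[^/]+[.:][^/]*/', '{{ element.image }}') }}"
            operator: Equals
            value: false
        patchStrategicMerge:
          spec:
            containers:
            - name: "{{ element.name }}"
              image: "registry.cern.ch/<proxycache>/{{ element.image }}"
  # 3. Whatever survives mutation must come from registry.cern.ch; anything else
  #    (quay.io, ghcr.io, ...) is reported (Audit) or rejected (Enforce).
  - name: require-cern-registry
    match: {any: [{resources: {kinds: [Pod]}}]}
    validate:
      message: "Images must be pulled from registry.cern.ch (directly or via a proxy cache)."
      pattern:
        spec:
          containers:
          - image: "registry.cern.ch/*"
```

The rules only walk `spec.containers`; `initContainers` and `ephemeralContainers` need the same foreach and pattern entries before the policy is switched to Enforce, and whether Docker Hub official images need a `library/` path component in the proxy cache depends on how the Harbor project is configured.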
Edited by Ankur Kothiwal