Install Kyverno and all Pod security policies

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2021-05-20 09:40:15 +01:00 · 2021-05-20 09:40:15 +01:00 · 26d4e7d887
commit 26d4e7d887
parent 85c943ffc2
4 changed files with 55 additions and 0 deletions
--- a/devel/BUILD.bazel
+++ b/devel/BUILD.bazel
@ -12,6 +12,7 @@ filegroup(
        "//devel/addon/bind:all-srcs",
        "//devel/addon/certmanager:all-srcs",
        "//devel/addon/ingressnginx:all-srcs",
+        "//devel/addon/kyverno:all-srcs",
        "//devel/addon/pebble:all-srcs",
        "//devel/addon/sample-external-issuer:all-srcs",
        "//devel/addon/samplewebhook:all-srcs",
--- a/devel/addon/kyverno/BUILD.bazel
+++ b/devel/addon/kyverno/BUILD.bazel
@ -0,0 +1,15 @@
+load("@io_bazel_rules_docker//container:bundle.bzl", "container_bundle")
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/devel/addon/kyverno/install.sh
+++ b/devel/addon/kyverno/install.sh
@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Installs an instance of Kyverno with all Pod security policies enabled.
+# * https://kyverno.io/policies/pod-security/
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")
+source "${SCRIPT_ROOT}/../../lib/lib.sh"
+
+check_tool kubectl
+check_tool helm
+check_tool kustomize
+
+# Install latest version of Kyverno
+helm repo add kyverno https://kyverno.github.io/kyverno/
+helm repo update
+helm upgrade --install --wait kyverno kyverno/kyverno --namespace kyverno --create-namespace
+# Install all Pod security policies
+kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -
--- a/devel/setup-e2e-deps.sh
+++ b/devel/setup-e2e-deps.sh
@ -31,6 +31,9 @@ source "${SCRIPT_ROOT}/lib/lib.sh"
 # Configure PATH to use bazel provided e2e tools
 setup_tools

+echo "Installing kyverno into cluster..."
+"${SCRIPT_ROOT}/addon/kyverno/install.sh" 
+
 echo "Installing cert-manager into the cluster..."
 "${SCRIPT_ROOT}/addon/certmanager/install.sh"