From 26d4e7d887514df63a0082403bbf823e72d4fb5f Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Thu, 20 May 2021 09:40:15 +0100
Subject: [PATCH] Install Kyverno and all Pod security policies
Signed-off-by: Richard Wall
---
 devel/BUILD.bazel | 1 +
 devel/addon/kyverno/BUILD.bazel | 15 ++++++++++++++
 devel/addon/kyverno/install.sh | 36 +++++++++++++++++++++++++++++++++
 devel/setup-e2e-deps.sh | 3 +++
 4 files changed, 55 insertions(+)
 create mode 100644 devel/addon/kyverno/BUILD.bazel
 create mode 100755 devel/addon/kyverno/install.sh
diff --git a/devel/BUILD.bazel b/devel/BUILD.bazel
index 543e7253d..0ad434022 100644
--- a/devel/BUILD.bazel
+++ b/devel/BUILD.bazel
@@ -12,6 +12,7 @@ filegroup(
 "//devel/addon/bind:all-srcs",
 "//devel/addon/certmanager:all-srcs",
 "//devel/addon/ingressnginx:all-srcs",
+ "//devel/addon/kyverno:all-srcs",
 "//devel/addon/pebble:all-srcs",
 "//devel/addon/sample-external-issuer:all-srcs",
 "//devel/addon/samplewebhook:all-srcs",
diff --git a/devel/addon/kyverno/BUILD.bazel b/devel/addon/kyverno/BUILD.bazel
new file mode 100644
index 000000000..8cf19e75e
--- /dev/null
+++ b/devel/addon/kyverno/BUILD.bazel
@@ -0,0 +1,15 @@
+load("@io_bazel_rules_docker//container:bundle.bzl", "container_bundle")
+
+filegroup(
+ name = "package-srcs",
+ srcs = glob(["**"]),
+ tags = ["automanaged"],
+ visibility = ["//visibility:private"],
+)
+
+filegroup(
+ name = "all-srcs",
+ srcs = [":package-srcs"],
+ tags = ["automanaged"],
+ visibility = ["//visibility:public"],
+)
diff --git a/devel/addon/kyverno/install.sh b/devel/addon/kyverno/install.sh
new file mode 100755
index 000000000..423ae1860
--- /dev/null
+++ b/devel/addon/kyverno/install.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Installs an instance of Kyverno with all Pod security policies enabled.
+# * https://kyverno.io/policies/pod-security/
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")
+source "${SCRIPT_ROOT}/../../lib/lib.sh"
+
+check_tool kubectl
+check_tool helm
+check_tool kustomize
+
+# Install latest version of Kyverno
+helm repo add kyverno https://kyverno.github.io/kyverno/
+helm repo update
+helm upgrade --install --wait kyverno kyverno/kyverno --namespace kyverno --create-namespace
+# Install all Pod security policies
+kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -
diff --git a/devel/setup-e2e-deps.sh b/devel/setup-e2e-deps.sh
index 5508235f7..fe39af5ae 100755
--- a/devel/setup-e2e-deps.sh
+++ b/devel/setup-e2e-deps.sh
@@ -31,6 +31,9 @@ source "${SCRIPT_ROOT}/lib/lib.sh"
 # Configure PATH to use bazel provided e2e tools
 setup_tools
+echo "Installing kyverno into cluster..."
+"${SCRIPT_ROOT}/addon/kyverno/install.sh"
+
 echo "Installing cert-manager into the cluster..."
 "${SCRIPT_ROOT}/addon/certmanager/install.sh"
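Review bot: In devel/addon/kyverno/install.sh neither the Helm chart nor the remote kustomize base is pinned, so every e2e run pulls whatever the Kyverno chart repository and the default branch of kyverno/policies serve at that moment and applies it to the cluster. That makes runs non-reproducible and lets an upstream change, or a compromised upstream, reach CI without review. Pin both, for example `helm upgrade --install --wait kyverno kyverno/kyverno --version "<PINNED_CHART_VERSION>" --namespace kyverno --create-namespace` and `kustomize build "https://github.com/kyverno/policies/pod-security?ref=<PINNED_TAG_OR_COMMIT>" | kubectl apply -f -`, and reword the `# Install latest version of Kyverno` comment to match. The two placeholders stand for versions the project has actually tested.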
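Review bot: In devel/setup-e2e-deps.sh the Kyverno install is placed ahead of every other addon with no comment saying that the order matters. Presumably the intent is that the Pod security policies are already in place when cert-manager and the other addons create their Pods, which a later reordering would silently undo. I would add `# Kyverno goes first so its Pod security policies are evaluated against the Pods of every addon installed below.` above the new `echo`. Nothing visible in this hunk fails the run when a policy reports a violation, so if the policies run in audit mode (not shown here) the install only produces reports that no step checks, which is worth confirming. The script continues outside the hunk.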