Back to Policies

Generate Flux Multi-Tenant Resources

As part of the tenant provisioning process, Flux needs to generate RBAC resources. This policy will create a ServiceAccount and RoleBinding when a new or existing Namespace is labeled with `toolkit.fluxcd.io/tenant`. Use of this rule may require an additional binding for the Kyverno ServiceAccount so it has permissions to properly create the RoleBinding.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-flux-multi-tenant-resources
  annotations:
    policies.kyverno.io/title: Generate Flux Multi-Tenant Resources
    policies.kyverno.io/category: Flux
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: ServiceAccount, RoleBinding
    policies.kyverno.io/description: As part of the tenant provisioning process, Flux needs to generate RBAC resources. This policy will create a ServiceAccount and RoleBinding when a new or existing Namespace is labeled with `toolkit.fluxcd.io/tenant`. Use of this rule may require an additional binding for the Kyverno ServiceAccount so it has permissions to properly create the RoleBinding.
spec:
  rules:
    - name: generate-flux-sa
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  toolkit.fluxcd.io/tenant: "?*"
      generate:
        apiVersion: v1
        kind: ServiceAccount
        name: "{{request.object.metadata.labels.\"toolkit.fluxcd.io/tenant\"}}"
        namespace: "{{request.object.metadata.name}}"
        synchronize: false
        data:
          metadata:
            labels:
              toolkit.fluxcd.io/tenant: "{{request.object.metadata.labels.\"toolkit.fluxcd.io/tenant\"}}"
            name: "{{request.object.metadata.labels.\"toolkit.fluxcd.io/tenant\"}}"
            namespace: "{{request.object.metadata.name}}"
    - name: generate-flux-rolebinding
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  toolkit.fluxcd.io/tenant: "?*"
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: "{{request.object.metadata.labels.\"toolkit.fluxcd.io/tenant\"}}"
        namespace: "{{request.object.metadata.name}}"
        synchronize: false
        data:
          metadata:
            labels:
              toolkit.fluxcd.io/tenant: "{{request.object.metadata.labels.\"toolkit.fluxcd.io/tenant\"}}"
            name: flux-{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}
            namespace: "{{request.object.metadata.name}}"
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: cluster-admin
          subjects:
            - kind: User
              name: flux:{{request.object.metadata.name}}:{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}
            - kind: ServiceAccount
              name: "{{request.object.metadata.labels.\"toolkit.fluxcd.io/tenant\"}}"
              namespace: "{{request.object.metadata.name}}"

Related Policies

GenerateMedium

Argo Cluster Secret Generation From Rancher CAPI Secret

This policy generates and synchronizes Argo CD cluster secrets from Rancher managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets. In this solution, Argo CD integrates with Rancher managed clusters via the central Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI. The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033 "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".

Secret
GenerateMedium

Add Network Policy

By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.

NetworkPolicy
GenerateMedium

Add Network Policy

By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.

NetworkPolicy