appuio · bastjan · Sep 19, 2024 · Sep 19, 2024
@@ -20,5 +20,3 @@
 
 # Additional entries
 jsonnetfile.json
-tests/kyverno/*/compiled
-tools/render/render
@@ -12,7 +12,6 @@ SHELL := bash
 .SUFFIXES:
 
 include Makefile.vars.mk
-include Makefile.kyverno.mk
 
 .PHONY: help
 help: ## Show this help

@@ -13,12 +13,8 @@ parameters:
         output_path: apps/
       - input_paths:
           - appuio-cloud/component/main.jsonnet
-          - appuio-cloud/component/namespace-policies.jsonnet
           - appuio-cloud/component/project-template.jsonnet
-          - appuio-cloud/component/quota-limitrange.jsonnet
-          - appuio-cloud/component/namespace-quota.jsonnet
           - appuio-cloud/component/build-strategy.jsonnet
-          - appuio-cloud/component/runonce-activedeadlineseconds.jsonnet
           - appuio-cloud/component/monitoring.jsonnet
           - appuio-cloud/component/cluster-roles.jsonnet
         input_type: jsonnet

@@ -21,13 +21,6 @@ parameters:
 
     secrets: {}
 
-    # Disables Kyverno policies deployed.
-    # possible values: [usage-profiles]
-    agent_feature_set: []
-
-    # Allows to generically disable a Kyverno ClusterPolicy
-    disable_kyverno_cluster_policies: []
-
     agent:
       replicas: 3
       # Customize agent deployment resource requests & limits
@@ -130,15 +123,12 @@ parameters:
       # Roles are not supported for the APPUiO Cloud Agent. Should be left empty.
       roles: {}
       # In APPUiO Cloud Agent ClusterRoles are only ever matched if they are bound through a ClusterRoleBinding,
-      # this is different from the behavior of Kyverno.
       # This is done to prevent a user from wrongly configuring a low-privileged ClusterRole which users
       # can then bind to themselves to bypass the restrictions.
       clusterRoles:
         cluster-admin: cluster-admin
         cluster-image-registry-operator: cluster-image-registry-operator
         cluster-node-tuning-operator: cluster-node-tuning-operator
-        kyverno:generatecontroller: kyverno:generatecontroller
-        kyverno:policycontroller: kyverno:policycontroller
         multus-admission-controller-webhook: multus-admission-controller-webhook
         openshift-dns-operator: openshift-dns-operator
         openshift-ingress-operator: openshift-ingress-operator
@@ -197,13 +187,6 @@ parameters:
         - kubectl.kubernetes.io/last-applied-configuration
       appuioUserDefined: custom.appuio.io/*
       runOnceActiveDeadlineSecondsOverride: ${appuio_cloud:runOnceActiveDeadlineSeconds:overrideAnnotationKey}
-      # If using mutate, Kyverno appends an annotation to debug the mutate patches.
-      # The annotation is appended in the context of the original requestor.
-      # Thus we have to whitelist the annotation or the later validation rejects the request.
-      # This should be safe because:
-      # - The annotation is only for debugging and not referenced elsewhere.
-      # - The mutating policies are validated with a validation rule too.
-      kyvernoMutateLabel: policies.kyverno.io/last-applied-patches
       defaultNamespaceNodeSelectorAnnotation: ${appuio_cloud:agent:config:DefaultNamespaceNodeSelectorAnnotation}
 
     maxNamespaceQuota: 25
@@ -212,7 +195,6 @@ parameters:
     generatedResourceQuota:
       # See https://kb.vshn.ch/appuio-cloud/references/quality-requirements/performance/resource-quota.html
       organization-objects:
-        synchronize: true
         spec:
           hard:
             count/configmaps: "150"
@@ -237,7 +219,6 @@ parameters:
             rbd-storagepool-cluster.storageclass.storage.k8s.io/requests.storage: 25Gi
 
       organization-compute:
-        synchronize: true
         spec:
           hard:
             requests.cpu: 4
@@ -249,7 +230,6 @@ parameters:
             - NotTerminating
 
       organization-compute-terminating:
-        synchronize: true
         spec:
           hard:
             limits.cpu: 4000m
@@ -262,7 +242,6 @@ parameters:
 
     generatedLimitRange:
       name: organization
-      synchronize: true
       limits:
         "Container":
           min:

@@ -119,7 +119,7 @@ local configMap =
         _allowedLabels:: null,
 
         local legacyDefaultResourceQuotas = super._LegacyDefaultResourceQuotas,
-        LegacyDefaultResourceQuotas: std.foldl(function(prev, k) prev { [k]: legacyDefaultResourceQuotas[k] + legacyDefaultResourceQuotas[k].spec { synchronize:: null, spec:: null } }, std.objectFields(legacyDefaultResourceQuotas), {}),
+        LegacyDefaultResourceQuotas: std.foldl(function(prev, k) prev { [k]: legacyDefaultResourceQuotas[k] + legacyDefaultResourceQuotas[k].spec { spec:: null } }, std.objectFields(legacyDefaultResourceQuotas), {}),
         _LegacyDefaultResourceQuotas:: null,
 
         local legacyDefaultLimitRange = super._LegacyDefaultLimitRange,

@@ -13,96 +13,11 @@ local defaultLabels = {
   },
 };
 
-local orgLabelSelector = {
-  matchExpressions: [
-    {
-      key: 'appuio.io/organization',
-      operator: 'Exists',
-    },
-  ],
-};
-
 local flattenSet(set) = std.flatMap(function(s)
                                       if std.isArray(set[s]) then set[s] else [ set[s] ],
                                     std.objectFields(std.prune(set)));
 
-
-local ifNotEmpty(key, array) = if std.length(array) > 0 then [ { [key]: array } ] else [];
-/**
-  * bypassNamespaceRestrictionsSubjects returns an object containing the configured roles and subjects
-  * allowed to bypass restrictions.
-  */
-local bypassNamespaceRestrictionsSubjects() =
-  local bypass = params.bypassNamespaceRestrictions;
-  {
-    any:
-      ifNotEmpty('clusterRoles', flattenSet(bypass.clusterRoles)) +
-      ifNotEmpty('roles', flattenSet(bypass.roles)) +
-      ifNotEmpty('subjects', flattenSet(bypass.subjects)),
-  };
-
-local matchKinds(selector=null, names=null, match='all', kinds) = {
-  [match]+: [ {
-    resources+: std.prune({
-      kinds+: kinds,
-      selector+: selector,
-      names+: names,
-    }),
-  } ],
-};
-
-local matchNamespaces(selector=null, names=null, match='all') = matchKinds(selector, names, match, kinds=[ 'Namespace' ]);
-
-local matchProjectRequests(selector=null, names=null, match='all') = matchKinds(selector, names, match, kinds=[ 'ProjectRequest' ]);
-
-local matchRoleBindings(selector=null, names=null, match='all') = matchKinds(selector, names, match, kinds=[ 'rbac.authorization.k8s.io/v1/RoleBinding' ]);
-
-local matchOrgNamespaces = matchNamespaces(selector=orgLabelSelector);
-
-local matchNamespacesAndProjectRequests(selector=null, names=null, match='all') =
-  matchKinds(selector, names, match, kinds=[ 'Namespace', 'ProjectRequest' ]);
-
-local kyvernoPatternToRegex = function(pattern)
-  '^%s$' % std.strReplace(std.strReplace(pattern, '?', '.'), '*', '.*');
-
-local jsonnetFile(filename) =
-  local parts = std.split(filename, '/');
-  local pcount = std.length(parts);
-  '%s/%s' % [ parts[pcount - 2], parts[pcount - 1] ];
-
-
-local agentFeatureEnabled(name) =
-  local knownFeatures = [ 'usage-profiles' ];
-  assert std.member(knownFeatures, name) : 'Unknown agent feature "%s"' % name;
-  std.member(params.agent_feature_set, name);
-
-local disabledPolicies = std.prune(params.disable_kyverno_cluster_policies);
-
-local removeDisabledPolicies = function(policies)
-  {
-    [p]: policies[p]
-    for p in std.filter(
-      function(pk)
-        local policy = policies[pk];
-        !std.isObject(policy) || policy.apiVersion != 'kyverno.io/v1' || policy.kind != 'ClusterPolicy' || std.length(std.find(policy.metadata.name, disabledPolicies)) == 0,
-      std.objectFields(policies)
-    )
-  };
-
 {
-  // Remove disabled Kyverno policies
-  // Takes a dict with kubernetes resources and removes kyverno.io/v1.ClusterPolicy manifests that are disabled
-  RemoveDisabledPolicies: removeDisabledPolicies,
-  // AgentFeatureEnabled returns true if the given feature is enabled.
-  AgentFeatureEnabled: agentFeatureEnabled,
   DefaultLabels: defaultLabels,
   FlattenSet: flattenSet,
-  BypassNamespaceRestrictionsSubjects: bypassNamespaceRestrictionsSubjects,
-  MatchNamespaces: matchNamespaces,
-  MatchNamespacesAndProjectRequests: matchNamespacesAndProjectRequests,
-  MatchOrgNamespaces: matchOrgNamespaces,
-  MatchProjectRequests: matchProjectRequests,
-  MatchRoleBindings: matchRoleBindings,
-  KyvernoPatternToRegex: kyvernoPatternToRegex,
-  JsonnetFile: jsonnetFile,
 }