feat: Add support for kyverno addon including reporter UI and baseline policies

docs/add-ons/kyverno.md

@@ -0,0 +1,98 @@
+
+# Kyverno
+
+Kyverno is a policy engine that can help kubernetes clusters to enforce security and governance policies
+
+This module takes an opinionated approach to install a set a of baseline policies along with the Kyverno UI which can disabled or removed based on the need.
+
+The baseline and restricted policies covered by the built-in policies are below which can be toggeld via the helm values.
+
+## Baseline
+* disallow-capabilities
+* disallow-host-namespaces
+* disallow-host-path
+* disallow-host-ports
+* disallow-host-process
+* disallow-privileged-containers
+* disallow-proc-mount
+* disallow-selinux
+* restrict-apparmor-profiles
+* restrict-seccomp
+* restrict-sysctls
+
+## Restricted
+
+* disallow-capabilities-strict
+* disallow-privilege-escalation
+* require-run-as-non-root-user
+* require-run-as-nonroot
+* restrict-seccomp-strict
+* restrict-volume-types
+
+## References
+
+Pod Secuirty standards - https://kubernetes.io/docs/concepts/security/pod-security-standards/
+
+For more details checkout [kyverno](https://kyverno.io/)
+
+
+## Usage
+
+Kyverno can be deployed by enabling the add-on via the following.
+
+```hcl
+enable_kyverno = true
+```
+
+Deploy Kyverno with custom `values.yaml`
+
+```hcl
+  # Optional Map value; pass kyverno-values.yaml from consumer module
+    kyverno_helm_config = {
+    name       = "kyverno"                                             # (Required) Release name.
+    repository = "https://kyverno.github.io/kyverno/"                  # (Optional) Repository URL where to locate the requested chart.
+    chart      = "kyverno"                                        # (Required) Chart name to be installed.
+    version    = "v2.5.2"                                               # (Optional) Specify the exact chart version to install. If this is not specified, it defaults to the version set within default_helm_config: https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/kyverno/locals.tf
+    namespace  = "kyverno"                                             # (Optional) The namespace to install the release into.
+    values = [templatefile("${path.module}/kyverno-values.yaml", {})]
+  }
+```
+
+
+Deploy Kyverno policies with custom `values.yaml`
+
+```hcl
+  # Optional Map value; pass kyverno-values.yaml from consumer module
+    kyverno_helm_config = {
+    name       = "kyverno-policies"                                             # (Required) Release name.
+    repository = "https://kyverno.github.io/kyverno/"                  # (Optional) Repository URL where to locate the requested chart.
+    chart      = "kyverno-policies"                                        # (Required) Chart name to be installed.
+    version    = "v2.5.2"                                               # (Optional) Specify the exact chart version to install. If this is not specified, it defaults to the version set within default_helm_config: https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/kyverno/locals.tf
+    namespace  = "kyverno"                                             # (Optional) The namespace to install the release into.
+    values = [templatefile("${path.module}/kyverno-policies-values.yaml", {})]
+  }
+```
+
+
+Deploy Kyverno Policy reporter UI with custom `values.yaml`
+
+```hcl
+  # Optional Map value; pass kyverno-values.yaml from consumer module
+    kyverno_helm_config = {
+    name       = "policy-reporter"                                             # (Required) Release name.
+    repository = "https://kyverno.github.io/kyverno/"                  # (Optional) Repository URL where to locate the requested chart.
+    chart      = "policy-reporter"                                        # (Required) Chart name to be installed.
+    version    = "v2.5.2"                                               # (Optional) Specify the exact chart version to install. If this is not specified, it defaults to the version set within default_helm_config: https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/main/modules/kubernetes-addons/kyverno/locals.tf
+    namespace  = "kyverno"                                             # (Optional) The namespace to install the release into.
+    values = [templatefile("${path.module}/kyverno-ui-values.yaml", {})]
+  }
+```
+### GitOps Configuration
+
+The following properties are made available for use when managing the add-on via GitOps.
+
+```sh
+kyverno = {
+  enable  = true
+}
+```

examples/complete-kubernetes-addons/main.tf

@@ -234,8 +234,10 @@ module "eks_blueprints_kubernetes_addons" {
       Decode_Field_As json message
     EOF
   }
-
-  tags = local.tags
+  enable_kyverno          = true
+  enable_kyverno_policies = true
+  enable_kyverno_ui       = false
+  tags                    = local.tags
 }
 
 #---------------------------------------------------------------

examples/complete-kubernetes-addons/variables.tf

@@ -0,0 +1 @@
+# Copyright © 2022 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This AWS Content is provided subject to the terms of the AWS Customer Agreement available at http://aws.amazon.com/agreement or other written agreement between Customer and either Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both."

modules/kubernetes-addons/README.md

@@ -56,6 +56,7 @@
 | <a name="module_kubecost"></a> [kubecost](#module\_kubecost) | ./kubecost | n/a |
 | <a name="module_kuberay_operator"></a> [kuberay\_operator](#module\_kuberay\_operator) | ./kuberay-operator | n/a |
 | <a name="module_kubernetes_dashboard"></a> [kubernetes\_dashboard](#module\_kubernetes\_dashboard) | ./kubernetes-dashboard | n/a |
+| <a name="module_kyverno"></a> [kyverno](#module\_kyverno) | ./kyverno | n/a |
 | <a name="module_metrics_server"></a> [metrics\_server](#module\_metrics\_server) | ./metrics-server | n/a |
 | <a name="module_ondat"></a> [ondat](#module\_ondat) | ondat/ondat-addon/eksblueprints | 0.1.1 |
 | <a name="module_opentelemetry_operator"></a> [opentelemetry\_operator](#module\_opentelemetry\_operator) | ./opentelemetry-operator | n/a |
@@ -182,6 +183,9 @@
 | <a name="input_enable_kubecost"></a> [enable\_kubecost](#input\_enable\_kubecost) | Enable Kubecost add-on | `bool` | `false` | no |
 | <a name="input_enable_kuberay_operator"></a> [enable\_kuberay\_operator](#input\_enable\_kuberay\_operator) | Enable KubeRay Operator add-on | `bool` | `false` | no |
 | <a name="input_enable_kubernetes_dashboard"></a> [enable\_kubernetes\_dashboard](#input\_enable\_kubernetes\_dashboard) | Enable Kubernetes Dashboard add-on | `bool` | `false` | no |
+| <a name="input_enable_kyverno"></a> [enable\_kyverno](#input\_enable\_kyverno) | Enable Kyverno add-on | `bool` | `false` | no |
+| <a name="input_enable_kyverno_policies"></a> [enable\_kyverno\_policies](#input\_enable\_kyverno\_policies) | Enable Kyverno policies | `bool` | `false` | no |
+| <a name="input_enable_kyverno_ui"></a> [enable\_kyverno\_ui](#input\_enable\_kyverno\_ui) | Enable Kyverno UI | `bool` | `false` | no |
 | <a name="input_enable_metrics_server"></a> [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enable metrics server add-on | `bool` | `false` | no |
 | <a name="input_enable_ondat"></a> [enable\_ondat](#input\_enable\_ondat) | Enable Ondat add-on | `bool` | `false` | no |
 | <a name="input_enable_opentelemetry_operator"></a> [enable\_opentelemetry\_operator](#input\_enable\_opentelemetry\_operator) | Enable opentelemetry operator add-on | `bool` | `false` | no |
@@ -224,6 +228,9 @@
 | <a name="input_kubecost_helm_config"></a> [kubecost\_helm\_config](#input\_kubecost\_helm\_config) | Kubecost Helm Chart config | `any` | `{}` | no |
 | <a name="input_kuberay_operator_helm_config"></a> [kuberay\_operator\_helm\_config](#input\_kuberay\_operator\_helm\_config) | KubeRay Operator Helm Chart config | `any` | `{}` | no |
 | <a name="input_kubernetes_dashboard_helm_config"></a> [kubernetes\_dashboard\_helm\_config](#input\_kubernetes\_dashboard\_helm\_config) | Kubernetes Dashboard Helm Chart config | `any` | `null` | no |
+| <a name="input_kyverno_helm_config"></a> [kyverno\_helm\_config](#input\_kyverno\_helm\_config) | Kyverno Helm Chart config | `any` | `{}` | no |
+| <a name="input_kyverno_policies_helm_config"></a> [kyverno\_policies\_helm\_config](#input\_kyverno\_policies\_helm\_config) | Kyverno policies Helm Chart config | `any` | `{}` | no |
+| <a name="input_kyverno_ui_helm_config"></a> [kyverno\_ui\_helm\_config](#input\_kyverno\_ui\_helm\_config) | Kyverno UI Helm Chart config | `any` | `{}` | no |
 | <a name="input_metrics_server_helm_config"></a> [metrics\_server\_helm\_config](#input\_metrics\_server\_helm\_config) | Metrics Server Helm Chart config | `any` | `{}` | no |
 | <a name="input_ondat_admin_password"></a> [ondat\_admin\_password](#input\_ondat\_admin\_password) | Password for Ondat admin user | `string` | `"storageos"` | no |
 | <a name="input_ondat_admin_username"></a> [ondat\_admin\_username](#input\_ondat\_admin\_username) | Username for Ondat admin user | `string` | `"storageos"` | no |

modules/kubernetes-addons/kyverno/README.md

@@ -0,0 +1,53 @@
+
+# Kyverno
+
+Kyverno is a policy engine that can help kubernetes clusters to enforce security and governance policies
+For more details checkout [kyverno](https://kyverno.io/)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kyverno_helm_addon"></a> [kyverno\_helm\_addon](#module\_kyverno\_helm\_addon) | ../helm-addon | n/a |
+| <a name="module_kyverno_policies_helm_addon"></a> [kyverno\_policies\_helm\_addon](#module\_kyverno\_policies\_helm\_addon) | ../helm-addon | n/a |
+| <a name="module_kyverno_ui_helm_addon"></a> [kyverno\_ui\_helm\_addon](#module\_kyverno\_ui\_helm\_addon) | ../helm-addon | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_namespace_v1.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>  })</pre> | n/a | yes |
+| <a name="input_enable_kyverno"></a> [enable\_kyverno](#input\_enable\_kyverno) | Enable Kyverno | `bool` | `false` | no |
+| <a name="input_enable_kyverno_policies"></a> [enable\_kyverno\_policies](#input\_enable\_kyverno\_policies) | Enable Kyverno policies | `bool` | `false` | no |
+| <a name="input_enable_kyverno_ui"></a> [enable\_kyverno\_ui](#input\_enable\_kyverno\_ui) | Enable Kyverno UI | `bool` | `false` | no |
+| <a name="input_kyverno_helm_config"></a> [kyverno\_helm\_config](#input\_kyverno\_helm\_config) | Helm provider config for the Kyverno | `any` | `{}` | no |
+| <a name="input_kyverno_policies_helm_config"></a> [kyverno\_policies\_helm\_config](#input\_kyverno\_policies\_helm\_config) | Helm provider config for the Kyverno baseline policies | `any` | `{}` | no |
+| <a name="input_kyverno_ui_helm_config"></a> [kyverno\_ui\_helm\_config](#input\_kyverno\_ui\_helm\_config) | Helm provider config for the Kyverno policy reporter UI | `any` | `{}` | no |
+| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_argocd_gitops_config"></a> [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/kubernetes-addons/kyverno/kyverno-policies-values.yaml

@@ -0,0 +1,17 @@
+# -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`).
+# For more info https://kyverno.io/policies/pod-security.
+podSecurityStandard: restricted
+
+# -- Pod Security Standard (`low`, `medium`, `high`).
+podSecuritySeverity: medium
+
+# -- Validation failure action (`audit`, `enforce`).
+# For more info https://kyverno.io/docs/writing-policies/validate.
+validationFailureAction: audit
+
+# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
+# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
+failurePolicy: Ignore
+
+# -- Policies background mode
+background: true

modules/kubernetes-addons/kyverno/kyverno-ui-values.yaml

@@ -0,0 +1,11 @@
+ui:
+  enabled: true
+
+kyvernoPlugin:
+  enabled: true
+
+global:
+  # available plugins
+  plugins:
+    # enable kyverno for Policy Reporter UI and monitoring
+    kyverno: true

modules/kubernetes-addons/kyverno/kyverno-values.yaml

@@ -0,0 +1,13 @@
+replicaCount: 3
+
+# -- Kyverno requires a certificate key pair and corresponding certificate authority
+# to properly register its webhooks. This can be done in one of 3 ways:
+# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred)
+# 2) Provide your own CA and cert.
+#    In this case, you will need to create a certificate with a specific name and data structure.
+#    As long as you follow the naming scheme, it will be automatically picked up.
+#    kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt)
+#    kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
+# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
+# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
+createSelfSignedCert: false

modules/kubernetes-addons/kyverno/locals.tf

@@ -0,0 +1,64 @@
+locals {
+  kyverno_chart_name              = "kyverno"
+  kyverno_policies_chart_name     = "kyverno-policies"
+  kyverno_ui_chart_name           = "policy-reporter"
+  namespace                       = "kyverno"
+  default_kyverno_values          = [templatefile("${path.module}/kyverno-values.yaml", {})]
+  default_kyverno_policies_values = [templatefile("${path.module}/kyverno-policies-values.yaml", {})]
+  default_kyverno_ui_values       = [templatefile("${path.module}/kyverno-ui-values.yaml", {})]
+
+  default_kyverno_controller_helm_config = {
+    name        = local.kyverno_chart_name
+    chart       = local.kyverno_chart_name
+    repository  = "https://kyverno.github.io/kyverno/"
+    version     = "v2.5.2"
+    namespace   = local.namespace
+    description = "Kyverno policy engine AddOn Helm Chart"
+    values      = local.default_kyverno_values
+    timeout     = "1200"
+  }
+
+  kyverno_helm_config = merge(
+    local.default_kyverno_controller_helm_config,
+    var.kyverno_helm_config
+  )
+
+
+  default_kyverno_policies_helm_config = {
+    name        = local.kyverno_policies_chart_name
+    chart       = local.kyverno_policies_chart_name
+    repository  = "https://kyverno.github.io/kyverno/"
+    version     = "v2.5.2"
+    namespace   = local.namespace
+    description = "Kyverno policies AddOn Helm Chart"
+    values      = local.default_kyverno_policies_values
+    timeout     = "1200"
+  }
+
+  kyverno_policies_helm_config = merge(
+    local.default_kyverno_policies_helm_config,
+    var.kyverno_policies_helm_config
+  )
+
+
+  default_kyverno_ui_helm_config = {
+    name        = local.kyverno_ui_chart_name
+    chart       = local.kyverno_ui_chart_name
+    repository  = "https://kyverno.github.io/policy-reporter"
+    version     = "2.11.0"
+    namespace   = local.namespace
+    description = "Kyverno UI AddOn Helm Chart"
+    values      = local.default_kyverno_ui_values
+    timeout     = "1200"
+  }
+
+  kyverno_ui_helm_config = merge(
+    local.default_kyverno_ui_helm_config,
+    var.kyverno_ui_helm_config
+  )
+
+
+  argocd_gitops_config = {
+    enable = true
+  }
+}

modules/kubernetes-addons/kyverno/main.tf

@@ -0,0 +1,35 @@
+resource "kubernetes_namespace_v1" "this" {
+  metadata {
+    name = local.kyverno_helm_config["namespace"]
+    labels = {
+      "app.kubernetes.io/managed-by" = "terraform-aws-eks-blueprints"
+    }
+  }
+}
+module "kyverno_helm_addon" {
+  count             = var.enable_kyverno ? 1 : 0
+  source            = "../helm-addon"
+  manage_via_gitops = var.manage_via_gitops
+  helm_config       = local.kyverno_helm_config
+  irsa_config       = null
+  addon_context     = var.addon_context
+  depends_on        = [kubernetes_namespace_v1.this]
+}
+module "kyverno_policies_helm_addon" {
+  count             = var.enable_kyverno_policies ? 1 : 0
+  source            = "../helm-addon"
+  manage_via_gitops = var.manage_via_gitops
+  helm_config       = local.kyverno_policies_helm_config
+  irsa_config       = null
+  addon_context     = var.addon_context
+  depends_on        = [kubernetes_namespace_v1.this, module.kyverno_helm_addon]
+}
+module "kyverno_ui_helm_addon" {
+  count             = var.enable_kyverno_ui ? 1 : 0
+  source            = "../helm-addon"
+  manage_via_gitops = var.manage_via_gitops
+  helm_config       = local.kyverno_ui_helm_config
+  irsa_config       = null
+  addon_context     = var.addon_context
+  depends_on        = [kubernetes_namespace_v1.this, module.kyverno_helm_addon, module.kyverno_policies_helm_addon]
+}

modules/kubernetes-addons/kyverno/outputs.tf

@@ -0,0 +1,4 @@
+output "argocd_gitops_config" {
+  description = "Configuration used for managing the add-on with ArgoCD"
+  value       = var.manage_via_gitops ? local.argocd_gitops_config : null
+}

modules/kubernetes-addons/kyverno/variables.tf

@@ -0,0 +1,49 @@
+variable "kyverno_helm_config" {
+  type        = any
+  description = "Helm provider config for the Kyverno"
+  default     = {}
+}
+variable "kyverno_policies_helm_config" {
+  type        = any
+  description = "Helm provider config for the Kyverno baseline policies"
+  default     = {}
+}
+variable "kyverno_ui_helm_config" {
+  type        = any
+  description = "Helm provider config for the Kyverno policy reporter UI"
+  default     = {}
+}
+variable "enable_kyverno" {
+  type        = bool
+  default     = false
+  description = "Enable Kyverno"
+}
+variable "enable_kyverno_policies" {
+  type        = bool
+  default     = false
+  description = "Enable Kyverno policies"
+}
+variable "enable_kyverno_ui" {
+  type        = bool
+  default     = false
+  description = "Enable Kyverno UI"
+}
+variable "manage_via_gitops" {
+  type        = bool
+  default     = false
+  description = "Determines if the add-on should be managed via GitOps."
+}
+variable "addon_context" {
+  type = object({
+    aws_caller_identity_account_id = string
+    aws_caller_identity_arn        = string
+    aws_eks_cluster_endpoint       = string
+    aws_partition_id               = string
+    aws_region_name                = string
+    eks_cluster_id                 = string
+    eks_oidc_issuer_url            = string
+    eks_oidc_provider_arn          = string
+    tags                           = map(string)
+  })
+  description = "Input configuration for the addon"
+}