kube_policies
Stable
Direct

Panfactum Policies for Kyverno

This module installs a handful of default Kyverno policies that enable better and more production-hardened defaults in the Kubernetes cluster.

kube_kyverno must be installed in order for this module to work.

Providers

The following providers are needed by this module:

  • aws (5.70.0)

  • kubectl (2.0.4)

  • kubernetes (2.27.0)

  • pf (0.0.3)

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

default_arm64_toleration_enabled

Description: Whether pods should tolerate arm64 nodes by default

Type: bool

Default: true

default_burstable_toleration_enabled

Description: Whether pods should tolerate burstable nodes by default

Type: bool

Default: false

default_controller_toleration_enabled

Description: Whether pods should tolerate controller (EKS) nodes by default

Type: bool

Default: false

default_spot_toleration_enabled

Description: Whether pods should tolerate spot nodes by default

Type: bool

Default: true

environment_variable_injection_enabled

Description: Whether a standard set of environment variables should be injected into each container

Type: bool

Default: true

panfactum_node_image_cache_enabled

Description: Whether support for the node-local image cache should be enabled

Type: bool

Default: true

panfactum_scheduler_enabled

Description: Whether pods should be automatically updated to use the Panfactum bin-packing scheduler.

Type: bool

Default: false

pull_through_cache_enabled

Description: Whether pods should have their images replaced with image references of the ECR pull-through cache.

Type: bool

Default: true

Outputs

No outputs.

Usage

No notes

Maintainers

resources.txt is generated by running

kubectl api-resources --no-headers | awk '{
  # Columns are NAME [SHORTNAMES] APIVERSION NAMESPACED KIND. SHORTNAMES is
  # omitted for resources that have none, so the field count decides the layout.
  name = $1;
  if (NF == 4) {
    shortname = "none";
    apiGroup = $2;
    namespaced = $3;
    kind = $4;
    t = "1";
  } else {
    shortname = $2;
    apiGroup = $3;
    namespaced = $4;
    kind = $5;
    t = "0";
  }
  print name " " apiGroup;
}' | awk '
  # Group the resource names by API version: one output line per version,
  # "<name1>,<name2>,... <apiVersion>".
  { arr[$2] = arr[$2] ? arr[$2] "," $1 : $1 }
  END { for (i in arr) print arr[i], i }'

against a Kubernetes cluster with all the stack resources deployed.

This is required because Kubernetes RBAC is allow-only: to exclude Secret resources from the restricted-reader role, we must explicitly enumerate permissions for every other resource.
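As an added example (not part of the Panfactum module or of this page), the following POSIX shell script shows why that enumeration is needed: RBAC has no deny rules, so a read-only role that must not see Secrets can only be expressed by listing every other resource. It reads a constructed sample in the resources.txt format produced by the command above (comma-separated resource names followed by the API version), drops the denied resources, and emits the rules entries for a ClusterRole. The sample resource list, the function names and the deny list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Panfactum's code. Input format matches the resources.txt
# generation command above: "<name1>,<name2>,... <apiVersion>" per line.
# This sample list is constructed for the example; a real file is much longer.
SAMPLE_RESOURCES='configmaps,pods,secrets,serviceaccounts v1
deployments,replicasets apps/v1
clusterrolebindings,clusterroles,rolebindings,roles rbac.authorization.k8s.io/v1'

# Map an apiVersion to the RBAC apiGroup: "v1" -> "" (core), "apps/v1" -> "apps".
api_group_of() {
  case "$1" in
    */*) printf '%s\n' "${1%/*}" ;;
    *)   printf '\n' ;;
  esac
}

# Print the resource names of one line as a quoted YAML list body, minus any
# name in the comma-separated deny list ($2). Prints nothing if all are denied.
keep_resources() {
  printf '%s\n' "$1" | tr ',' '\n' | awk -v deny="$2" '
    BEGIN { n = split(deny, d, ","); for (i = 1; i <= n; i++) drop[d[i]] = 1 }
    !($0 in drop) { out = out (out == "" ? "" : ", ") "\"" $0 "\"" }
    END { print out }'
}

# Emit read-only ClusterRole rules for every resource except those in the deny
# list. RBAC is allow-only, so "everything except secrets" must be spelled out
# as the full list of allowed resources, which is why resources.txt exists.
reader_rules() {
  printf '%s\n' "$1" | while read -r names apiversion; do
    [ -n "$names" ] || continue
    kept=$(keep_resources "$names" "$2")
    [ -n "$kept" ] || continue
    printf '%s\n' \
      "- apiGroups: [\"$(api_group_of "$apiversion")\"]" \
      "  resources: [$kept]" \
      "  verbs: [\"get\", \"list\", \"watch\"]"
  done
}

# Usage: generate the rules with secrets excluded. For the sample the core-group
# rule becomes: resources: ["configmaps", "pods", "serviceaccounts"]
reader_rules "$SAMPLE_RESOURCES" "secrets"
```

Because the generation command's second awk stage iterates a hash (for (i in arr)), the order of lines in resources.txt is arbitrary; the script above preserves whatever order it is given, so diffs of the generated rules are only meaningful after sorting.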