kube_policies
Stable
Direct

Panfactum Policies for Kyverno

This module installs a handful of default Kyverno policies that enable better and more production-hardened defaults in the Kubernetes cluster.

kube_kyverno must be installed in order for this module to work.

Priority Classes

This module also creates the following priority classes in addition to the ones Kubernetes provides by default:

  • database (10000000): Used for running stateful pods

  • default (0): The global default priority class

  • cluster-important (100000000): Used for controllers that provide ancillary (but not critical) cluster functionality

Additionally, you can set up arbitrary additional priority classes as needed via the extra_priority_classes input.
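As an added illustration (not the module's own code; the manifest shape and the "name=value" form of the extras are assumptions), the following shell script renders the PriorityClass objects described above plus any extras, and rejects values above the 1,000,000,000 ceiling Kubernetes reserves for its own system classes, which is the failure you would otherwise only see at apply time:

```shell
#!/bin/sh
# Added example, not part of the Panfactum kube_policies module.
# Renders PriorityClass manifests for the defaults listed on the page and for
# extra "name=value" pairs (standing in for the extra_priority_classes input).

# Default classes and values from the module documentation.
DEFAULT_PRIORITY_CLASSES='database=10000000
default=0
cluster-important=100000000'

# User-defined PriorityClass values must be <= 1e9; larger values are reserved
# for the built-in system classes and are rejected by the API server.
MAX_USER_PRIORITY=1000000000

# render_priority_class NAME VALUE
# Prints one PriorityClass manifest; returns 1 if VALUE is not a valid priority.
render_priority_class() {
  name=$1
  value=$2
  # Accept an optional leading minus followed by digits only.
  case ${value#-} in
    ''|*[!0-9]*)
      echo "priority class $name: value '$value' is not an integer" >&2
      return 1 ;;
  esac
  if [ "$value" -gt "$MAX_USER_PRIORITY" ]; then
    echo "priority class $name: value $value exceeds $MAX_USER_PRIORITY" >&2
    return 1
  fi
  # The page states that "default" is the cluster-wide default class.
  if [ "$name" = default ]; then
    global_default=true
  else
    global_default=false
  fi
  cat <<EOF
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: $name
value: $value
globalDefault: $global_default
---
EOF
}

# render_priority_classes [EXTRA=VALUE ...]
# Renders the defaults followed by any extras; stops at the first invalid entry.
render_priority_classes() {
  printf '%s\n' "$DEFAULT_PRIORITY_CLASSES" "$@" | while IFS== read -r name value; do
    [ -n "$name" ] || continue
    render_priority_class "$name" "$value" || return 1
  done
}

# count_priority_classes [EXTRA=VALUE ...]
# Number of manifests rendered, handy for a quick sanity check.
count_priority_classes() {
  render_priority_classes "$@" | grep -c '^kind: PriorityClass'
}
```

Piping the output of render_priority_classes into kubectl apply -f - would create the classes; the value check is the part worth keeping in any wrapper around the extra_priority_classes input, since an out-of-range value fails only at apply time.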

Maintainer Notes

resources.txt is generated by running

kubectl api-resources --no-headers | awk '{
  # Columns: NAME [SHORTNAMES] APIVERSION NAMESPACED KIND.
  # The SHORTNAMES column is blank for some resources, so those rows
  # have only four fields and the remaining columns shift left by one.
  name = $1;
  if (NF == 4) {
    shortname = "none";
    apiGroup = $2;
    namespaced = $3;
    kind = $4;
    t = "1";
  } else {
    shortname = $2;
    apiGroup = $3;
    namespaced = $4;
    kind = $5;
    t = "0";
  }
  # Only the name and API version are needed downstream; the second awk
  # joins the names belonging to each API version into one comma-separated line.
  print name " " apiGroup;
}' | awk '{ arr[$2] = arr[$2] ? arr[$2] "," $1 : $1 } END { for (i in arr) print arr[i], i }'

against a Kubernetes cluster with all the stack resources deployed.

This is required because the restricted-reader role must enumerate permissions for every resource explicitly in order to exclude Secret resources.
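To make the pipeline above and its purpose concrete, here is an added example (not part of the module) that runs the same grouping logic over a constructed sample of kubectl api-resources --no-headers output, then derives the resource list a read-only role would be built from by dropping secrets from every API version. The sample rows and the helper names are constructed for this example:

```shell
#!/bin/sh
# Added example, not part of the Panfactum kube_policies module.
# Reproduces the resources.txt grouping from the Maintainer Notes on sample
# data and shows how "secrets" is removed for a restricted-reader role.

# Constructed sample of `kubectl api-resources --no-headers` output.
# Columns: NAME [SHORTNAMES] APIVERSION NAMESPACED KIND. SHORTNAMES is blank
# for bindings and secrets, so those rows have four fields instead of five.
SAMPLE_API_RESOURCES='bindings                      v1              true   Binding
configmaps        cm          v1              true   ConfigMap
secrets                       v1              true   Secret
deployments       deploy      apps/v1         true   Deployment
cronjobs          cj          batch/v1        true   CronJob
policies          pol         kyverno.io/v1   true   Policy'

# Same grouping as the maintainer pipeline: emit "name apiVersion" per row,
# then join the names of each apiVersion with commas. awk iterates its array
# in hash order, so the result is sorted to make it deterministic.
group_resources() {
  awk '{
    name = $1;
    if (NF == 4) { apiGroup = $2 } else { apiGroup = $3 }
    print name " " apiGroup;
  }' | awk '{ arr[$2] = arr[$2] ? arr[$2] "," $1 : $1 } END { for (i in arr) print arr[i], i }' | sort
}

# exclude_resource NAME
# Removes NAME from the comma-separated list on every line, dropping a line
# entirely if nothing remains. This is the step that keeps Secret objects out
# of a role that is otherwise granted read access to everything.
exclude_resource() {
  awk -v drop="$1" '{
    n = split($1, parts, ",");
    out = "";
    for (i = 1; i <= n; i++) {
      if (parts[i] != drop) out = out (out == "" ? "" : ",") parts[i];
    }
    if (out != "") print out, $2;
  }'
}

# Grouped list for the sample, i.e. what resources.txt would contain.
sample_grouped() {
  printf '%s\n' "$SAMPLE_API_RESOURCES" | group_resources
}

# Same list with secrets removed, i.e. the restricted-reader input.
sample_restricted_reader() {
  sample_grouped | exclude_resource secrets
}

# contains_resource NAME
# Returns 0 if NAME still appears in the restricted-reader list, 1 otherwise.
# Useful as a CI guard before committing a regenerated resources.txt.
contains_resource() {
  sample_restricted_reader | awk -v want="$1" '{
    n = split($1, p, ",");
    for (i = 1; i <= n; i++) if (p[i] == want) found = 1;
  } END { exit found ? 0 : 1 }'
}
```

Against a real cluster the first function is fed by kubectl api-resources --no-headers instead of the sample; the contains_resource guard is the check worth running every time the file is regenerated, since a regenerated list that still carries secrets would silently widen the role.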

Providers

The following providers are needed by this module:

  • aws (5.80.0)

  • kubectl (2.1.3)

  • kubernetes (2.34.0)

  • pf (0.0.7)

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

common_env

Description: Key-value pairs that will be injected into all containers in all pods in the cluster as environment variables

Type: map(string)

Default: {}

common_secrets

Description: Key-value pairs that will be injected into all containers in all pods in the cluster as environment variables (but stored in a Secret resource)

Type: map(string)

Default: {}

default_arm64_toleration_enabled

Description: Whether pods should tolerate arm64 nodes by default

Type: bool

Default: true

default_burstable_toleration_enabled

Description: Whether pods should tolerate burstable nodes by default

Type: bool

Default: false

default_controller_toleration_enabled

Description: Whether pods should tolerate controller (EKS) nodes by default

Type: bool

Default: false

default_spot_toleration_enabled

Description: Whether pods should tolerate spot nodes by default

Type: bool

Default: true

environment_variable_injection_enabled

Description: Whether a standard set of environment variables should be injected into each container

Type: bool

Default: true

extra_priority_classes

Description: A mapping of extra priority class names to their values

Type: map(number)

Default: {}

panfactum_node_image_cache_enabled

Description: Whether support for the node-local image cache should be enabled

Type: bool

Default: true

panfactum_scheduler_enabled

Description: Whether pods should be automatically updated to use the Panfactum bin-packing scheduler.

Type: bool

Default: false

pull_through_cache_enabled

Description: Whether pods should have their images replaced with image references of the ECR pull-through cache.

Type: bool

Default: true

Outputs

No outputs.

Usage

No notes
