Panfactum Policies for Kyverno
This module installs a handful of default Kyverno policies that enable better and more production-hardened defaults in the Kubernetes cluster.
kube_kyverno must be installed in order for this module to work.
Priority Classes
This module also sets up the following priority classes in addition to the default ones provided by Kubernetes:
- database (10000000): Used for running stateful pods
- default (0): The global default priority class
- cluster-important (100000000): Used for controllers that provide ancillary (but not critical) cluster functionality
Additionally, you can set up arbitrary additional priority classes as needed via the extra_priority_classes input.
Maintainer Notes
resources.txt
is generated by running
kubectl api-resources --no-headers | awk '{
  # Columns: NAME [SHORTNAMES] APIVERSION NAMESPACED KIND.
  # A row with no short names has only four fields, so the column offsets shift.
  name = $1;
  if (NF == 4) {
    shortname = "none";
    apiGroup = $2;
    namespaced = $3;
    kind = $4;
    t = "1";
  } else {
    shortname = $2;
    apiGroup = $3;
    namespaced = $4;
    kind = $5;
    t = "0";
  }
  # Only the name and API group are passed downstream; the other fields are parsed but unused.
  print name " " apiGroup;
}' | awk '{ arr[$2] = arr[$2] ? arr[$2] "," $1 : $1 } END { for (i in arr) print arr[i], i }'
against a Kubernetes cluster with all the stack resources deployed.
This is required because we must explicitly enumerate permissions for all resources in order to exclude Secret resources from the restricted-reader role.
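As an added example (not code from the Panfactum module), the following Python script shows why that enumeration matters: it parses a constructed sample of kubectl api-resources output the same way the awk pipeline does, then builds read-only ClusterRole rules that list every resource except Secrets, since Kubernetes RBAC is allow-only and has no way to deny a single resource. It assumes the current column layout (NAME [SHORTNAMES] APIVERSION NAMESPACED KIND) and strips the version from APIVERSION to obtain the RBAC apiGroup, whereas the awk pipeline keys on the raw column.

```python
"""Added example (not part of the Panfactum module): derive restricted-reader
ClusterRole rules from `kubectl api-resources --no-headers` output, grouping
resources per API group and leaving Secrets out entirely."""

# Constructed sample of `kubectl api-resources --no-headers` output.
# Columns: NAME [SHORTNAMES] APIVERSION NAMESPACED KIND; SHORTNAMES may be absent.
SAMPLE = """\
configmaps                 cm     v1                   true   ConfigMap
secrets                           v1                   true   Secret
pods                       po     v1                   true   Pod
deployments                deploy apps/v1              true   Deployment
clusterpolicies            cpol   kyverno.io/v1        false  ClusterPolicy
"""

# (apiGroup, resource) pairs the restricted reader must never be able to read.
EXCLUDED = {("", "secrets")}


def group_by_api_group(api_resources_text):
    """Return {apiGroup: [resource names]} in first-seen order; the core group is ""."""
    groups = {}
    for line in api_resources_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # A row without SHORTNAMES has 4 fields, otherwise 5 (same branch as the awk script).
        api_version = fields[1] if len(fields) == 4 else fields[2]
        # APIVERSION is "group/version" for named groups and a bare "v1" for the core group.
        api_group = api_version.rsplit("/", 1)[0] if "/" in api_version else ""
        groups.setdefault(api_group, []).append(fields[0])
    return groups


def restricted_reader_rules(api_resources_text, excluded=EXCLUDED):
    """Build ClusterRole rules granting read verbs on every enumerated resource except the excluded ones."""
    rules = []
    for api_group, names in group_by_api_group(api_resources_text).items():
        allowed = [n for n in names if (api_group, n) not in excluded]
        if allowed:  # a group whose only resource is excluded gets no rule at all
            rules.append({"apiGroups": [api_group], "resources": allowed,
                          "verbs": ["get", "list", "watch"]})
    return rules


if __name__ == "__main__":
    for rule in restricted_reader_rules(SAMPLE):
        print(rule)
```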
Providers
The following providers are needed by this module:
- aws (5.80.0)
- kubectl (2.1.3)
- kubernetes (2.34.0)
- pf (0.0.7)
Required Inputs
No required inputs.
Optional Inputs
The following input variables are optional (have default values):
common_env
Description: Key-value pairs that will be injected into all containers in all pods in the cluster as environment variables
Type: map(string)
Default: {}
common_secrets
Description: Key-value pairs that will be injected into all containers in all pods in the cluster as environment variables (but stored in a Secret resource)
Type: map(string)
Default: {}
default_arm64_toleration_enabled
Description: Whether pods should tolerate arm64 nodes by default
Type: bool
Default: true
default_burstable_toleration_enabled
Description: Whether pods should tolerate burstable nodes by default
Type: bool
Default: false
default_controller_toleration_enabled
Description: Whether pods should tolerate controller (EKS) nodes by default
Type: bool
Default: false
default_spot_toleration_enabled
Description: Whether pods should tolerate spot nodes by default
Type: bool
Default: true
environment_variable_injection_enabled
Description: Whether a standard set of environment variables should be injected into each container
Type: bool
Default: true
extra_priority_classes
Description: A mapping of extra priority class names to their values
Type: map(number)
Default: {}
panfactum_node_image_cache_enabled
Description: Whether support for the node-local image cache should be enabled
Type: bool
Default: true
panfactum_scheduler_enabled
Description: Whether pods should be automatically updated to use the Panfactum bin-packing scheduler
Type: bool
Default: false
pull_through_cache_enabled
Description: Whether pods should have their images replaced with image references of the ECR pull-through cache
Type: bool
Default: true
Outputs
No outputs.
Usage
No notes