From 0dc470a16d4928d97d4a2df5c03493384f1c5b8d Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 14 Feb 2026 14:26:46 -0500
Subject: [PATCH 1/3] Add sync-secrets policy
---
 charts/kyverno-policies/Chart.yaml | 2 +-
 .../templates/sync-secrets.yaml | 24 +++++++++++
 .../sync-secrets/kyverno-test.yaml | 42 +++++++++++++++++++
 .../sync-secrets/resources.yaml | 12 ++++++
 .../kyverno-policies/sync-secrets/values.yaml | 9 ++++
 .../sync-secrets/webservices-read-gen.yaml | 8 ++++
 .../sync-secrets/webservices-read.yaml | 8 ++++
 7 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 charts/kyverno-policies/templates/sync-secrets.yaml
 create mode 100644 tests/kyverno-policies/sync-secrets/kyverno-test.yaml
 create mode 100644 tests/kyverno-policies/sync-secrets/resources.yaml
 create mode 100644 tests/kyverno-policies/sync-secrets/values.yaml
 create mode 100644 tests/kyverno-policies/sync-secrets/webservices-read-gen.yaml
 create mode 100644 tests/kyverno-policies/sync-secrets/webservices-read.yaml
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index ea0e0c97..c97610a7 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kyverno-policies
 description: OSC Kyverno policies deployment
 type: application
-version: 0.38.0
+version: 0.39.0
 appVersion: "v1.14.5"
 maintainers:
 - name: treydock
diff --git a/charts/kyverno-policies/templates/sync-secrets.yaml b/charts/kyverno-policies/templates/sync-secrets.yaml
new file mode 100644
index 00000000..a6324781
--- /dev/null
+++ b/charts/kyverno-policies/templates/sync-secrets.yaml
@@ -0,0 +1,24 @@
+# https://github.com/kyverno/policies/blob/main/other/sync-secrets/sync-secrets.yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-secrets
+spec:
+ rules:
+ - name: sync-image-pull-secret
+ match:
+ resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ sync-secret: '*'
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{`{{ request.object.metadata.labels."sync-secret" }}`}}-gen'
+ namespace: "{{`{{request.object.metadata.name}}`}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: '{{`{{ request.object.metadata.labels."sync-secret" }}`}}'
diff --git a/tests/kyverno-policies/sync-secrets/kyverno-test.yaml b/tests/kyverno-policies/sync-secrets/kyverno-test.yaml
new file mode 100644
index 00000000..65f877d1
--- /dev/null
+++ b/tests/kyverno-policies/sync-secrets/kyverno-test.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: sync-secrets
+policies:
+ - policy.yaml
+resources:
+ - resources.yaml
+variables: values.yaml
+results:
+ - policy: sync-secrets
+ rule: sync-image-pull-secret
+ resources:
+ - webservice
+ generatedResource: webservices-read-gen.yaml
+ cloneSourceResource: webservices-read.yaml
+ kind: Namespace
+ result: pass
+# Not working
+# https://github.com/kyverno/kyverno/issues/8942
+# - policy: sync-secrets
+# rule: sync-image-pull-secret
+# resources:
+# - paas
+# cloneSourceResource: webservices-read.yaml
+# kind: Namespace
+# result: skip
+#checks:
+#- match:
+# resource:
+# kind: Namespace
+# metadata:
+# name: paas
+# policy:
+# kind: ClusterPolicy
+# metadata:
+# name: sync-secret
+# rule:
+# name: sync-image-pull-secret
+# error:
+# (status != 'pass'): true
diff --git a/tests/kyverno-policies/sync-secrets/resources.yaml b/tests/kyverno-policies/sync-secrets/resources.yaml
new file mode 100644
index 00000000..64450044
--- /dev/null
+++ b/tests/kyverno-policies/sync-secrets/resources.yaml
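Review bot: The clone source on the last line of the rule is taken verbatim from the `sync-secret` label, so any principal allowed to create or label a Namespace can have the background controller copy any Secret that exists in `default` into a namespace they control; nothing in the rule restricts which source names are acceptable. A dedicated source namespace instead of `default`, or `cloneList` with a `selector` so only Secrets explicitly labelled as shareable are eligible, narrows that, and a validate rule on the label value can pin the allowed set if it is small. Whichever is chosen, the header comment should state the trust assumption, e.g. `# Any Secret in the clone namespace becomes readable by whoever can set the sync-secret label on a Namespace`. `match.resources` is the older match form; upstream now documents `match.any`/`match.all`, so converting while the policy is new avoids a later migration.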
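Review bot: The commented-out `checks` block names the policy `sync-secret` (`# name: sync-secret`) while the policy under test is `sync-secrets`, so if it is re-enabled once the linked issue is resolved the match would silently select nothing rather than assert the skip for `paas`; change it to `# name: sync-secrets` now so the mismatch does not outlive the workaround. As written the test only pins the positive path: the unlabelled `paas` namespace is present in resources.yaml but nothing asserts that no Secret is generated for it, which is the case that matters for the policy's safety. A one-line comment above `# Not working` saying what the skipped check was meant to prove would help whoever re-enables it.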
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: webservice
+ labels:
+ sync-secret: webservices-read
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: paas
diff --git a/tests/kyverno-policies/sync-secrets/values.yaml b/tests/kyverno-policies/sync-secrets/values.yaml
new file mode 100644
index 00000000..1db6437a
--- /dev/null
+++ b/tests/kyverno-policies/sync-secrets/values.yaml
@@ -0,0 +1,9 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
+namespaceSelector:
+ - name: webservice
+ labels:
+ sync-secret: webservices-read
+ - name: paas
diff --git a/tests/kyverno-policies/sync-secrets/webservices-read-gen.yaml b/tests/kyverno-policies/sync-secrets/webservices-read-gen.yaml
new file mode 100644
index 00000000..b372c54b
--- /dev/null
+++ b/tests/kyverno-policies/sync-secrets/webservices-read-gen.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: webservices-read-gen
+ namespace: webservice
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: supersecret
diff --git a/tests/kyverno-policies/sync-secrets/webservices-read.yaml b/tests/kyverno-policies/sync-secrets/webservices-read.yaml
new file mode 100644
index 00000000..31ab7610
--- /dev/null
+++ b/tests/kyverno-policies/sync-secrets/webservices-read.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: webservices-read
+ namespace: default
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: supersecret
From bfb23d424c70126116768a50d49ff636dc16a68b Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Mon, 30 Mar 2026 16:21:42 -0400
Subject: [PATCH 2/3] Update docs
---
 charts/kyverno-policies/README.md | 8 +++++++-
 charts/kyverno-policies/README.md.gotmpl | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 3e45585b..4570608f 100644
--- a/charts/kyverno-policies/README.md
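Review bot: `.dockerconfigjson: supersecret` under `data:` in webservices-read-gen.yaml is not valid base64, so while the Kyverno CLI only compares the fixture structurally, applying it to a cluster would be rejected by the API server; webservices-read.yaml carries the same value. Using `stringData:` with an obviously fake placeholder, or a base64-encoded placeholder under `data:`, keeps both fixtures valid in either context and makes it clear to a reader that no real credential is meant to live here.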
+++ b/charts/kyverno-policies/README.md @@ -1,6 +1,6 @@ # kyverno-policies -![Version: 0.38.0](https://img.shields.io/badge/Version-0.38.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.14.5](https://img.shields.io/badge/AppVersion-v1.14.5-informational?style=flat-square) +![Version: 0.39.0](https://img.shields.io/badge/Version-0.39.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.14.5](https://img.shields.io/badge/AppVersion-v1.14.5-informational?style=flat-square) OSC Kyverno policies deployment @@ -299,6 +299,12 @@ OSC Kyverno policies deployment * Validates that namespaces have a service account label set when they have the paas role * Applies to: Namespace with paas role +#### Generate policies + +* [sync-secrets](./templates/sync-secrets.yaml) + * Generate new secret by cloning the secret in `sync-secret` namespace label + * Applies to: Namespace with `sync-secret` label + ### KeycloakClient policies #### Validating policies diff --git a/charts/kyverno-policies/README.md.gotmpl b/charts/kyverno-policies/README.md.gotmpl index 89f7f35d..13b79544 100644 --- a/charts/kyverno-policies/README.md.gotmpl +++ b/charts/kyverno-policies/README.md.gotmpl @@ -295,6 +295,12 @@ * Validates that namespaces have a service account label set when they have the paas role * Applies to: Namespace with paas role +#### Generate policies + +* [sync-secrets](./templates/sync-secrets.yaml) + * Generate new secret by cloning the secret in `sync-secret` namespace label + * Applies to: Namespace with `sync-secret` label + ### KeycloakClient policies #### Validating policies From 3bf946cb335b63eb16445bcd09ce47180a7d1c2d Mon Sep 17 00:00:00 2001 
From: Trey Dockendorf
Date: Mon, 30 Mar 2026 18:23:30 -0400
Subject: [PATCH 3/3] Fix Kyverno permissions
---
 .github/config/kyverno-values.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/config/kyverno-values.yaml b/.github/config/kyverno-values.yaml
index 9fb28a14..7eae5754 100644
--- a/.github/config/kyverno-values.yaml
+++ b/.github/config/kyverno-values.yaml
@@ -11,6 +11,19 @@ admissionController:
 loggingFormat: text
 exceptionNamespace: kyverno
 webhookTimeout: 30
+ rbac:
+ clusterRole:
+ extraResources:
+ - apiGroups: ['']
+ resources: ['secrets']
+ verbs: ['get', 'list']
+backgroundController:
+ rbac:
+ clusterRole:
+ extraResources:
+ - apiGroups: ['']
+ resources: ['secrets']
+ verbs: ['get', 'list', 'create', 'update', 'delete']
 config:
 resourceFiltersIncludeNamespaces:
 - local-path-storage
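Review bot: The new `extraResources` entries grant the background controller get/list/create/update/delete on every Secret in the cluster and the admission controller get/list on the same, with nothing tying the grant to the policy that needs it; add a comment above each block, e.g. `# Required by the sync-secrets ClusterPolicy: clones Secrets from the default namespace into labelled namespaces`, so the scope is not widened later without revisiting that policy. Because these land in a ClusterRole they apply cluster-wide, which makes the policy's label-driven clone source, not RBAC, the effective control on which Secrets can be read through this path; that is worth stating in the same comment. `synchronize: true` in that policy relies on the controller noticing changes to the source Secret, and if that is informer-based the `watch` verb is also needed but absent here, so confirm against the RBAC requirements for the deployed Kyverno version before depending on synchronization. The `admissionController` mapping this hunk extends begins above the hunk.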