Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

order

Browse Source
This commit is contained in:
Danijel Simeunovic
2026-03-13 13:24:09 +01:00
parent 2e3232ecb9
commit 61f623e3c7
1 changed files with 39 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
cluster-resources/policies/auth-sidecar-injector.yaml
View File

@@ -10,18 +10,47 @@ metadata:
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Injects an auth sidecar container into Pods annotated with
policies.forteapps.io/auth: "true". The sidecar proxies requests through
a token-based auth layer and a NetworkPolicy is generated to restrict
ingress to the sidecar port only. If the auth-tokens Secret does not
exist in the namespace, an empty one is created to prevent volume mount
failures. Upstream URL and image can be overridden via
policies.forteapps.io/auth-upstream-url and
policies.forteapps.io/auth-image annotations. When auth-upstream-url is
not set, the first containerPort of the first existing container is used.
Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". The sidecar proxies requests through a token-based auth layer and a NetworkPolicy is generated to restrict ingress to the sidecar port only. If the auth-tokens Secret does not exist in the namespace, an empty one is created to prevent volume mount failures. Upstream URL and image can be overridden via policies.forteapps.io/auth-upstream-url and policies.forteapps.io/auth-image annotations. When auth-upstream-url is not set, the first containerPort of the first existing container is used.
spec:
background: false
rules:
- name: generate-auth-tokens-secret
skipBackgroundRequests: true
match:
any:
- resources:
kinds:
- Pod
annotations:
policies.forteapps.io/auth: "true"
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
- argocd
- cert-manager
- monitoring
preconditions:
all:
- key: "{{ request.operation }}"
operator: In
value:
- CREATE
generate:
synchronize: false
apiVersion: v1
kind: Secret
name: auth-tokens
namespace: "{{ request.namespace }}"
data:
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
app.kubernetes.io/created-by: inject-auth-sidecar
type: Opaque
data: {}
- name: inject-sidecar
skipBackgroundRequests: true
match:
@@ -97,43 +126,6 @@ spec:
secret:
secretName: auth-tokens
optional: true
- name: generate-auth-tokens-secret
skipBackgroundRequests: true
match:
any:
- resources:
kinds:
- Pod
annotations:
policies.forteapps.io/auth: "true"
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
- argocd
- cert-manager
- monitoring
preconditions:
all:
- key: "{{ request.operation }}"
operator: In
value:
- CREATE
generate:
synchronize: false
apiVersion: v1
kind: Secret
name: auth-tokens
namespace: "{{ request.namespace }}"
data:
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
app.kubernetes.io/created-by: inject-auth-sidecar
type: Opaque
data: {}
- name: generate-auth-network-policy
skipBackgroundRequests: true
match:
@@ -171,8 +163,7 @@ spec:
app.kubernetes.io/created-by: inject-auth-sidecar
spec:
podSelector:
matchLabels:
"{{ request.object.metadata.labels }}"
matchLabels: "{{ request.object.metadata.labels }}"
policyTypes:
- Ingress
ingress: