From 61f623e3c75f8a6fd88640211a87ae25c47ce2b9 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Fri, 13 Mar 2026 13:24:09 +0100
Subject: [PATCH] order
---
 .../policies/auth-sidecar-injector.yaml | 87 +++++++++----------
 1 file changed, 39 insertions(+), 48 deletions(-)
diff --git a/cluster-resources/policies/auth-sidecar-injector.yaml b/cluster-resources/policies/auth-sidecar-injector.yaml
index 5f22787..594a871 100644
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -10,18 +10,47 @@ metadata:
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
- Injects an auth sidecar container into Pods annotated with
- policies.forteapps.io/auth: "true". The sidecar proxies requests through
- a token-based auth layer and a NetworkPolicy is generated to restrict
- ingress to the sidecar port only. If the auth-tokens Secret does not
- exist in the namespace, an empty one is created to prevent volume mount
- failures. Upstream URL and image can be overridden via
- policies.forteapps.io/auth-upstream-url and
- policies.forteapps.io/auth-image annotations. When auth-upstream-url is
- not set, the first containerPort of the first existing container is used.
+ Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". The sidecar proxies requests through a token-based auth layer and a NetworkPolicy is generated to restrict ingress to the sidecar port only. If the auth-tokens Secret does not exist in the namespace, an empty one is created to prevent volume mount failures. Upstream URL and image can be overridden via policies.forteapps.io/auth-upstream-url and policies.forteapps.io/auth-image annotations. When auth-upstream-url is not set, the first containerPort of the first existing container is used.
spec:
 background: false
 rules:
+ - name: generate-auth-tokens-secret
+ skipBackgroundRequests: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ annotations:
+ policies.forteapps.io/auth: "true"
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kyverno
+ - argocd
+ - cert-manager
+ - monitoring
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: In
+ value:
+ - CREATE
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: Secret
+ name: auth-tokens
+ namespace: "{{ request.namespace }}"
+ data:
+ metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ app.kubernetes.io/created-by: inject-auth-sidecar
+ type: Opaque
+ data: {}
 - name: inject-sidecar
 skipBackgroundRequests: true
 match:
@@ -97,43 +126,6 @@ spec:
 secret:
 secretName: auth-tokens
 optional: true
- - name: generate-auth-tokens-secret
- skipBackgroundRequests: true
- match:
- any:
- - resources:
- kinds:
- - Pod
- annotations:
- policies.forteapps.io/auth: "true"
- exclude:
- any:
- - resources:
- namespaces:
- - kube-system
- - kyverno
- - argocd
- - cert-manager
- - monitoring
- preconditions:
- all:
- - key: "{{ request.operation }}"
- operator: In
- value:
- - CREATE
- generate:
- synchronize: false
- apiVersion: v1
- kind: Secret
- name: auth-tokens
- namespace: "{{ request.namespace }}"
- data:
- metadata:
- labels:
- app.kubernetes.io/managed-by: kyverno
- app.kubernetes.io/created-by: inject-auth-sidecar
- type: Opaque
- data: {}
 - name: generate-auth-network-policy
 skipBackgroundRequests: true
 match:
@@ -171,8 +163,7 @@ spec:
 app.kubernetes.io/created-by: inject-auth-sidecar
 spec:
 podSelector:
- matchLabels:
- "{{ request.object.metadata.labels }}"
+ matchLabels: "{{ request.object.metadata.labels }}"
 policyTypes:
 - Ingress
 ingress:
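Review bot: Moving generate-auth-tokens-secret ahead of inject-sidecar does not, as far as I know, make the Secret exist before the Pod reaches its volume mount: Kyverno reconciles generate rules after admission rather than in list order, so the `optional: true` on the auth-tokens volume (visible as context in the second hunk) remains the actual guard against mount failures. If the reorder is meant to document intent rather than enforce ordering, say so above the rule, e.g. `# Listed first for readability only; Secret generation is asynchronous and inject-sidecar does not wait for it.` Separately, the description was collapsed onto a single very long line under `>-`; a folded scalar yields the same annotation value either way, so the original 80-column wrapping should be kept for yamllint line-length. The hunk ends partway through the inject-sidecar rule, whose body is outside it.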
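Review bot: `matchLabels: "{{ request.object.metadata.labels }}"` copies every label of the admitted Pod into the NetworkPolicy's podSelector, and for a Pod that carries no labels the expression presumably resolves to an empty value, which as an empty podSelector selects every Pod in the namespace and would apply the sidecar-port ingress restriction namespace-wide. The one-line form is equivalent to the two-line plain scalar it replaces, so this is pre-existing rather than introduced here, but no guard is visible; unless a precondition outside this hunk already requires labels, add one under the rule's preconditions that rejects label-less Pods, or select on a single stable label that the injecting rule sets instead of the whole label map. The generate-auth-network-policy rule that owns this selector starts and ends outside the hunk.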