fix: refactor and tune kyverno for HA

pratik705 · pratik705 · commit 93bedf2e59d8 · 2025-11-20T17:35:27.000Z
diff --git a/applications/base/services/kyverno/default-ruleset/disallow-host-path.yaml b/applications/base/services/kyverno/default-ruleset/disallow-host-path.yaml
@@ -15,8 +15,8 @@ metadata:
       HostPath volumes let Pods use host directories and volumes in containers.
       Using host resources can be used to access shared data or escalate privileges
       and should not be allowed. This policy ensures no hostPath volumes are in use.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -31,9 +31,9 @@ spec:
     - name: host-path
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/default-ruleset/disallow-host-ports.yaml b/applications/base/services/kyverno/default-ruleset/disallow-host-ports.yaml
@@ -15,8 +15,8 @@ metadata:
       Access to host ports allows potential snooping of network traffic and should not be
       allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
       field is unset or set to `0`.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -31,9 +31,9 @@ spec:
     - name: host-ports-none
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/default-ruleset/disallow-host-process.yaml b/applications/base/services/kyverno/default-ruleset/disallow-host-process.yaml
@@ -16,8 +16,8 @@ metadata:
       access to the Windows node. Privileged access to the host is disallowed in the baseline
       policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
       the `hostProcess` field, if present, is set to `false`.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -32,9 +32,9 @@ spec:
     - name: host-process-containers
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/default-ruleset/disallow-privileged-containers.yaml b/applications/base/services/kyverno/default-ruleset/disallow-privileged-containers.yaml
@@ -14,8 +14,8 @@ metadata:
     policies.kyverno.io/description: >-
       Privileged mode disables most security mechanisms and must not be allowed. This policy
       ensures Pods do not call for privileged mode.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -30,9 +30,9 @@ spec:
     - name: privileged-containers
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/default-ruleset/disallow-proc-mount.yaml b/applications/base/services/kyverno/default-ruleset/disallow-proc-mount.yaml
@@ -16,8 +16,8 @@ metadata:
       ensures nothing but the default procMount can be specified. Note that in order for users
       to deviate from the `Default` procMount requires setting a feature gate at the API
       server.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -32,9 +32,9 @@ spec:
     - name: check-proc-mount
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/default-ruleset/disallow-selinux.yaml b/applications/base/services/kyverno/default-ruleset/disallow-selinux.yaml
@@ -14,8 +14,8 @@ metadata:
     policies.kyverno.io/description: >-
       SELinux options can be used to escalate privileges and should not be allowed. This policy
       ensures that the `seLinuxOptions` field is undefined.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -30,9 +30,9 @@ spec:
     - name: selinux-type
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
@@ -61,9 +61,9 @@ spec:
     - name: selinux-user-role
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/default-ruleset/kustomization.yaml b/applications/base/services/kyverno/default-ruleset/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
   - "disallow-selinux.yaml"
   - "require-run-as-non-root-user.yaml"
   - "require-run-as-nonroot.yaml"
-  - "require-run-as-nonroot.yaml"
   - "restrict-apparmor-profiles.yaml"
   - "restrict-seccomp-strict.yaml"
   - "restrict-seccomp.yaml"
diff --git a/applications/base/services/kyverno/default-ruleset/restrict-apparmor-profiles.yaml b/applications/base/services/kyverno/default-ruleset/restrict-apparmor-profiles.yaml
@@ -17,8 +17,8 @@ metadata:
       The default policy should prevent overriding or disabling the policy, or restrict
       overrides to an allowed set of profiles. This policy ensures Pods do not
       specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -33,9 +33,9 @@ spec:
     - name: app-armor
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/default-ruleset/restrict-seccomp.yaml b/applications/base/services/kyverno/default-ruleset/restrict-seccomp.yaml
@@ -15,8 +15,8 @@ metadata:
       The seccomp profile must not be explicitly set to Unconfined. This policy,
       requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
       set to `RuntimeDefault` or `Localhost`.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -31,9 +31,9 @@ spec:
     - name: check-seccomp
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
@@ -50,14 +50,14 @@ spec:
               =(seccompProfile):
                 =(type): "RuntimeDefault | Localhost"
             =(ephemeralContainers):
-            - =(securityContext):
-                =(seccompProfile):
-                  =(type): "RuntimeDefault | Localhost"
+              - =(securityContext):
+                  =(seccompProfile):
+                    =(type): "RuntimeDefault | Localhost"
             =(initContainers):
-            - =(securityContext):
-                =(seccompProfile):
-                  =(type): "RuntimeDefault | Localhost"
+              - =(securityContext):
+                  =(seccompProfile):
+                    =(type): "RuntimeDefault | Localhost"
             containers:
-            - =(securityContext):
-                =(seccompProfile):
-                  =(type): "RuntimeDefault | Localhost"
+              - =(securityContext):
+                  =(seccompProfile):
+                    =(type): "RuntimeDefault | Localhost"
diff --git a/applications/base/services/kyverno/default-ruleset/restrict-sysctls.yaml b/applications/base/services/kyverno/default-ruleset/restrict-sysctls.yaml
@@ -18,8 +18,8 @@ metadata:
       Pod, and it is isolated from other Pods or processes on the same Node.
       This policy ensures that only those "safe" subsets can be specified in
       a Pod.
-    
-  labels: 
+
+  labels:
     app.kubernetes.io/component: kyverno
     app.kubernetes.io/instance: kyverno-policies
     app.kubernetes.io/managed-by: Helm
@@ -34,9 +34,9 @@ spec:
     - name: check-sysctls
       match:
         any:
-        - resources:
-            kinds:
-              - Pod
+          - resources:
+              kinds:
+                - Pod
       validate:
         failureAction: Audit
         allowExistingViolations: true
diff --git a/applications/base/services/kyverno/policy-engine/helm-values/hardened-values-3.6.0.yaml b/applications/base/services/kyverno/policy-engine/helm-values/hardened-values-3.6.0.yaml
@@ -774,10 +774,10 @@ features:
 admissionController:
   autoscaling:
     # -- Enable horizontal pod autoscaling
-    enabled: false
+    enabled: true
 
     # -- Minimum number of pods
-    minReplicas: 1
+    minReplicas: 3
 
     # -- Maximum number of pods
     maxReplicas: 10
@@ -995,10 +995,10 @@ admissionController:
   podDisruptionBudget:
     # -- Enable PodDisruptionBudget.
     # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
-    enabled: false
+    enabled: true
     # -- Configures the minimum available pods for disruptions.
     # Cannot be used if `maxUnavailable` is set.
-    minAvailable: 1
+    minAvailable: 2
     # -- Configures the maximum unavailable pods for disruptions.
     # Cannot be used if `minAvailable` is set.
     maxUnavailable:
@@ -1450,7 +1450,7 @@ backgroundController:
   podDisruptionBudget:
     # -- Enable PodDisruptionBudget.
     # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
-    enabled: false
+    enabled: true
     # -- Configures the minimum available pods for disruptions.
     # Cannot be used if `maxUnavailable` is set.
     minAvailable: 1
@@ -1781,7 +1781,7 @@ cleanupController:
   podDisruptionBudget:
     # -- Enable PodDisruptionBudget.
     # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
-    enabled: false
+    enabled: true
     # -- Configures the minimum available pods for disruptions.
     # Cannot be used if `maxUnavailable` is set.
     minAvailable: 1
@@ -2083,7 +2083,7 @@ reportsController:
   podDisruptionBudget:
     # -- Enable PodDisruptionBudget.
     # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
-    enabled: false
+    enabled: true
     # -- Configures the minimum available pods for disruptions.
     # Cannot be used if `maxUnavailable` is set.
     minAvailable: 1
