feat: Kyverno-based cc_init_data injection for OSC 1.12#77
Open
butler54 wants to merge 10 commits intovalidatedpatterns:mainfrom
Open
feat: Kyverno-based cc_init_data injection for OSC 1.12#77butler54 wants to merge 10 commits intovalidatedpatterns:mainfrom
butler54 wants to merge 10 commits intovalidatedpatterns:mainfrom
Conversation
…e 1.1 Replace broken io.katacontainers.config.agent.policy annotation with Kyverno MutatingPolicy that injects cc_init_data from ConfigMaps into pods with kata runtime classes. - Add coco-kyverno-policies chart with MutatingPolicy, ValidatingPolicy, and ClusterPolicy for ConfigMap namespace propagation - Update imperative job to generate both default and debug initdata ConfigMaps with Kyverno validation fields - Update workload pod templates to use coco.io/initdata-configmap annotation instead of inline policy - Update values-simple.yaml: OSC 1.12, Trustee 1.1, Kyverno Helm app - Add conditional memory annotation for non-Azure platforms - Delete insecure-policy.rego (policy now embedded in cc_init_data) BREAKING CHANGE: Requires Kyverno and OSC 1.12 / Trustee 1.1.0 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Temporarily targets butler54/trustee-chart feature/trustee-1.1-compat branch instead of released chart version. Revert to chart: trustee + chartVersion: 0.2.* after trustee-chart PR is merged and released. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cloud platforms (Azure/AWS) use "kata" runtime class for peer-pods while baremetal uses "kata-cc" for confidential containers. Updates Kyverno MutatingPolicy to explicitly match both classes instead of startsWith, and adds ServerSideApply syncPolicy for Kyverno CRDs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ACM owns the policyreports.wgpolicyk8s.io CRD with v1beta1 as a stored version. Kyverno's version drops v1beta1, causing a storage migration error. Disable Kyverno's policyreport CRD installation since ACM already provides it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… CRDs The Kyverno chart validates that reportsController and policyreport CRDs are consistent. Since ACM owns the policyreport CRDs and we disabled their installation, we must also disable the reportsController. Mutation and validation policies still work without it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace bare Pod templates with Deployments (replicas: 1) in hello-openshift and kbs-access charts. Update the Kyverno MutatingPolicy to target Deployments instead of Pods since the policies.kyverno.io/v1 API does not support autogen and confidential pods can't be easily mutated. Add generateExisting to namespace propagation ClusterPolicies and enable ArgoCD pruning to clean up old Pod resources. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bare Pods ran under kube:admin with anyuid SCC, but Deployment-created pods use the default ServiceAccount which only has restricted-v2 SCC. Remove the fixed runAsUser: 1001 and let OpenShift assign a UID from the namespace range. runAsNonRoot: true ensures non-root execution. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The policies.kyverno.io/v1 MutatingPolicy API doesn't support ConfigMap lookups (namespaceObject.get is not available). Switch to kyverno.io/v1 ClusterPolicy which supports configMap context lookups and has autogen for Deployments/StatefulSets/DaemonSets/Jobs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The kata runtime class runs a local QEMU VM without CDH. Cloud peer-pods require kata-remote to spawn a VM in Azure/AWS with CDH available at 127.0.0.1:8006. Also add kata-remote to the Kyverno ClusterPolicy match list. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Chris Butler <chris.butler@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cc_init_datainto pods with kata runtime classes, replacing brokenio.katacontainers.config.agent.policyannotationimperativenamespace to workload namespacesvalues-simple.yaml: OSC 1.12.0, Trustee 1.1.0, Kyverno Helm chart, OpenShift SCC overridesfeature/trustee-1.1-compatbranch (revert after trustee-chart PR merged)Three initdata modes
coco.io/initdata-configmap: initdatacoco.io/initdata-configmap: debug-initdatacc_init_dataannotationDependencies
Test plan
main.clusterGroupName: simpleon Azurekyvernonamespaceoc get mpol,vpol,cpolinitdataanddebug-initdataConfigMaps createdhello-openshiftandkbs-accessnamespacesio.katacontainers.config.hypervisor.cc_init_datainjectedcoco.io/initdata-configmap: debug-initdatacc_init_data, nococo.ioannotation → no mutationchart: trustee+chartVersion: 0.2.*after trustee-chart release🤖 Generated with Claude Code