Rossum - Kyverno policy demo
This example assumes existing, preconfigured access to the k8s API server.
Provide environment variables in the workdir as defined in the .envrc.example file.
The anydatacenter directory represents a theoretical structure where the cluster would be located.
Root modules
- anydatacenter/10-devops is a Terraform root module providing prerequisites for Kubernetes resources
- anydatacenter/30-policy-demo is a root module with deployments and policies to demonstrate automated topology spread of k8s pods
The root modules are split because of the chicken-or-egg dilemma with Kubernetes manifests and CRDs.
Because the kubernetes provider validates manifests against CRDs during the planning phase, it is not possible to do a single apply in which the CRDs are installed and manifests are produced against those CRDs. Another solution would be the kubectl provider, which is more error-prone (opinionated statement), so the kubernetes provider is preferred. This requires either a multi-apply approach (frowned upon!) or splitting the root modules and applying them one after another.
Policies
Policies are deliberately limited to the rossum namespace.
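An added sketch of the two-module split and a namespace-scoped policy, not this repository's own code: the first module installs the CRDs and the second declares a Kyverno policy against them. The Helm-based Kyverno install, the main.tf file names, the policy and rule names, the `distributed = "required"` label and the zone topology key are all assumptions.

```hcl
# --- anydatacenter/10-devops/main.tf (assumed content): applied first ---
# Installs Kyverno and, with it, the kyverno.io CRDs.
resource "helm_release" "kyverno" {
  name             = "kyverno"
  repository       = "https://kyverno.github.io/kyverno/"
  chart            = "kyverno"
  namespace        = "kyverno"
  create_namespace = true
}

# --- anydatacenter/30-policy-demo/main.tf (assumed content): applied second ---
# kubernetes_manifest is validated against the cluster's API schema at plan
# time, so the ClusterPolicy CRD must already exist when this module is planned.
resource "kubernetes_manifest" "spread_pods" {
  manifest = {
    apiVersion = "kyverno.io/v1"
    kind       = "ClusterPolicy"
    metadata   = { name = "spread-pods-demo" } # hypothetical name
    spec = {
      rules = [{
        name = "spread-deployments-across-zones" # hypothetical name
        match = {
          any = [{
            resources = {
              kinds      = ["Deployment"]
              namespaces = ["rossum"] # scope limited to one namespace
              selector   = { matchLabels = { distributed = "required" } } # constructed label
            }
          }]
        }
        mutate = {
          patchStrategicMerge = {
            spec = { template = { spec = {
              # "+( )" anchor: add the field only when the Deployment lacks it
              "+(topologySpreadConstraints)" = [{
                maxSkew           = 1
                topologyKey       = "topology.kubernetes.io/zone"
                whenUnsatisfiable = "ScheduleAnyway"
                labelSelector     = { matchLabels = { distributed = "required" } }
              }]
            } } }
          }
        }
      }]
    }
  }
}
```

Because the match block names the namespace explicitly, Deployments outside rossum are never mutated, which keeps the blast radius of a faulty policy to the demo namespace.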
Tests
Kyverno tests are defined in the policy root module at ./anydatacenter/30-policy-demo/kyvernoPolicies/tests
Execute with nix and devenv
tests
Execute with kyverno cli
kyverno test ./anydatacenter/30-policy-demo