build: add kyverno test pre-commit

.pre-commit-config.yaml

@@ -128,4 +128,9 @@ repos:
   #         - "--server"
   #         - "https://git.knut.univention.de"
 
+  - repo: "https://git.knut.univention.de/univention/customers/dataport/upx/kyverno-test-pre-commit"
+    rev: "v0.1.0"
+    hooks:
+      - id: "kyverno-test"
+
 ...

helm/stack-data-ums/.kyverno/kyverno-test.yaml.jinja2

@@ -0,0 +1,88 @@
+## SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+## SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "cli.kyverno.io/v1alpha1"
+kind: "Test"
+metadata:
+  name: "nubus-test"
+policies:
+  - "{{ policies_base_path }}/disallow-container-sock-mounts.yaml"
+  - "{{ policies_base_path }}/disallow-default-serviceaccount.yaml"
+  - "{{ policies_base_path }}/disallow-host-namespaces.yaml"
+  - "{{ policies_base_path }}/disallow-host-path.yaml"
+  - "{{ policies_base_path }}/disallow-host-ports.yaml"
+  - "{{ policies_base_path }}/disallow-host-process.yaml"
+  - "{{ policies_base_path }}/disallow-latest-tag.yaml"
+  - "{{ policies_base_path }}/require-containersecuritycontext.yaml"
+  - "{{ policies_base_path }}/require-health-and-liveness-check.yaml"
+  - "{{ policies_base_path }}/require-imagepullpolicy.yaml"
+  - "{{ policies_base_path }}/require-requests-limits.yaml"
+  - "{{ policies_base_path }}/require-tag-and-digest.yaml"
+  - "{{ policies_base_path }}/template-image-registries.yaml"
+  - "{{ policies_base_path }}/template-ingress.yaml"
+  - "{{ policies_base_path }}/template-replicas.yaml"
+  - "{{ policies_base_path }}/template-require-imagepullsecets.yaml"
+  - "{{ policies_base_path }}/template-storage.yaml"
+resources:
+  - "manifest.yaml"
+results:
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "disallow-default-serviceaccount"
+    kind: "Job"
+    rule: "disallow-default-serviceAccountName"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-ro-rootfs"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-no-privilege-escalation"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-all-capabilities-dropped"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-no-privileged"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-run-as-user"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-run-as-group"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-seccomp-profile"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-run-as-non-root"
+    result: "pass"
+  - resources:
+      - "release-name-stack-data-ums-1"
+    policy: "require-containersecuritycontext"
+    kind: "Job"
+    rule: "require-empty-seLinuxOptions"
+    result: "pass"

helm/stack-data-ums/.kyverno/values-kyverno.yaml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: AGPL-3.0-only
+# SPDX-FileCopyrightText: 2024 Univention GmbH
+---
+
+imagePullSecrets:
+  - "kyverno-test"
+replicaCount: 42
+
+global:
+  imageRegistry: "my_private_registry.domain.tld"
+  imagePullSecrets:
+    - "kyverno-test"
+  imagePullPolicy: "kyverno"
+
+...