
Policies Enforcer

This guide will help you to deploy Kosmos Policies Enforcer with default rules.

  # for now only useful for default deny network policy
  # on namespace creation
  - name: policy-engine
    namespace: kosmos-policy
    createNamespace: true
    labels:
      core: true
    chart: ../../kpolicies/kyverno
    values:
      - ../../kpolicies/values-min.yaml
    hooks:
      - events: ["postsync"]
        showlogs: true
        command: "kubectl"
        args:
          - "apply"
          - "-f"
          - ../../kpolicies/policy-enforce-netpol.yaml

This Helmfile snippet is used to deploy a Helm chart (kyverno) for a policy engine. Let’s break it down:


1. Release Definition

- name: policy-engine
  • This Helm release is named policy-engine.

2. Namespace Configuration

  namespace: kosmos-policy
  createNamespace: true
  • The Helm release will be deployed in the kosmos-policy namespace.
  • createNamespace: true ensures the namespace is created if it does not already exist.

3. Labels

  labels:
    core: true
  • Labels are metadata used for identification and organization.

4. Helm Chart

  chart: ../../kpolicies/kyverno
  • The chart being deployed is located at ../../kpolicies/kyverno.
  • This implies it is a local Helm chart rather than one from a remote Helm repository.

5. Values File

  values:
    - ../../kpolicies/values-min.yaml
  • The release will use the values from values-min.yaml in ../../kpolicies/.
  • Going by its name, this file most likely holds a minimal set of custom values for the Kyverno chart.

6. Post-Deployment Hook

  hooks:
    - events: ["postsync"]
      showlogs: true
      command: "kubectl"
      args:
        - "apply"
        - "-f"
        - ../../kpolicies/policy-enforce-netpol.yaml
  • This hook is bound to the postsync event, i.e. it runs after Helmfile has finished syncing the release, so it executes once the Kyverno deployment is complete.
  • showlogs: true prints the hook command's output, which is what you will want to read when the apply fails.
  • Command: kubectl apply -f ../../kpolicies/policy-enforce-netpol.yaml
    • This applies the network policy manifest stored in policy-enforce-netpol.yaml after the Kyverno deployment is completed; as the comment at the top of the snippet states, this is what provides the default-deny network policy on namespace creation.
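A post-deployment check to pair with this hook, added here as an example (it is not part of the Kosmos or Kyverno code): feed it `kubectl get networkpolicy -n <namespace> -o json` for a freshly created namespace and it reports which policies are genuine default-deny policies (all pods selected, both Ingress and Egress listed, no allow rules). The sample policy objects embedded below are constructed, not captured from a cluster.

```python
"""Verify that a namespace carries a true default-deny NetworkPolicy.

Reads a kubectl JSON List from stdin when piped; otherwise runs on the
constructed SAMPLE below so it can be tried offline.
"""
import json
import sys


def is_default_deny(policy: dict) -> bool:
    """True if the policy selects every pod and denies all ingress and egress."""
    spec = policy.get("spec", {})
    # An empty podSelector ({}) matches all pods in the namespace; any
    # matchLabels/matchExpressions narrows the selection and disqualifies it.
    if spec.get("podSelector") not in ({}, None):
        return False
    # Both directions must be listed; a policy that omits Egress denies
    # ingress only (the API defaults policyTypes to ["Ingress"] in that case).
    if not {"Ingress", "Egress"} <= set(spec.get("policyTypes", [])):
        return False
    # Every ingress/egress entry is an allow rule, so a default-deny has none.
    return not spec.get("ingress") and not spec.get("egress")


def find_default_deny(policy_list: dict) -> list:
    """Return the names of default-deny policies in a kubectl List object."""
    return [p["metadata"]["name"]
            for p in policy_list.get("items", []) if is_default_deny(p)]


# Constructed sample: one real default-deny, one ingress-only, one allow rule.
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "default-deny", "namespace": "demo"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "deny-ingress-only", "namespace": "demo"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-dns", "namespace": "demo"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"],
              "egress": [{"ports": [{"port": 53, "protocol": "UDP"}]}]}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    found = find_default_deny(data)
    print("default-deny policies:", found or "NONE")
    # Non-zero exit lets a CI step fail when the generated policy is missing.
    sys.exit(0 if found else 1)
```

Run it against a namespace created after the hook has fired; an empty result means Kyverno did not generate the policy there, or generated one that is not actually default-deny.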

Summary

  • Deploys Kyverno (a Kubernetes policy engine) using Helm.
  • Uses custom values from values-min.yaml.
  • Ensures deployment happens in the kosmos-policy namespace (created if needed).
  • After deployment, it applies additional network policies for enforcement.

🚀 Effectively, this Helmfile sets up an automated policy enforcement system using Kyverno and applies security policies post-deployment.