fix(ci): Add Kyverno CI Lint

.kyverno/_apps.yaml

@@ -0,0 +1,276 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+pod:
+  - resource: "mariadb"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "postgresql"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "clamav-simple"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "redis-master"
+    kind: "StatefulSet"
+    app: "services"
+  - resource: "ums-store-dav"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-ldap-server"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-ldap-notifier"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-portal-listener"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-selfservice-listener"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-provisioning-nats"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-guardian-management-api"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-guardian-management-ui"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-guardian-authorization-api"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "ums-open-policy-agent"
+    kind: "StatefulSet"
+    app: "univention-management-stack"
+  - resource: "open-xchange-core-mw-default"
+    kind: "StatefulSet"
+    app: "open-xchange"
+  - resource: "jitsi-prosody"
+    kind: "StatefulSet"
+    app: "jitsi"
+  - resource: "opendesk-synapse"
+    kind: "StatefulSet"
+    app: "element"
+  - resource: "xwiki"
+    kind: "StatefulSet"
+    app: "xwiki"
+  - resource: "ox-connector"
+    kind: "StatefulSet"
+    app: "provisioning"
+  - resource: "minio"
+    kind: "Deployment"
+    app: "services"
+  - resource: "memcached"
+    kind: "Deployment"
+    app: "services"
+  - resource: "postfix"
+    kind: "Deployment"
+    app: "services"
+  - resource: "ums-keycloak"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-stack-gateway"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-udm-rest-api"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-portal-server"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-notifications-api"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-portal-frontend"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-umc-gateway"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-umc-server"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-provisioning-nats-box"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-keycloak-extensions-handler"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "ums-keycloak-extensions-proxy"
+    kind: "Deployment"
+    app: "univention-management-stack"
+  - resource: "intercom-service"
+    kind: "Deployment"
+    app: "intercom-service"
+  - resource: "dovecot"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-documentconverter"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-guidedtours"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-imageconverter"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-gotenberg"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-ui-middleware"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-ui-middleware-updater"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-core-user-guide"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-guard-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-nextcloud-integration-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "open-xchange-public-sector-ui"
+    kind: "Deployment"
+    app: "open-xchange"
+  - resource: "opendesk-nextcloud-apache2"
+    kind: "Deployment"
+    app: "nextcloud"
+  - resource: "opendesk-nextcloud-exporter"
+    kind: "Deployment"
+    app: "nextcloud"
+  - resource: "opendesk-nextcloud-php"
+    kind: "Deployment"
+    app: "nextcloud"
+  - resource: "collabora"
+    kind: "Deployment"
+    app: "collabora"
+  - resource: "jitsi-jibri"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-jicofo"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-jvb"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-web"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "jitsi-opendesk-jitsi-keycloak-adapter"
+    kind: "Deployment"
+    app: "jitsi"
+  - resource: "opendesk-element"
+    kind: "Deployment"
+    app: "element"
+  - resource: "opendesk-well-known"
+    kind: "Deployment"
+    app: "element"
+  - resource: "opendesk-synapse-web"
+    kind: "Deployment"
+    app: "element"
+  - resource: "opendesk-matrix-user-verification-service"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neoboard-widget"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neochoice-widget"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neodatefix-widget"
+    kind: "Deployment"
+    app: "element"
+  - resource: "matrix-neodatefix-bot"
+    kind: "Deployment"
+    app: "element"
+  - resource: "openproject-web"
+    kind: "Deployment"
+    app: "openproject"
+  - resource: "openproject-worker"
+    kind: "Deployment"
+    app: "openproject"
+  - resource: "mariadb-bootstrap"
+    kind: "Job"
+    app: "services"
+  - resource: "postgresql-bootstrap"
+    kind: "Job"
+    app: "services"
+  - resource: "minio-provisioning"
+    kind: "Job"
+    app: "services"
+  - resource: "ums-stack-data-ums-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "ums-stack-data-swp-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "ums-keycloak-bootstrap-bootstrap-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "opendesk-keycloak-bootstrap-bootstrap-1"
+    kind: "Job"
+    app: "univention-management-stack"
+  - resource: "opendesk-open-xchange-bootstrap"
+    kind: "Job"
+    app: "open-xchange"
+  - resource: "opendesk-nextcloud-management-1"
+    kind: "Job"
+    app: "nextcloud"
+  - resource: "jitsi-opendesk-jitsi"
+    kind: "Job"
+    app: "jitsi"
+  - resource: "opendesk-matrix-user-verification-service-bootstrap"
+    kind: "Job"
+    app: "element"
+  - resource: "matrix-neodatefix-bot-bootstrap"
+    kind: "Job"
+    app: "element"
+  - resource: "opendesk-openproject-bootstrap-bootstrap-1"
+    kind: "Job"
+    app: "openproject-bootstrap"
+#  # Has timestamp in resource name - not supported yet.
+#  - resource: "openproject-seeder-*"
+#    kind: "Job"
+#  - resource: "ums-store-dav-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-udm-rest-api-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-portal-server-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-notifications-api-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-portal-frontend-test-connection"
+#    kind: "Pod"
+#  - resource: "ums-provisioning-nats-test-request-reply"
+#    kind: "Pod"
+#  - resource: "ums-provisioning-provisioning-api-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-core-guidedtours-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-gotenberg-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-core-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-core-user-guide-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-guard-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-nextcloud-integration-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "open-xchange-public-sector-ui-test-connection"
+#    kind: "Pod"
+#  - resource: "jitsi-prosody-test-connection"
+#    kind: "Pod"
+#  - resource: "jitsi-web-test-connection"
+#    kind: "Pod"
+#  - resource: "openproject-test-connection"
+#    kind: "Pod"
+...

.kyverno/policies/_policies.yaml

@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+pod:
+  - name: "require-tag-and-digest"
+    rule: "require-tag-and-digest"
+    type: "required"
+  - name: "disallow-default-serviceaccount"
+    rule: "require-sa"
+    type: "required"
+  - name: "require-imagepullsecrets"
+    rule: "require-imagepullsecrets"
+    type: "required"
+  - name: "disallow-latest-tag"
+    rule: "validate-image-tag"
+    type: "required"
+  - name: "require-imagepullpolicy-always"
+    rule: "require-imagepullpolicy-always"
+    type: "required"
+  - name: "require-health-and-liveness-check"
+    rule: "require-health-and-liveness-check"
+    type: "required"
+    excludeKinds:
+      - "Job"
+  - name: "require-requests-limits"
+    rule: "validate-resources"
+    type: "required"
+  - name: "restrict-image-registries"
+    rule: "validate-registries"
+    type: "required"
+  - name: "require-containersecuritycontext"
+    rule: "require-ro-rootfs"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-no-privilege-escalation"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-all-capabilities-dropped"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-no-privileged"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-user"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-group"
+    type: "optional"
+  - name: "require-containersecuritycontext"
+    rule: "require-seccomp-profile"
+    type: "required"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-non-root"
+    type: "optional"
+...

.kyverno/policies/disallow-default-serviceaccount.yaml

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-default-serviceaccount"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-sa"
+      validate:
+        message: "serviceAccountName must be set to anything other than 'default'."
+        pattern:
+          spec:
+            serviceAccountName: "!default"
+  validationFailureAction: "audit"
+...

.kyverno/policies/disallow-latest-tag.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-latest-tag"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "validate-image-tag"
+      validate:
+        message: "Using a mutable image tag e.g. 'latest' is not allowed."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "!*:latest"
+            =(initContainers):
+              - image: "!*:latest"
+            containers:
+              - image: "!*:latest"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-containersecuritycontext.yaml

@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-containersecuritycontext"
+spec:
+  background: true
+  rules:
+    - name: "require-ro-rootfs"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Root filesystem must be read-only."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  readOnlyRootFilesystem: true
+            =(initContainers):
+              - securityContext:
+                  readOnlyRootFilesystem: true
+            containers:
+              - securityContext:
+                  readOnlyRootFilesystem: true
+
+    - name: "require-no-privilege-escalation"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Disallow privilege escalation."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  allowPrivilegeEscalation: false
+            =(initContainers):
+              - securityContext:
+                  allowPrivilegeEscalation: false
+            containers:
+              - securityContext:
+                  allowPrivilegeEscalation: false
+
+    - name: "require-all-capabilities-dropped"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Required to drop ALL linux capabilities."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+            =(initContainers):
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+            containers:
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+
+    - name: "require-no-privileged"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Disallow privileged container."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  privileged: false
+            =(initContainers):
+              - securityContext:
+                  privileged: false
+            containers:
+              - securityContext:
+                  privileged: false
+
+    - name: "require-run-as-user"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run as non-root user."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsUser: ">0"
+            =(initContainers):
+              - securityContext:
+                  runAsUser: ">0"
+            containers:
+              - securityContext:
+                  runAsUser: ">0"
+
+    - name: "require-run-as-group"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run as non-root group."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsGroup: ">0"
+            =(initContainers):
+              - securityContext:
+                  runAsGroup: ">0"
+            containers:
+              - securityContext:
+                  runAsGroup: ">0"
+
+    - name: "require-seccomp-profile"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must have seccompProfile"
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+            =(initContainers):
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+            containers:
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+
+    - name: "require-run-as-non-root"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run in non-root mode."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsNonRoot: true
+            =(initContainers):
+              - securityContext:
+                  runAsNonRoot: true
+            containers:
+              - securityContext:
+                  runAsNonRoot: true
+
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-health-and-liveness-check.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-health-and-liveness-check"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-health-and-liveness-check"
+      validate:
+        message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
+          must be set to a value greater than 0."
+        pattern:
+          spec:
+            containers:
+              - livenessProbe:
+                  periodSeconds: ">0"
+                readinessProbe:
+                  periodSeconds: ">0"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-imagepullpolicy-always.yaml

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullpolicy-always"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagepullpolicy-always"
+      validate:
+        message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
+        anyPattern:
+          - spec:
+              =(ephemeralContainers):
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+              =(initContainers):
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+              containers:
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+          - spec:
+              =(ephemeralContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+              =(initContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+              containers:
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-imagepullsecets.yaml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullsecrets"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagepullsecrets"
+      validate:
+        message: "ImagePullSecrets are required."
+        pattern:
+          spec:
+            imagePullSecrets:
+              - name: "*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-requests-limits.yaml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-requests-limits"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "validate-resources"
+      validate:
+        message: "CPU and memory resource requests and limits are required."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "?*"
+                  requests:
+                    cpu: "?*"
+                    memory: "?*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-tag-and-digest.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-tag-and-digest"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-tag-and-digest"
+      validate:
+        message: "An image tag and digest required."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "*:*@sha256:*"
+            =(initContainers):
+              - image: "*:*@sha256:*"
+            containers:
+              - image: "*:*@sha256:*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/restrict-image-registries.yaml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "restrict-image-registries"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "validate-registries"
+      validate:
+        message: "Unknown image registry."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "external-registry.souvap-univention.de/*"
+            =(initContainers):
+              - image: "external-registry.souvap-univention.de/*"
+            containers:
+              - image: "external-registry.souvap-univention.de/*"
+  validationFailureAction: "audit"
+...