
This module installs Kyverno on a Kubernetes cluster and optionally deploys policies.



sparkfabrik/terraform-helm-kyverno


Terraform Module Template

This Terraform module deploys and manages Kyverno, a Kubernetes-native policy engine, using Helm. It exposes options for configuring the Kyverno components (admission controller, background controller, cleanup controller and reports controller: replicas, service accounts, node affinity and tolerations), and it can create and label the target namespace so that it integrates cleanly with existing Kubernetes clusters.

The module ships a small set of mutating policies:

  • redirect image pulls from Docker Hub to a mirror/cache registry;
  • custom redirects from one registry to another.

If the mirror registry is private, you must grant read (pull) permissions to the admission controller service account (admissioncontroller_sa) outside this module. As described here, you can grant the needed permissions using registry credentials or IAM Roles for Service Accounts (IRSA). Keep in mind that the rewritten image reference is pulled by the kubelet on the node, so the nodes (or the pod's imagePullSecrets) need access to the mirror as well.

Additional policies will be implemented in future releases.
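The following is an added usage example; it is not code from the sparkfabrik/terraform-helm-kyverno repository. It wires the module with the Docker Hub mirror policy, one custom registry redirect and the AWS flag, pins the controllers to a dedicated node pool, and then uses the `admissioncontroller_sa` output to build the IRSA trust policy that grants the admission controller pull rights on a private ECR-hosted mirror. The hostnames, namespaces, taint, role name and the two OIDC variables are placeholders (assumptions) to be replaced; the IAM resources are an assumption about the target account, not something the module creates.

```hcl
# Added example, not part of the module. Replace the placeholder hostnames,
# namespaces, taint and OIDC values with your own.

variable "eks_oidc_provider_arn" {
  description = "ARN of the cluster's IAM OIDC provider (assumption: EKS with IRSA enabled)"
  type        = string
}

variable "eks_oidc_provider_host" {
  description = "OIDC issuer host without scheme, e.g. oidc.eks.<region>.amazonaws.com/id/<ID> (assumption)"
  type        = string
}

module "kyverno" {
  # Assumption: consumed straight from GitHub; pin a tag with ?ref=... in practice.
  source = "github.com/sparkfabrik/terraform-helm-kyverno"

  namespace        = "kyverno"
  create_namespace = true
  is_aws           = true # also excludes the well-known EKS namespaces

  # Namespaces where the mutating policies must never fire.
  excluded_namespaces = ["cert-manager", "monitoring"]

  # Rewrite every Docker Hub image reference to the pull-through cache.
  policy_docker_hub_mirror = {
    enabled              = true
    destination_registry = "mirror.example.internal"
  }

  # Redirect one more registry. The map key is the source registry host.
  custom_registry_policies = {
    "ghcr.io" = {
      registry_title         = "ghcr"
      registry_remote_mirror = "mirror.example.internal/ghcr"
      description            = "Pull GHCR images through the internal cache"
    }
  }

  # Keep all Kyverno controllers on a dedicated, tainted node pool.
  tolerations = [{
    key      = "dedicated"
    operator = "Equal"
    value    = "kyverno"
    effect   = "NoSchedule"
  }]
  # Weight is the map key, as the module's node_affinity variable expects.
  node_affinity = {
    "100" = { key = "node-role", values = ["kyverno"] }
  }
}

# The mirror is private: give the admission controller service account pull
# rights through IRSA. Assumption: the mirror lives in ECR in the same account.
data "aws_iam_policy_document" "kyverno_irsa_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.eks_oidc_provider_arn]
    }
    # Bind the role to exactly this namespace/service-account pair, nothing wider.
    condition {
      test     = "StringEquals"
      variable = "${var.eks_oidc_provider_host}:sub"
      values   = ["system:serviceaccount:kyverno:${module.kyverno.admissioncontroller_sa}"]
    }
  }
}

resource "aws_iam_role" "kyverno_registry_reader" {
  name               = "kyverno-registry-reader"
  assume_role_policy = data.aws_iam_policy_document.kyverno_irsa_trust.json
}

resource "aws_iam_role_policy_attachment" "kyverno_ecr_read" {
  role       = aws_iam_role.kyverno_registry_reader.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
```

For IRSA to take effect the role ARN must also be attached to the service account as the `eks.amazonaws.com/role-arn` annotation; the module does not set it, so pass it through the chart values (for instance via `helm_additional_values`, assuming the module forwards that list to the Helm release). The trust policy scopes the `sub` claim to a single `namespace:serviceaccount` pair on purpose: a wildcard there would let any pod in the cluster assume the registry-reader role.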

Providers

| Name | Version |
|------|---------|
| helm | >= 2.0 |
| kubectl | >= 1.0 |
| kubernetes | >= 2.3 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| helm | >= 2.0 |
| kubectl | >= 1.0 |
| kubernetes | >= 2.3 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| `admission_controller_replicas` | Number of replicas for the Kyverno admission controller. | `number` | `3` | no |
| `admissioncontroller_node_affinity` | Node affinity for the admissioncontroller deployment. Use the weight as map key; the operator is `In` and the policy is `preferredDuringSchedulingIgnoredDuringExecution`. If not null, it completely overrides `node_affinity` for the admissioncontroller deployment. | `map(object({ key = string, values = list(string) }))` | `null` | no |
| `admissioncontroller_sa` | Service account for the Kyverno admission controller. | `string` | `"kyverno-admission-controller"` | no |
| `admissioncontroller_tolerations` | Tolerations for the admissioncontroller deployment. If not null, populates the admissioncontroller tolerations in the values file. | `list(object({ key = string, operator = string, value = string, effect = string }))` | `[]` | no |
| `backgroundcontroller_node_affinity` | Node affinity for the backgroundcontroller deployment. Use the weight as map key; the operator is `In` and the policy is `preferredDuringSchedulingIgnoredDuringExecution`. If not null, it completely overrides `node_affinity` for the backgroundcontroller deployment. | `map(object({ key = string, values = list(string) }))` | `null` | no |
| `backgroundcontroller_replicas` | Number of replicas for the Kyverno background controller. | `number` | `3` | no |
| `backgroundcontroller_sa` | Service account for the Kyverno background controller. | `string` | `"kyverno-background-controller"` | no |
| `backgroundcontroller_tolerations` | Tolerations for the backgroundcontroller deployment. If not null, populates the backgroundcontroller tolerations in the values file. | `list(object({ key = string, operator = string, value = string, effect = string }))` | `[]` | no |
| `cleanupcontroller_node_affinity` | Node affinity for the cleanupcontroller deployment. Use the weight as map key; the operator is `In` and the policy is `preferredDuringSchedulingIgnoredDuringExecution`. If not null, it completely overrides `node_affinity` for the cleanupcontroller deployment. | `map(object({ key = string, values = list(string) }))` | `null` | no |
| `cleanupcontroller_replicas` | Number of replicas for the Kyverno cleanup controller. | `number` | `2` | no |
| `cleanupcontroller_sa` | Service account for the Kyverno cleanup controller. | `string` | `"kyverno-cleanup-controller"` | no |
| `cleanupcontroller_tolerations` | Tolerations for the cleanupcontroller deployment. If not null, populates the cleanupcontroller tolerations in the values file. | `list(object({ key = string, operator = string, value = string, effect = string }))` | `[]` | no |
| `create_namespace` | Create the namespace for Kyverno. If false, the namespace must exist before this module is applied. | `bool` | `true` | no |
| `custom_registry_policies` | Custom configuration for the mutating Kyverno policy. Use the source registry host as the key (e.g. `index.docker.io`); `registry_title` is the name used to build the policy title and `registry_remote_mirror` is the remote mirror the registry is redirected to (e.g. `my.awesome-private-registry.com/my-awesome-namespace`). | `map(object({ registry_title = string, registry_remote_mirror = string, description = string }))` | `{}` | no |
| `excluded_namespaces` | Namespaces to exclude from the Kyverno policies. | `list(string)` | `[]` | no |
| `helm_additional_values` | Additional values passed to the Helm chart. | `list(string)` | `[]` | no |
| `helm_chart_version` | Version of the Kyverno Helm chart. | `string` | `"3.3.7"` | no |
| `helm_release_name` | Name of the Helm release. | `string` | `"kyverno"` | no |
| `is_aws` | Whether the cluster runs on AWS. If true, the well-known EKS namespaces are added to the excluded namespaces. | `bool` | `false` | no |
| `is_gcp` | Whether the cluster runs on GCP. If true, the well-known GKE namespaces are added to the excluded namespaces. | `bool` | `false` | no |
| `k8s_additional_labels` | Additional labels applied to the Kubernetes resources. | `map(string)` | `{}` | no |
| `k8s_default_labels` | Labels applied to the Kubernetes resources. These are opinionated defaults; add more with `k8s_additional_labels`. To drop them, override this variable with an empty `map(string)`. | `map(string)` | `{ "managed-by" = "terraform", "scope" = "kyverno" }` | no |
| `namespace` | Namespace of Kyverno. | `string` | n/a | yes |
| `node_affinity` | Node affinity for all Kyverno deployments (admissioncontroller, backgroundcontroller, cleanupcontroller and reportscontroller). Use the weight as map key; the operator is `In` and the policy is `preferredDuringSchedulingIgnoredDuringExecution`. A component-specific `*_node_affinity` variable, when set, completely overrides this value for that component. | `map(object({ key = string, values = list(string) }))` | `null` | no |
| `policy_docker_hub_mirror` | Values for the mutating Kyverno policy that redirects the Docker Hub registry to a mirror/cache registry. Only the destination registry host is needed (e.g. `my.awesome-cache-registry.com`). | `object({ enabled = optional(bool, false), destination_registry = optional(string, "") })` | `{ enabled = false, destination_registry = "" }` | no |
| `reportscontroller_node_affinity` | Node affinity for the reportscontroller deployment. Use the weight as map key; the operator is `In` and the policy is `preferredDuringSchedulingIgnoredDuringExecution`. If not null, it completely overrides `node_affinity` for the reportscontroller deployment. | `map(object({ key = string, values = list(string) }))` | `null` | no |
| `reportscontroller_replicas` | Number of replicas for the Kyverno reports controller. | `number` | `2` | no |
| `reportscontroller_sa` | Service account for the Kyverno reports controller. | `string` | `"kyverno-reports-controller"` | no |
| `reportscontroller_tolerations` | Tolerations for the reportscontroller deployment. If not null, populates the reportscontroller tolerations in the values file. | `list(object({ key = string, operator = string, value = string, effect = string }))` | `[]` | no |
| `tolerations` | Tolerations for all Kyverno deployments. If not null, populates the global tolerations in the values file. | `list(object({ key = string, operator = string, value = string, effect = string }))` | `[]` | no |

Outputs

| Name | Description |
|------|-------------|
| admissioncontroller_sa | n/a |
| backgroundcontroller_sa | n/a |
| cleanupcontroller_sa | n/a |
| dockerhub_mirror_registry | n/a |
| reportscontroller_sa | n/a |

Resources

| Name | Type |
|------|------|
| helm_release.kyverno | resource |
| kubectl_manifest.custom_registry_policies | resource |
| kubectl_manifest.use_dockerhub_mirror | resource |
| kubernetes_namespace_v1.this | resource |
| kubernetes_namespace_v1.this | data source |

Modules

No modules.