From 2d35d72a53e41568390e3c78e5fc140733c45412 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 22 May 2026 15:17:16 +0000
Subject: [PATCH] kyverno(wave1): add 7 missing registries to trusted-registries allowlist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Discovered via W1.5 enforcement when querying live cluster state: PolicyViolation events on 5 deployments (council-complaints, ebook2audiobook, hermes-agent, netbox, whisper/piper) trying to admit images from registries not in the original enumeration.

Added entries:
- amruthpillai/* (resume — reactive-resume)
- athomasson2/* (ebook2audiobook)
- netboxcommunity/* (netbox)
- nousresearch/* (hermes-agent)
- opentripplanner/* (osm-routing)
- rhasspy/* (whisper, piper)
- registry.viktorbarzin.me/* (legacy private registry — council-complaints still references; should migrate to forgejo)

The legacy registry.viktorbarzin.me was supposedly decommissioned 2026-05-07 per CLAUDE.md but council-complaints still uses it — separate cleanup task.

## Verification
- kubectl delete + reapply (kubectl_manifest resourceVersion=0 patch gotcha, same as 2026-05-18 inject-keel-annotations)
- Dry-run admission of previously-blocked images now PASS:
- netboxcommunity/netbox:v4.5.0-beta1 ✓
- rhasspy/wyoming-whisper:3.1.0 ✓
- registry.viktorbarzin.me/council-complaints:1c56f8f ✓
- Policy still in Enforce mode

## Observation status (W1.6)
- Calico GNP wave1-egress-observe-tier34 still applied, 82 ns selected
- Loki `{job="node-journal"} |~ "calico-packet"` returns ~5000 lines/hour
- No errors from observation infrastructure

Co-Authored-By: Claude Opus 4.7
---
 .../modules/kyverno/security-policies.tf | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/stacks/kyverno/modules/kyverno/security-policies.tf b/stacks/kyverno/modules/kyverno/security-policies.tf
index 7f11007d..bd508400 100644
--- a/stacks/kyverno/modules/kyverno/security-policies.tf
+++ b/stacks/kyverno/modules/kyverno/security-policies.tf 
@@ -328,21 +328,30 @@ resource "kubectl_manifest" "policy_require_trusted_registries" {
 "docker.n8n.io/*", "registry.gitlab.com/*",
 # Private
 "forgejo.viktorbarzin.me/*", "10.0.20.10*",
+ # Legacy private registry (decommissioned 2026-05-07 per CLAUDE.md
+ # but council-complaints still references — migrate to Forgejo).
+ "registry.viktorbarzin.me/*",
 # DockerHub library (bare image names without slash)
 "alpine*", "busybox*", "kong*", "mysql*", "nginx*", "postgres*", "python*",
 # DockerHub user repos (no registry prefix, has slash) —
- # enumerated from current cluster state.
- "actualbudget/*", "afadil/*", "binwiederhier/*", "bitnami/*",
+ # enumerated from current cluster state. New entries added
+ # 2026-05-22 after Enforce caught these as unallowlisted:
+ # amruthpillai (resume), athomasson2 (ebook2audiobook),
+ # netboxcommunity (netbox), nousresearch (hermes-agent),
+ # opentripplanner (osm-routing), rhasspy (whisper/piper).
+ "actualbudget/*", "afadil/*", "amruthpillai/*", "athomasson2/*",
+ "binwiederhier/*", "bitnami/*",
 "clickhouse/*", "cloudflare/*", "coturn/*", "crowdsecurity/*", "curlimages/*", "deluan/*", "dgtlmoon/*", "dolthub/*", "dpage/*", "dperson/*", "edoburu/*", "esanchezm/*", "freikin/*", "freshrss/*", "hackmdio/*", "hashicorp/*", "headscale/*", "jhonderson/*", "kebe/*", "library/*", "lissy93/*", "louislam/*", "matrixdotorg/*", "mendhak/*",
- "mghee/*", "mindflavor/*", "mpepping/*", "netsampler/*",
- "nvidia/*", "onlyoffice/*", "openresty/*", "owntracks/*",
+ "mghee/*", "mindflavor/*", "mpepping/*", "netboxcommunity/*",
+ "netsampler/*", "nousresearch/*", "nvidia/*", "onlyoffice/*",
+ "openresty/*", "opentripplanner/*", "owntracks/*",
 "phpipam/*", "phpmyadmin/*", "privatebin/*", "prom/*",
- "prompve/*", "rancher/*", "roundcube/*", "sclevine/*",
+ "prompve/*", "rancher/*", "rhasspy/*", "roundcube/*", "sclevine/*",
 "shadowsocks/*", "shlinkio/*", "stirlingtools/*", "technitium/*", "teddysun/*", "temporalio/*", "typhonragewind/*", "tzahi12345/*",
"vabene1111/*",
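Review bot: The new `"registry.viktorbarzin.me/*"` entry re-trusts the whole of a registry that its own comment describes as decommissioned, so every image path on that host is admissible for as long as the entry lingers, not only the one council-complaints still pulls. Since the entry is meant to be temporary, scope it to the single known consumer, e.g. `"registry.viktorbarzin.me/council-complaints:*"` (assuming the same wildcard semantics the other entries rely on), and give the comment an explicit exit condition such as `# TODO(cleanup): remove once council-complaints is rebuilt on Forgejo; do not add new images here`. The six new DockerHub namespaces follow the existing `org/*` convention, which is fine, but it is worth a one-line note near the list that an allowlisted namespace means trusting every image that publisher ships, since the policy as shown does no digest or signature check. The enclosing `policy_require_trusted_registries` resource begins before this hunk, so how the pattern is matched against the image reference is not visible here.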