Add the kyverno polices as a reference (#624)

* Add the kyverno polices verbatim

Just as a reference, the links are still ded

* Add messages bits

* Add 011, the kafkarator policy

* Add a preamble

* fix some links

* Add tags for kyverno

* use links from the issue

* Remember to say please

* chore: move to correct folder

* Add Redis reference section

* Make an explicit how-to for manual redis instances

* Harmonize redis and opensearch

* Redis and postgres are similar enough for one section

* Chore: do a format

* s/openSe/opense

* Add an example for environment keys

* Unbreak tables

* Capitalize

* Aiven is an implementation detail I

* Use OpenSearch & Redis instead of Aiven

* remove opensearch bits from the aivenesque docs

since we do not create opensearch automatically

* un-harmonize redis and opensearch

unfortunately

* re-add opensearch create

Author: Reasonable-Solutions

docs/explanation/naisdevice.md

@@ -1,6 +1,6 @@
-# naisdevice
+# Naisdevice
 
-naisdevice is a mechanism provided by NAIS, that lets you connect to services not available on the public internet from your machine.
+Naisdevice is a mechanism provided by NAIS, that lets you connect to services not available on the public internet from your machine.
 
 Examples of such services are:
 

docs/how-to-guides/persistence/.pages

@@ -1,4 +1,5 @@
 nav:
   - buckets
   - kafka
-  - ...
+  - opensearch
+  - redis

docs/how-to-guides/persistence/opensearch/.pages

@@ -1,7 +1,5 @@
-# OpenSearch
-
 OpenSearch is a fork of Elasticsearch that is maintained by Amazon. It is a drop-in replacement for Elasticsearch, and is fully compatible with the Elasticsearch API. It is a community-driven project that is open source and free to use.
 
 OpenSearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. It is a good choice for storing data that is not relational in nature.
 
-NAIS offers OpenSearch via [Aiven](https://aiven.io/). Aiven OpenSearch can be used by applications in all environments, but must be *defined* in a GCP cluster.
+NAIS offers OpenSearch via Aiven. Aiven OpenSearch can be used by applications in all environments, but must be defined in a GCP cluste

docs/how-to-guides/persistence/opensearch/README.md

@@ -2,11 +2,10 @@
 ---
 description: >-
   NAIS provides managed search index services through OpenSearch as a drop-in
-  replacement for Elasticsearch. This page describes how to get started with
-  OpenSearch for your applications.
+  replacement for Elasticsearch.
 ---
 
-Creating a OpenSearch instance is done by adding a OpenSearch resource to your namespace with detailed configuration in a GCP cluster. In your `Application` or `Naisjob` specifications, you specify an instance and access.
+Explicitly creating a OpenSearch instance is done by adding a OpenSearch resource to your namespace with detailed configuration in a GCP cluster. In your `Application` or `Naisjob` specifications, you specify an instance and access.
 
 The minimal OpenSearch resource looks like this:
 

docs/how-to-guides/persistence/opensearch/create.md

@@ -0,0 +1 @@
+title: Redis

docs/how-to-guides/persistence/redis/.page

@@ -0,0 +1,46 @@
+# Redis
+
+Nais provides Redis through Aiven via their Aiven
+Operator.
+
+You can create many Redis instances for your `Application`.
+
+## 0. Prerequisites
+- [Member of a NAIS team](../../explanation/team.md)
+
+!!! warning It is not possible to share Redis instances between teams.
+
+## 1. Enable Redis in your [manifest](../../reference/application-spec.md)
+
+???+ note ".nais/app.yaml"
+    ```yaml
+    spec:
+      redis:
+        - instance: sessions
+          access: readwrite
+        - instance: lookup
+          access: read
+    ```
+
+
+The above snippet will allow your application to use the `sessions`
+Redis instance, and provide the application with credentials for a
+read/write user. In addition, the application will get credentials for
+a read-only user for the `lookup` instance. See the [manifest
+reference](../../reference/application-spec.md#redis) for other
+options for `access`.
+
+If all you need is a Redis instance for one application using just the
+default settings, this is all you need. If you want to share a Redis
+instance across applications, or want to change configuration away
+from the defaults, please read the [section on explicitly creating
+redis instances](./create-redis-instance-explicitly.md).
+
+For each edis instance, your application will receive
+three environment variables. The environment variables use a fixed
+prefix, and the instance name uppercased as a suffix.
+| Key                              | Value                                |   |
+|----------------------------------|--------------------------------------|---|
+| `REDIS_URI_<InstanceName>`       | The URI for the instance             |   |
+| `REDIS_USERNAME_<InstanceName>`  | The username to use when connecting. |   |
+| `REDIS_PASSWORD_<InstanceName>` | The password to use when connecting. |   |

docs/how-to-guides/persistence/redis/README.md

@@ -1,56 +1,11 @@
-# Redis
-This guide will show you how to install and use redis in your application
-
-## 0. Prerequisites
-- [Member of a NAIS team](../../explanation/team.md)
-
-!!! warning
-    It is not possible to share Redis instances between teams.
-
-## 1. Enable redis in your [manifest](../../reference/application-spec.md#redis)
-
-???+ note ".nais/app.yaml"
-    ```yaml
-    spec:
-      redis:
-        - instance: sessions
-          access: readwrite
-        - instance: lookup
-          access: read
-    ```
-
-
-The above snippet will allow your application to use the `sessions` Redis instance, and provide the application with credentials for a read/write user.
-In addition, the application will get credentials for a read-only user for the `lookup` instance.
-See the reference for other options for `access`.
-
-If all you need is a Redis instance for one application using just the default settings, this is all you need.
-If you want to share a Redis instance across applications, or want to change configuration away from the defaults, read the next section.
-
-For each instance added to this list, your application will receive three environment variables.
-The environment variables use a fixed prefix, and the instance name uppercased as a suffix.
-
-Example for the sessions instance used above:
-(TODO: how do we fix this for non-nav=)
-
-| Key                     | Value                                                                                                                                        |
-|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
-| REDIS_URI_SESSIONS      | The URI for the Redis instance, typically with a `rediss` scheme. <br/>Example:  `rediss://redis-team-sessions-nav-dev.aivencloud.com:26483` |
-| REDIS_USERNAME_SESSIONS | The username to use when connecting.                                                                                                         |
-| REDIS_PASSWORD_SESSIONS | The password to use when connecting.                                                                                                         |
-
-So far we have used `sessions` as the instance name, but you can name your redis instance what you want with some restrictions.
-
-When you refer to redis in your `Application`, nais will look for a redis instance with the given name, or attempt to create one with default settings if it doesn't exist.
-
-## Creating a Redis instance explicitly
+# Creating a Redis instance explicitly
 
 We recommend creating your Redis instances in their own workflow for more control over configuration, especially if you intend for multiple applications using the same Redis instance, or if you need to change configuration.
 
 Creating a Redis instance is done by adding a Redis resource to your namespace with detailed configuration.
 Some configuration is enforced by the nais platform, while the rest is up to the users.
 
-Earlier we talked about the "instance name". 
+Earlier we talked about the "instance name".
 In reality, the actual name of the redis instance will be `redis-<team name>-<instance name>` (where `team name` is the same as the namespace your application resides in).
 The resource needs to have this full name in order to be accepted.
 
@@ -73,8 +28,8 @@ spec:
 A minimal Redis resource only requires `plan` and `project`.
 
  * `project` should match your nais tenant (`<<tenant()>>`) and the environment you are running in (ex. `dev`, `prod`), with a dash (`-`) in between.
- * `plan` is the Aiven plan for your Redis instance. 
-   See Aivens list of [possible plan values](https://aiven.io/pricing?product=redis). 
+ * `plan` is the Aiven plan for your Redis instance.
+   See Aivens list of [possible plan values](https://aiven.io/pricing?product=redis).
    The values are lowercased.
    Make sure you understand the differences between the plans before selecting the one you need.
    Examples: `startup-4`, `startup-56`, `business-4`, `premium-14`.
@@ -94,11 +49,11 @@ Business plans are backed up every 12 hours, keeping 3 days of backups available
 
 Once the resource is added to the cluster, some additional fields are filled in by the platform and should be left alone unless you have a good reason:
 
-| field                   |                                                                                                       | 
+| field                   |                                                                                                       |
 |-------------------------|-------------------------------------------------------------------------------------------------------|
 | `projectVpcId`          | Ensures the instance is connected to the correct project VPC and is not available on public internet. |
 | `tags`                  | Adds tags to the instance used for tracking billing in Aiven.                                         |
-| `cloudName`             | Where the Redis instance should run.                                                                  |  
+| `cloudName`             | Where the Redis instance should run.                                                                  |
 | `terminationProtection` | Protects the instance against unintended termination. Must be set to `false` before deletion.         |
 
 There are some fields available that should not be used:

docs/how-to-guides/persistence/redis.md docs/how-to-guides/persistence/redis/create-redis-instance-explicitly.md

@@ -0,0 +1,120 @@
+---
+tags:
+  - Kyverno
+---
+
+# Kyverno policies
+
+Nais enforces certain cluster policies using kyverno, in addition to different baseline security
+policies you will also find some custom policies for the nais platform.
+
+## 001 - Add spot toleration
+
+This policy adds a toleration for pods to be deployed to nodes on spot
+instances, for cost reasons.
+
+## 002 - Default allow egress
+
+This policy generates a default allow egress NetworkPolicy for all
+Namespaces. It allows all egress traffic except for RFC 1918 private
+address space. This policy is based on the following Kubernetes
+NetworkPolicy:
+https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-allow-all-egress
+
+## 003 - Deny image registries
+
+This policy denies images from registries not on the list of allowed
+registries.
+
+### Message
+
+ Image not from an approved registry. Upload the image to an approved registry and try again.
+
+## 004 - Deny creation of Kafka Topics
+
+This policy Denies the creation of Kafka Topics. Documentation:
+https://docs.nais.io/how-to-guides/persistence/kafka/create/
+
+### Message
+
+Kafka Topic resource is not supported in this cluster\nDocumentation: https://docs.nais.io/how-to-guides/persistence/kafka/create/
+
+## 005 - Deny deletion of Kafka topics
+
+This policy Denies the deletion of Kafka topics without the
+kafka.nais.io/removeDataWhenResourceIsDeleted annotation.
+Documentation:
+https://docs.nais.io/how-to-guides/persistence/kafka/delete/
+
+### Message
+
+Deleting Topic is not allowed without the kafka.nais.io/removeDataWhenResourceIsDeleted annotation.\nDocumentation: https://docs.nais.io/how-to-guides/persistence/kafka/delete/
+
+
+## 006 - Deny specific service types
+
+This policy denies the creation of services with types other than ClusterIP and ExternalName.
+This policy is based on the example policy from the Kyverno documentation.
+https://kyverno.io/docs/writing-policies/deny-service-types/
+
+### Message
+
+Service type must be one of ClusterIP or ExternalName in this namespace.
+
+## 007 - Replace legacy GitHub registry
+
+This policy rewrites references to the old GitHub registry (docker.pkg.github.com) with the new one (ghcr.io).
+
+## 008 - Verify SLSA Provenance (Keyless)
+
+This policy uses artifact provenance to identify how an artifact was produced
+and from where it originated. SLSA provenance is an industry-standard
+method of representing that provenance. This policy verifies that an
+image has SLSA provenance and was signed by the expected subject and issuer
+when produced through GitHub Actions. It requires configuration based upon
+your own values.
+
+## 009 - Ephemeral containers with allowed images and limited capabilities
+
+This policies ensures that ephemeral containers use allowed images and have limited capabilities.
+When using 'kubectl debug' please set flag `--profile=restricted`.
+For-example: `kubectl debug -it --image=cgr.dev/chainguard/busybox:latest --profile=restricted`
+
+### Message
+
+The fields spec.ephemeralContainers[*].image requires to be set for allowed image
+see `https://docs.nais.io/basics/debug`.
+Running as root is not allowed. The fields spec.ephemeralContainers[*].securityContext.runAsNonRoot
+must be `true`, and spec.ephemeralContainers[*].securityContext.capabilities.drop
+must be set to `- ALL` to reduce capabilities.
+The use of `kubectl debug` requires to set `--profile=restricted`.
+
+## 010 - Aiven operator
+
+This policy denies invalid names and projects, and missing project vpcs. Please see the documentation at https://docs.nais.io/how-to-guides/persistence/redis#creating-a-redis-instance-explicitly or https://docs.nais.io/how-to-guides/persistence/opensearch/create depending on your usecase.
+
+### message
+
+Invalid name. Please see https://docs.nais.io/how-to-guides/persistence/redis#creating-a-redis-instance-explicitly or https://docs.nais.io/how-to-guides/persistence/opensearch/create"
+
+
+## 011 - Validate fields for Kafka resources.
+
+This policy validates that the fields for the given resources has allowed values.
+Currently only validates the pool field.
+
+### Message
+Kafka pool {{ "{{ request.object.spec.pool }}" | quote }} is not supported in this cluster.
+Allowed values: [{{ $valid | join ", " }}]
+
+Please see the documentation at https://docs.nais.io/how-to-guides/persistence/kafka/create/
+
+
+## 012 - Validate fields for Azure AD resources
+
+This policy validates that Azure AD fields for the given resource has allowed values. Currently only validates the tenant field.
+
+### Message
+
+Azure AD tenant "{{ request.object.spec.tenant }}" is not supported in this cluster. Allowed values: [nav.no]
+Please see the documentation at https://doc.nais.io/security/auth/azure-ad/

docs/reference/kyverno-policies.md

@@ -0,0 +1,28 @@
+---
+tags:
+  - opensearch
+---
+
+# Opensearch
+
+Nais provides OpenSearch by way of Aiven via their Aiven Operator.
+
+
+## Configuration options
+
+The `spec.opensearch` configuration has two fields as you get exactly one OpenSearch instance per Application.
+
+```yaml
+    spec:
+      opensearch:
+        instance: <OpenSearchInstanceName>
+        access: readwrite | read | write | admin
+```
+
+Specifying an OpenSearch instance will yield three environment variables in the Application
+
+| Key                                             | Value                                |
+|-------------------------------------------------|--------------------------------------|
+| `OPEN_SEARCH_URI_<Open_SearchInstanceName>`     | The URI for the OpenSearch instance. |
+| `OPEN_SEARCH_USERNAME_<OpenSearchInstanceName>` | The username to use when connecting. |
+| `OPEN_SEARCH_PASSWORD_<OpenSearchInstanceName>` | The password to use when connecting. |

docs/reference/opensearch.md

@@ -0,0 +1,27 @@
+---
+tags:
+  - redis
+---
+
+# Redis
+
+Nais provides Redis by way of Aiven via their Aiven Operator.
+
+## Configuration options
+
+The `spec.redis` field takes a list of records of two fields, instance and access. Instance is the instance name and access is the access mode.
+
+```yaml
+    spec:
+      redis:
+        - instance: <RedisInstanceName>
+          access: readwrite | read | write | admin
+```
+
+every `<RedisInstanceName> will give three environment variables for the applications to use,
+
+| Key                                | Value                                                                                                                                       |
+|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| `REDIS_URI_<RedisInstanceName>`      | The URI for the Redis instance, typically with a `redis` scheme. <br/>Example:  `rediss://redis-team-sessions-nav-dev.aivencloud.com:26483` |
+| `REDIS_USERNAME_<RedisInstanceName>` | The username to use when connecting.                                                                                                        |
+| `REDIS_PASSWORD_<RedisInstanceName>` | The password to use when connecting.                                                                                                        |

docs/reference/redis.md

@@ -28,7 +28,7 @@
         default =
           let
             # Use Python 3.10
-            python = pkgs.python310;
+            python = pkgs.python311;
           in
           pkgs.mkShell {
             # The Nix packages provided in the environment