apps: gatekeeper policy to reject pods without controller

[viktor-f]

Warning

This is a public repository, ensure not to disclose:

• personal data beyond what is necessary for interacting with this pull request, nor
• business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

• kind/feature
• kind/improvement
• kind/deprecation
• kind/documentation
• kind/clean-up
• kind/bug
• kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

• kind/admin-change
• kind/dev-change
• kind/security
• [kind/adr](set-me)

What does this PR do / why do we need this PR?

Adds a policy that can reject the use of pods without any controller/ownerReference (i.e. pods that does not belong to a deployment/daemonset/job/...). This is primarily to avoid situations where the cluster autoscaler cannot scale down a node because it will not evict pods with local storage.

Part of #2318

Information to reviewers

Checklist

• Proper commit message prefix on all commits
• Change checks:
  • The change is transparent
  • The change is disruptive
  • The change requires no migration steps
  • The change requires migration steps
  • The change updates CRDs
  • The change updates the config and the schema
• Documentation checks:
  • The public documentation required no updates
  • The public documentation required an update - link to change
• Metrics checks:
  • The metrics are still exposed and present in Grafana after the change
  • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
  • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
• Logs checks:
  • The logs do not show any errors after the change
• PodSecurityPolicy checks:
  • Any changed Pod is covered by Kubernetes Pod Security Standards
  • Any changed Pod is covered by Gatekeeper Pod Security Policies
  • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
• NetworkPolicy checks:
  • Any changed Pod is covered by Network Policies
  • The change does not cause any dropped packets in the NetworkPolicy Dashboard
• Audit checks:
  • The change does not cause any unnecessary Kubernetes audit events
  • The change requires changes to Kubernetes audit policy
• Falco checks:
  • The change does not cause any alerts to be generated by Falco
• Bug checks:
  • The bug fix is covered by regression tests

[viktor-f]

Basing this on vf/emptydir-policy for now, to make development easier for me while I'm working on both. Will point this towards main when the first branch is merged.

[Eliastisys]

LGTM, only one small question regarding the annotation

[anders-elastisys]

LGTM, I assume you are already planning on updating this

[viktor-f]

Right, yeah I'm going to write something on the public docs and add the link here.

[lucianvlad]

LGTM
With Anders comment
Would it take long to have that link so we can we merge this and make it part of apps v0.44?

[viktor-f]

PR for public docs update: elastisys/welkin#1050
Updated both the message in the policy and the config schema to include links to public docs.