kyverno/config/dryrun/dryrun_rbac.yaml

# Additional permission is required to enable DryRun.
# If using DryRun to validate yaml, please deploy this Role/RoleBinding.
# If validating custom resources with DryRun, please add the resources to the role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: manifest-verify-dry-run
  namespace: kyverno
rules:
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - bindings
  - configmaps
  - limitranges
  - persistentvolumeclaims
  - pods
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - secrets
  - serviceaccounts
  - services
  verbs:
  - create
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - create 
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - create
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manifest-verify-dry-run
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: manifest-verify-dry-run
subjects:
- kind: ServiceAccount
  name: kyverno-service-account
  namespace: kyverno
Yaml signing and verification (#4235) * enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix log message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> change default value of dryrun option Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> support gpg signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> set cosign experimental env when keyless verification Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * improve default ignoreFields Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * add unit-test for k8smanifest Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update install yaml Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add unit-test for k8smanifest multi-signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and resolve conflict Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * remove generic name Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix sonatype-lift issue and unit-test error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update manifest rule to use attestor Signed-off-by: Riko Kudo <rurikudo@ibm.com> * remove unused value Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve conflict Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix install.yaml Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix to set COSIGN_EXPERIMENTAL env variable when keyless verification Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix misspell Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable kyverno cli in validate.manifests rule (#3) * enable kyverno cli in validate.manifests rule Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and improve error handling for better result output Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update crds and deepcopy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update unit test Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * change to use spec.rules.exclude.subjects instead of skipUsers (#4) Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore (#5) * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a comment for dryrun option field Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable to include ClusterPolicy/Policy in match resource Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style and env variable settings Signed-off-by: Riko Kudo <rurikudo@ibm.com> * simplify manifest verify func Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix func name Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix sonatype warning Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix default ignoreFields Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore rbac (#6) * fix dryrun rbac to have minimal permissions Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix lint error Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix unit-test error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated CRD documentation Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve go.mod conflicts Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated helm stuff Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-08-31 02:14:54 +09:00			`# Additional permission is required to enable DryRun.`
			`# If using DryRun to validate yaml, please deploy this Role/RoleBinding.`
			`# If validating custom resources with DryRun, please add the resources to the role.`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: manifest-verify-dry-run`
			`namespace: kyverno`
			`rules:`
			`- apiGroups:`
			`- rbac.authorization.k8s.io`
			`resources:`
			`- roles`
			`- rolebindings`
			`verbs:`
			`- create`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- bindings`
			`- configmaps`
			`- limitranges`
			`- persistentvolumeclaims`
			`- pods`
			`- podtemplates`
			`- replicationcontrollers`
			`- resourcequotas`
			`- secrets`
			`- serviceaccounts`
			`- services`
			`verbs:`
			`- create`
			`- apiGroups:`
			`- apps`
			`resources:`
			`- controllerrevisions`
			`- daemonsets`
			`- deployments`
			`- replicasets`
			`- statefulsets`
			`verbs:`
			`- create`
			`- apiGroups:`
			`- networking.k8s.io`
			`resources:`
			`- networkpolicies`
			`- ingresses`
			`verbs:`
			`- create`
			`- apiGroups:`
			`- policy`
			`resources:`
			`- poddisruptionbudgets`
			`verbs:`
			`- create`
			`- apiGroups:`
			`- storage.k8s.io`
			`resources:`
			`- csistoragecapacities`
			`verbs:`
			`- create`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: manifest-verify-dry-run`
			`namespace: kyverno`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: manifest-verify-dry-run`
			`subjects:`
			`- kind: ServiceAccount`
			`name: kyverno-service-account`
			`namespace: kyverno`