
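# ClusterPolicy CRD: cluster-scoped Kyverno policy. The openAPIV3Schema below
# is what the API server validates every ClusterPolicy .spec against, so gaps
# in it (fields marked AnyValue, missing `type`) are fields that accept
# anything.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterpolicies.kyverno.io
spec:
  group: kyverno.io
  versions:
    - name: v1
      served: true
      storage: true
  scope: Cluster
  names:
    kind: ClusterPolicy
    plural: clusterpolicies
    singular: clusterpolicy
    shortNames:
      - cpol
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        status: {}
        spec:
          required:
            - rules
          properties:
            # default values to be handled by user
            validationFailureAction:
              type: string
              enum:
                - enforce # blocks the resource API request if a rule fails.
                - audit # allows the request and reports the failed validation rules as violations. Default when unset.
            # Run the rules against existing resources as well (see the
            # "background processing" comment on the kyverno:policycontroller role).
            background:
              type: boolean
            rules:
              type: array
              items:
                type: object
                required:
                  - name
                  - match
                properties:
                  name:
                    type: string
                  # Which admission requests / resources the rule applies to.
                  match:
                    type: object
                    required:
                      - resources
                    properties:
                      roles:
                        type: array
                        items:
                          type: string
                      clusterRoles:
                        type: array
                        items:
                          type: string
                      subjects:
                        type: array
                        items:
                          type: object
                          required:
                            - kind
                            - name
                          properties:
                            kind:
                              type: string
                            apiGroup:
                              type: string
                            name:
                              type: string
                            # NOTE(review): capitalised unlike the sibling keys; OpenAPI
                            # property names are case-sensitive, so confirm this matches
                            # the field the controller reads (a v1beta1 CRD does not reject
                            # unknown fields, so a mismatch would go unnoticed).
                            Namespace:
                              type: string
                      resources:
                        type: object
                        minProperties: 1
                        properties:
                          kinds:
                            type: array
                            items:
                              type: string
                          name:
                            type: string
                          namespaces:
                            type: array
                            items:
                              type: string
                          selector:
                            properties:
                              matchLabels:
                                type: object
                                additionalProperties:
                                  type: string
                              matchExpressions:
                                type: array
                                items:
                                  type: object
                                  required:
                                    - key
                                    - operator
                                  properties:
                                    key:
                                      type: string
                                    operator:
                                      type: string
                                    values:
                                      type: array
                                      items:
                                        type: string
                  # Same shape as `match`; resources selected here are exempt from the rule.
                  exclude:
                    type: object
                    properties:
                      roles:
                        type: array
                        items:
                          type: string
                      clusterRoles:
                        type: array
                        items:
                          type: string
                      subjects:
                        type: array
                        items:
                          type: object
                          required:
                            - kind
                            - name
                          properties:
                            kind:
                              type: string
                            apiGroup:
                              type: string
                            name:
                              type: string
                            # NOTE(review): see the note on match.subjects.Namespace above.
                            Namespace:
                              type: string
                      resources:
                        type: object
                        properties:
                          kinds:
                            type: array
                            items:
                              type: string
                          name:
                            type: string
                          namespaces:
                            type: array
                            items:
                              type: string
                          selector:
                            properties:
                              matchLabels:
                                type: object
                                additionalProperties:
                                  type: string
                              matchExpressions:
                                type: array
                                items:
                                  type: object
                                  required:
                                    - key
                                    - operator
                                  properties:
                                    key:
                                      type: string
                                    operator:
                                      type: string
                                    values:
                                      type: array
                                      items:
                                        type: string
                  # Conditions that must hold before the rule is applied.
                  preconditions:
                    type: array
                    items:
                      type: object
                      required:
                        - key # can be of any type
                        - operator # typed
                        - value # can be of any type
                  mutate:
                    type: object
                    properties:
                      # AnyValue is not an OpenAPI keyword; the field carries no constraints.
                      overlay:
                        AnyValue: {}
                      # JSON-Patch style operations (add / replace / remove).
                      patches:
                        type: array
                        items:
                          type: object
                          required:
                            - path
                            - op
                          properties:
                            path:
                              type: string
                            op:
                              type: string
                              enum:
                                - add
                                - replace
                                - remove
                            value:
                              AnyValue: {}
                  validate:
                    type: object
                    properties:
                      message:
                        type: string
                      pattern:
                        AnyValue: {}
                      anyPattern:
                        AnyValue: {}
                      deny:
                        properties:
                          conditions:
                            type: array
                            items:
                              type: object
                              required:
                                - key # can be of any type
                                - operator # typed
                                - value # can be of any type
                  # Resources created by the rule; the kinds a rule may create are bounded
                  # by the kyverno:generatecontroller role.
                  generate:
                    type: object
                    required:
                      - kind
                      - name
                    properties:
                      kind:
                        type: string
                      name:
                        type: string
                      namespace:
                        type: string
                      # Source resource to copy; presumably exclusive with `data`.
                      clone:
                        type: object
                        required:
                          - namespace
                          - name
                        properties:
                          namespace:
                            type: string
                          name:
                            type: string
                      # Inline content of the generated resource; not validated.
                      data:
                        AnyValue: {}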
---
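# ClusterPolicyViolation CRD: cluster-scoped record of the rules of a policy
# that failed for a resource. The printer columns make `kubectl get cpolv`
# show the policy and the offending resource directly.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterpolicyviolations.kyverno.io
spec:
  group: kyverno.io
  versions:
    - name: v1
      served: true
      storage: true
  scope: Cluster
  names:
    kind: ClusterPolicyViolation
    plural: clusterpolicyviolations
    singular: clusterpolicyviolation
    shortNames:
      - cpolv
  subresources:
    status: {}
  additionalPrinterColumns:
    - name: Policy
      type: string
      description: The policy that resulted in the violation
      JSONPath: .spec.policy
    - name: ResourceKind
      type: string
      description: The resource kind that caused the violation
      JSONPath: .spec.resource.kind
    - name: ResourceName
      type: string
      description: The resource name that caused the violation
      JSONPath: .spec.resource.name
    - name: Age
      type: date
      JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
        spec:
          required:
            - policy
            - resource
            - rules
          properties:
            policy:
              type: string
            resource:
              type: object
              required:
                - kind
                - name
              properties:
                kind:
                  type: string
                name:
                  type: string
            # One entry per failed rule, with the rule's message.
            rules:
              type: array
              items:
                type: object
                required:
                  - name
                  - type
                  - message
                properties:
                  name:
                    type: string
                  type:
                    type: string
                  message:
                    type: string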
---
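# PolicyViolation CRD: namespaced counterpart of ClusterPolicyViolation, with
# the same spec and printer columns; `kubectl get polv` lists them.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: policyviolations.kyverno.io
spec:
  group: kyverno.io
  versions:
    - name: v1
      served: true
      storage: true
  scope: Namespaced
  names:
    kind: PolicyViolation
    plural: policyviolations
    singular: policyviolation
    shortNames:
      - polv
  subresources:
    status: {}
  additionalPrinterColumns:
    - name: Policy
      type: string
      description: The policy that resulted in the violation
      JSONPath: .spec.policy
    - name: ResourceKind
      type: string
      description: The resource kind that caused the violation
      JSONPath: .spec.resource.kind
    - name: ResourceName
      type: string
      description: The resource name that caused the violation
      JSONPath: .spec.resource.name
    - name: Age
      type: date
      JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
        spec:
          required:
            - policy
            - resource
            - rules
          properties:
            policy:
              type: string
            resource:
              type: object
              required:
                - kind
                - name
              properties:
                kind:
                  type: string
                name:
                  type: string
            # One entry per failed rule, with the rule's message.
            rules:
              type: array
              items:
                type: object
                required:
                  - name
                  - type
                  - message
                properties:
                  name:
                    type: string
                  type:
                    type: string
                  message:
                    type: string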
---
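# GenerateRequest CRD: namespaced work item recording that a policy's generate
# rule was triggered by a resource; .status.state tracks its processing.
# The printer-column descriptions previously said "violation" (copied from the
# violation CRDs); they now describe this resource.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: generaterequests.kyverno.io
spec:
  group: kyverno.io
  versions:
    - name: v1
      served: true
      storage: true
  scope: Namespaced
  names:
    kind: GenerateRequest
    plural: generaterequests
    singular: generaterequest
    shortNames:
      - gr
  subresources:
    status: {}
  additionalPrinterColumns:
    - name: Policy
      type: string
      description: The policy whose generate rule created this request
      JSONPath: .spec.policy
    - name: ResourceKind
      type: string
      description: The kind of the resource that triggered the generate request
      JSONPath: .spec.resource.kind
    - name: ResourceName
      type: string
      description: The name of the resource that triggered the generate request
      JSONPath: .spec.resource.name
    - name: ResourceNamespace
      type: string
      description: The namespace of the resource that triggered the generate request
      JSONPath: .spec.resource.namespace
    # NOTE(review): column name is lowercase while the other columns are
    # capitalised; left as-is since it is the visible `kubectl get` header.
    - name: status
      type: string
      description: Current state of generate request
      JSONPath: .status.state
    - name: Age
      type: date
      JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
        spec:
          required:
            - policy
            - resource
          properties:
            policy:
              type: string
            # The trigger resource; namespace is optional for cluster-scoped kinds.
            resource:
              type: object
              required:
                - kind
                - name
              properties:
                kind:
                  type: string
                name:
                  type: string
                namespace:
                  type: string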
---
# Namespace that holds every Kyverno object below (service, service account,
# config map, deployment).
apiVersion: v1
kind: Namespace
metadata:
  name: kyverno
---
# Service in front of the kyverno pods (selector app=kyverno) on port 443;
# presumably the endpoint the API server calls for the admission webhook.
apiVersion: v1
kind: Service
metadata:
  name: kyverno-svc
  namespace: kyverno
  labels:
    app: kyverno
spec:
  selector:
    app: kyverno
  ports:
    - port: 443
      targetPort: 443
---
# Identity the kyverno Deployment runs as; every ClusterRoleBinding in this
# file attaches to it, so its token carries the union of all roles below.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kyverno
  name: kyverno-service-account
---
# Read-only access to PolicyViolation objects. No ClusterRoleBinding for this
# role appears in this file; presumably it is meant to be bound to users or
# groups that need to view violations.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kyverno:policyviolations
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - policyviolations
    verbs:
      - get
      - list
      - watch
---
# Grants the kyverno:webhook ClusterRole to the kyverno service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:webhook
subjects:
  - kind: ServiceAccount
    name: kyverno-service-account
    namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:webhook
---
# Grants the kyverno:userinfo ClusterRole to the kyverno service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:userinfo
subjects:
  - kind: ServiceAccount
    name: kyverno-service-account
    namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:userinfo
---
# Grants the kyverno:customresources ClusterRole to the kyverno service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:customresources
subjects:
  - kind: ServiceAccount
    name: kyverno-service-account
    namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:customresources
---
# Grants the kyverno:policycontroller ClusterRole to the kyverno service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:policycontroller
subjects:
  - kind: ServiceAccount
    name: kyverno-service-account
    namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:policycontroller
---
# Grants the kyverno:generatecontroller ClusterRole to the kyverno service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:generatecontroller
subjects:
  - kind: ServiceAccount
    name: kyverno-service-account
    namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno:generatecontroller
---
# Permissions for the admission-webhook side of Kyverno: registering its own
# webhook configurations, emitting events and obtaining a serving certificate
# through the CSR API.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:webhook
rules:
  # Dynamic creation of webhooks, events & certs
  # NOTE(review): apiGroups "*" is wider than these resources need; they live
  # in "" / events.k8s.io (events), admissionregistration.k8s.io (webhook
  # configurations) and certificates.k8s.io (CSRs).
  - apiGroups:
      - "*"
    resources:
      - events
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
      - certificatesigningrequests
      - certificatesigningrequests/approval
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # NOTE(review): resourceNames on a certificatesigningrequests rule is matched
  # against CSR object names, so the signer name "kubernetes.io/legacy-unknown"
  # is unlikely to match any CSR; the rule above already grants these verbs
  # with no name restriction. Confirm the intent before relying on this rule.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
      - certificatesigningrequests/approval
      - certificatesigningrequests/status
    resourceNames:
      - kubernetes.io/legacy-unknown
    verbs:
      - create
      - delete
      - get
      - update
      - watch
  # Lets the service account approve its own serving-certificate CSR. The same
  # grant covers any CSR naming this signer, so the binding for this role
  # should stay limited to the kyverno service account.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - kubernetes.io/legacy-unknown
    verbs:
      - approve
---
# Access used to resolve the roles and cluster roles behind the user of an
# incoming admission request (the `roles`, `clusterRoles` and `subjects`
# selectors of a ClusterPolicy).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:userinfo
rules:
  # get the roleRef for incoming api-request user
  # NOTE(review): only `watch` is granted. If these resources are consumed
  # through an informer it also needs `list`; in this file that is only
  # covered by the wildcard get/list grant of kyverno:policycontroller, so
  # this role is not usable on its own.
  - apiGroups:
      - '*'
    resources:
      - rolebindings
      - clusterrolebindings
      - configmaps
    verbs:
      - watch
---
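# Full control over Kyverno's own custom resources (policies, violations,
# generate requests) and their status subresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:customresources
rules:
  # Kyverno CRs
  # Every resource listed here is defined in the kyverno.io group by the CRDs
  # above, so the grant is scoped to that group rather than "*" — the same
  # scoping the kyverno:policyviolations role already uses.
  - apiGroups:
      - kyverno.io
    resources:
      - clusterpolicies
      - clusterpolicies/status
      - clusterpolicyviolations
      - clusterpolicyviolations/status
      - policyviolations
      - policyviolations/status
      - generaterequests
      - generaterequests/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch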
---
# Background policy processing: the controller enumerates existing resources
# to evaluate policies against them.
# NOTE(review): "*"/"*" with get/list reads every resource in the cluster,
# Secrets included, and `update` applies to all of them as well. Narrowing to
# the kinds that policies actually target would limit what a leaked
# service-account token can reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:policycontroller
rules:
  # background processing, identify all existing resources
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - update
---
# Permissions for processing `generate` rules: creating and maintaining the
# generated resources, and re-evaluating when a trigger namespace changes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:generatecontroller
rules:
  # process generate rules to generate resources
  # NOTE(review): clusterroles, rolebindings and clusterrolebindings are in
  # this list, so a generate rule can hand out RBAC. The API server's RBAC
  # escalation check restricts that to permissions the service account itself
  # holds, but with the wildcard grants in this file that is most of the
  # cluster — anyone who can write ClusterPolicy objects should be treated as
  # holding these permissions.
  - apiGroups:
      - "*"
    resources:
      - namespaces
      - networkpolicies
      - secrets
      - configmaps
      - resourcequotas
      - limitranges
      - clusterroles
      - rolebindings
      - clusterrolebindings
    verbs:
      - create
      - update
      - delete
      - get
  # dynamic watches on trigger resources for generate rules
  # re-evaluate the policy if the resource is updated
  - apiGroups:
      - "*"
    resources:
      - namespaces
    verbs:
      - watch
---
# Runtime configuration for the kyverno Deployment (its INIT_CONFIG env var
# names this ConfigMap). Each bracketed entry appears to be a
# [Kind,Namespace,Name] tuple; matching resources are skipped by the policy
# engine entirely, so nothing in kube-system, kube-public, kube-node-lease or
# the kyverno namespace itself is subject to policy.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kyverno
  name: init-config
data:
  # resource types to be skipped by kyverno policy engine
  resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: kyverno
name: kyverno
labels:
app: kyverno
spec:
selector:
matchLabels:
app: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
spec:
serviceAccountName: kyverno-service-account
initContainers:
- name: kyverno-pre
image: nirmata/kyvernopre:v1.1.5
containers:
- name: kyverno
image: nirmata/kyverno:v1.1.5
args:
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
# customize webhook timeout
# - "--webhooktimeout=4"
ports:
- containerPort: 443
env:
- name: INIT_CONFIG
value: init-config