2019-02-06 12:52:09 +00:00
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
|
kind: CustomResourceDefinition
|
|
|
|
metadata:
|
2019-09-03 21:51:51 +00:00
|
|
|
name: clusterpolicies.kyverno.io
|
2019-02-06 12:52:09 +00:00
|
|
|
spec:
|
2019-05-22 01:36:24 +00:00
|
|
|
group: kyverno.io
|
2019-02-12 17:01:25 +00:00
|
|
|
versions:
|
2019-11-13 21:41:28 +00:00
|
|
|
- name: v1
|
2019-02-12 17:01:25 +00:00
|
|
|
served: true
|
|
|
|
storage: true
|
2019-02-14 14:36:55 +00:00
|
|
|
scope: Cluster
|
2019-02-06 12:52:09 +00:00
|
|
|
names:
|
2019-09-03 21:51:51 +00:00
|
|
|
kind: ClusterPolicy
|
|
|
|
plural: clusterpolicies
|
|
|
|
singular: clusterpolicy
|
2019-11-25 20:36:47 +00:00
|
|
|
shortNames:
|
2019-12-12 00:07:39 +00:00
|
|
|
- cpol
|
2019-03-07 15:57:43 +00:00
|
|
|
subresources:
|
|
|
|
status: {}
|
2019-03-12 12:42:24 +00:00
|
|
|
validation:
|
2019-03-14 12:00:57 +00:00
|
|
|
openAPIV3Schema:
|
|
|
|
properties:
|
2020-04-12 13:28:55 +00:00
|
|
|
status: {}
|
2019-03-14 12:00:57 +00:00
|
|
|
spec:
|
|
|
|
required:
|
|
|
|
- rules
|
|
|
|
properties:
|
2019-07-18 17:22:20 +00:00
|
|
|
# default values to be handled by user
|
|
|
|
validationFailureAction:
|
2019-07-15 22:30:28 +00:00
|
|
|
type: string
|
|
|
|
enum:
|
2019-09-06 17:18:45 +00:00
|
|
|
- enforce # blocks the resorce api-reques if a rule fails.
|
|
|
|
- audit # allows resource creation and reports the failed validation rules as violations. Default
|
2020-02-18 22:55:12 +00:00
|
|
|
background:
|
|
|
|
type: boolean
|
2019-03-14 12:00:57 +00:00
|
|
|
rules:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
2019-05-13 13:08:02 +00:00
|
|
|
- name
|
2020-04-27 06:17:33 +00:00
|
|
|
- match
|
2019-05-21 21:37:54 +00:00
|
|
|
properties:
|
2019-05-13 13:08:02 +00:00
|
|
|
name:
|
|
|
|
type: string
|
2019-07-24 03:34:03 +00:00
|
|
|
match:
|
2019-03-14 12:00:57 +00:00
|
|
|
type: object
|
|
|
|
required:
|
2019-07-24 03:34:03 +00:00
|
|
|
- resources
|
2019-05-21 21:37:54 +00:00
|
|
|
properties:
|
2019-11-12 02:52:39 +00:00
|
|
|
roles:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
|
|
|
clusterRoles:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
|
|
|
subjects:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- kind
|
|
|
|
- name
|
|
|
|
properties:
|
|
|
|
kind:
|
|
|
|
type: string
|
|
|
|
apiGroup:
|
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
|
|
|
Namespace:
|
|
|
|
type: string
|
2019-07-24 03:34:03 +00:00
|
|
|
resources:
|
|
|
|
type: object
|
2020-02-05 10:25:37 +00:00
|
|
|
minProperties: 1
|
2019-03-14 12:00:57 +00:00
|
|
|
properties:
|
2019-07-24 03:34:03 +00:00
|
|
|
kinds:
|
2019-03-14 12:00:57 +00:00
|
|
|
type: array
|
|
|
|
items:
|
2019-07-24 03:34:03 +00:00
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
2019-08-17 16:59:13 +00:00
|
|
|
namespaces:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
2019-07-24 03:34:03 +00:00
|
|
|
selector:
|
|
|
|
properties:
|
|
|
|
matchLabels:
|
|
|
|
type: object
|
|
|
|
additionalProperties:
|
2019-03-14 12:00:57 +00:00
|
|
|
type: string
|
2019-07-24 03:34:03 +00:00
|
|
|
matchExpressions:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- key
|
|
|
|
- operator
|
|
|
|
properties:
|
|
|
|
key:
|
|
|
|
type: string
|
|
|
|
operator:
|
|
|
|
type: string
|
|
|
|
values:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
|
|
|
exclude:
|
|
|
|
type: object
|
|
|
|
properties:
|
2019-11-12 02:52:39 +00:00
|
|
|
roles:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
|
|
|
clusterRoles:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
|
|
|
subjects:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- kind
|
|
|
|
- name
|
|
|
|
properties:
|
|
|
|
kind:
|
|
|
|
type: string
|
|
|
|
apiGroup:
|
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
|
|
|
Namespace:
|
|
|
|
type: string
|
2019-07-24 03:34:03 +00:00
|
|
|
resources:
|
|
|
|
type: object
|
|
|
|
properties:
|
|
|
|
kinds:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
2019-08-19 18:54:25 +00:00
|
|
|
namespaces:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
2019-07-24 03:34:03 +00:00
|
|
|
selector:
|
|
|
|
properties:
|
|
|
|
matchLabels:
|
|
|
|
type: object
|
|
|
|
additionalProperties:
|
2019-03-14 12:00:57 +00:00
|
|
|
type: string
|
2019-07-24 03:34:03 +00:00
|
|
|
matchExpressions:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- key
|
|
|
|
- operator
|
|
|
|
properties:
|
|
|
|
key:
|
|
|
|
type: string
|
|
|
|
operator:
|
|
|
|
type: string
|
|
|
|
values:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: string
|
2020-01-07 23:13:57 +00:00
|
|
|
preconditions:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- key # can be of any type
|
|
|
|
- operator # typed
|
|
|
|
- value # can be of any type
|
2019-05-13 13:08:02 +00:00
|
|
|
mutate:
|
|
|
|
type: object
|
|
|
|
properties:
|
|
|
|
overlay:
|
|
|
|
AnyValue: {}
|
|
|
|
patches:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- path
|
|
|
|
- op
|
|
|
|
properties:
|
|
|
|
path:
|
|
|
|
type: string
|
|
|
|
op:
|
|
|
|
type: string
|
|
|
|
enum:
|
|
|
|
- add
|
|
|
|
- replace
|
|
|
|
- remove
|
|
|
|
value:
|
|
|
|
AnyValue: {}
|
|
|
|
validate:
|
|
|
|
type: object
|
|
|
|
properties:
|
|
|
|
message:
|
|
|
|
type: string
|
|
|
|
pattern:
|
|
|
|
AnyValue: {}
|
2019-08-21 00:56:02 +00:00
|
|
|
anyPattern:
|
|
|
|
AnyValue: {}
|
2020-04-14 13:36:48 +00:00
|
|
|
deny:
|
2020-04-18 12:56:09 +00:00
|
|
|
properties:
|
|
|
|
conditions:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- key # can be of any type
|
|
|
|
- operator # typed
|
|
|
|
- value # can be of any type
|
2019-05-13 13:08:02 +00:00
|
|
|
generate:
|
2019-05-21 21:37:54 +00:00
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- kind
|
|
|
|
- name
|
|
|
|
properties:
|
|
|
|
kind:
|
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
2020-04-02 16:48:26 +00:00
|
|
|
namespace:
|
|
|
|
type: string
|
2019-06-01 01:45:23 +00:00
|
|
|
clone:
|
2019-05-21 21:37:54 +00:00
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- namespace
|
|
|
|
- name
|
|
|
|
properties:
|
|
|
|
namespace:
|
2019-03-14 12:00:57 +00:00
|
|
|
type: string
|
2019-05-21 21:37:54 +00:00
|
|
|
name:
|
2019-03-14 12:00:57 +00:00
|
|
|
type: string
|
2019-05-21 21:37:54 +00:00
|
|
|
data:
|
2019-06-01 00:59:36 +00:00
|
|
|
AnyValue: {}
|
2019-03-21 13:57:30 +00:00
|
|
|
---
|
2019-08-22 19:48:27 +00:00
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
|
kind: CustomResourceDefinition
|
|
|
|
metadata:
|
2019-09-03 21:51:51 +00:00
|
|
|
name: clusterpolicyviolations.kyverno.io
|
2019-08-22 19:48:27 +00:00
|
|
|
spec:
|
|
|
|
group: kyverno.io
|
|
|
|
versions:
|
2019-11-13 21:41:28 +00:00
|
|
|
- name: v1
|
2019-08-22 19:48:27 +00:00
|
|
|
served: true
|
|
|
|
storage: true
|
|
|
|
scope: Cluster
|
|
|
|
names:
|
2019-09-03 21:51:51 +00:00
|
|
|
kind: ClusterPolicyViolation
|
|
|
|
plural: clusterpolicyviolations
|
|
|
|
singular: clusterpolicyviolation
|
2019-11-25 20:36:47 +00:00
|
|
|
shortNames:
|
|
|
|
- cpolv
|
2019-11-12 19:21:23 +00:00
|
|
|
subresources:
|
|
|
|
status: {}
|
2019-11-25 20:36:47 +00:00
|
|
|
additionalPrinterColumns:
|
|
|
|
- name: Policy
|
|
|
|
type: string
|
|
|
|
description: The policy that resulted in the violation
|
|
|
|
JSONPath: .spec.policy
|
|
|
|
- name: ResourceKind
|
|
|
|
type: string
|
|
|
|
description: The resource kind that cause the violation
|
|
|
|
JSONPath: .spec.resource.kind
|
|
|
|
- name: ResourceName
|
|
|
|
type: string
|
|
|
|
description: The resource name that caused the violation
|
|
|
|
JSONPath: .spec.resource.name
|
2019-12-12 23:19:48 +00:00
|
|
|
- name: Age
|
|
|
|
type: date
|
|
|
|
JSONPath: .metadata.creationTimestamp
|
2019-11-12 19:21:23 +00:00
|
|
|
validation:
|
|
|
|
openAPIV3Schema:
|
|
|
|
properties:
|
|
|
|
spec:
|
|
|
|
required:
|
|
|
|
- policy
|
|
|
|
- resource
|
|
|
|
- rules
|
|
|
|
properties:
|
|
|
|
policy:
|
|
|
|
type: string
|
|
|
|
resource:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- kind
|
|
|
|
- name
|
|
|
|
properties:
|
|
|
|
kind:
|
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
|
|
|
rules:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- name
|
|
|
|
- type
|
|
|
|
- message
|
|
|
|
properties:
|
|
|
|
name:
|
|
|
|
type: string
|
|
|
|
type:
|
|
|
|
type: string
|
|
|
|
message:
|
|
|
|
type: string
|
|
|
|
---
|
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
|
kind: CustomResourceDefinition
|
|
|
|
metadata:
|
2019-12-12 00:07:39 +00:00
|
|
|
name: policyviolations.kyverno.io
|
2019-11-12 19:21:23 +00:00
|
|
|
spec:
|
|
|
|
group: kyverno.io
|
|
|
|
versions:
|
2019-11-13 21:41:28 +00:00
|
|
|
- name: v1
|
2019-11-12 19:21:23 +00:00
|
|
|
served: true
|
|
|
|
storage: true
|
|
|
|
scope: Namespaced
|
|
|
|
names:
|
2019-12-12 00:07:39 +00:00
|
|
|
kind: PolicyViolation
|
|
|
|
plural: policyviolations
|
|
|
|
singular: policyviolation
|
2019-11-25 20:36:47 +00:00
|
|
|
shortNames:
|
2019-12-12 00:07:39 +00:00
|
|
|
- polv
|
2019-08-22 19:48:27 +00:00
|
|
|
subresources:
|
|
|
|
status: {}
|
2019-11-25 20:36:47 +00:00
|
|
|
additionalPrinterColumns:
|
|
|
|
- name: Policy
|
|
|
|
type: string
|
|
|
|
description: The policy that resulted in the violation
|
|
|
|
JSONPath: .spec.policy
|
|
|
|
- name: ResourceKind
|
|
|
|
type: string
|
|
|
|
description: The resource kind that cause the violation
|
|
|
|
JSONPath: .spec.resource.kind
|
|
|
|
- name: ResourceName
|
|
|
|
type: string
|
|
|
|
description: The resource name that caused the violation
|
|
|
|
JSONPath: .spec.resource.name
|
2019-12-12 23:19:48 +00:00
|
|
|
- name: Age
|
|
|
|
type: date
|
|
|
|
JSONPath: .metadata.creationTimestamp
|
2019-08-22 19:48:27 +00:00
|
|
|
validation:
|
|
|
|
openAPIV3Schema:
|
|
|
|
properties:
|
|
|
|
spec:
|
|
|
|
required:
|
|
|
|
- policy
|
|
|
|
- resource
|
|
|
|
- rules
|
|
|
|
properties:
|
|
|
|
policy:
|
|
|
|
type: string
|
|
|
|
resource:
|
|
|
|
type: object
|
|
|
|
required:
|
2019-08-22 21:12:30 +00:00
|
|
|
- kind
|
|
|
|
- name
|
2019-08-22 19:48:27 +00:00
|
|
|
properties:
|
|
|
|
kind:
|
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
2019-08-22 21:22:23 +00:00
|
|
|
rules:
|
|
|
|
type: array
|
|
|
|
items:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- name
|
|
|
|
- type
|
|
|
|
- message
|
|
|
|
properties:
|
|
|
|
name:
|
|
|
|
type: string
|
|
|
|
type:
|
|
|
|
type: string
|
|
|
|
message:
|
|
|
|
type: string
|
2019-08-22 19:48:27 +00:00
|
|
|
---
|
2020-01-07 18:33:28 +00:00
|
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
|
|
kind: CustomResourceDefinition
|
|
|
|
metadata:
|
|
|
|
name: generaterequests.kyverno.io
|
|
|
|
spec:
|
|
|
|
group: kyverno.io
|
|
|
|
versions:
|
|
|
|
- name: v1
|
|
|
|
served: true
|
|
|
|
storage: true
|
|
|
|
scope: Namespaced
|
|
|
|
names:
|
|
|
|
kind: GenerateRequest
|
|
|
|
plural: generaterequests
|
|
|
|
singular: generaterequest
|
|
|
|
shortNames:
|
|
|
|
- gr
|
|
|
|
subresources:
|
|
|
|
status: {}
|
|
|
|
additionalPrinterColumns:
|
|
|
|
- name: Policy
|
|
|
|
type: string
|
|
|
|
description: The policy that resulted in the violation
|
|
|
|
JSONPath: .spec.policy
|
|
|
|
- name: ResourceKind
|
|
|
|
type: string
|
|
|
|
description: The resource kind that cause the violation
|
|
|
|
JSONPath: .spec.resource.kind
|
|
|
|
- name: ResourceName
|
|
|
|
type: string
|
|
|
|
description: The resource name that caused the violation
|
|
|
|
JSONPath: .spec.resource.name
|
|
|
|
- name: ResourceNamespace
|
|
|
|
type: string
|
|
|
|
description: The resource namespace that caused the violation
|
|
|
|
JSONPath: .spec.resource.namespace
|
|
|
|
- name: status
|
|
|
|
type : string
|
|
|
|
description: Current state of generate request
|
|
|
|
JSONPath: .status.state
|
|
|
|
- name: Age
|
|
|
|
type: date
|
|
|
|
JSONPath: .metadata.creationTimestamp
|
|
|
|
validation:
|
|
|
|
openAPIV3Schema:
|
|
|
|
properties:
|
|
|
|
spec:
|
|
|
|
required:
|
|
|
|
- policy
|
|
|
|
- resource
|
|
|
|
properties:
|
|
|
|
policy:
|
|
|
|
type: string
|
|
|
|
resource:
|
|
|
|
type: object
|
|
|
|
required:
|
|
|
|
- kind
|
|
|
|
- name
|
|
|
|
properties:
|
|
|
|
kind:
|
|
|
|
type: string
|
|
|
|
name:
|
|
|
|
type: string
|
|
|
|
namespace:
|
|
|
|
type: string
|
|
|
|
---
|
2019-05-22 01:36:24 +00:00
|
|
|
kind: Namespace
|
|
|
|
apiVersion: v1
|
|
|
|
metadata:
|
|
|
|
name: "kyverno"
|
|
|
|
---
|
2019-03-21 13:57:30 +00:00
|
|
|
apiVersion: v1
|
|
|
|
kind: Service
|
|
|
|
metadata:
|
2019-05-22 01:36:24 +00:00
|
|
|
namespace: kyverno
|
|
|
|
name: kyverno-svc
|
2019-03-21 13:57:30 +00:00
|
|
|
labels:
|
2019-05-22 01:36:24 +00:00
|
|
|
app: kyverno
|
2019-03-21 13:57:30 +00:00
|
|
|
spec:
|
|
|
|
ports:
|
|
|
|
- port: 443
|
|
|
|
targetPort: 443
|
|
|
|
selector:
|
2019-05-22 01:36:24 +00:00
|
|
|
app: kyverno
|
2019-03-21 15:25:36 +00:00
|
|
|
---
|
|
|
|
apiVersion: v1
|
|
|
|
kind: ServiceAccount
|
|
|
|
metadata:
|
2019-05-22 01:36:24 +00:00
|
|
|
name: kyverno-service-account
|
|
|
|
namespace: kyverno
|
2019-03-21 13:57:30 +00:00
|
|
|
---
|
2020-03-04 23:25:56 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
|
|
kind: ClusterRole
|
|
|
|
metadata:
|
2020-03-05 00:04:02 +00:00
|
|
|
name: kyverno:policyviolations
|
2020-03-04 23:25:56 +00:00
|
|
|
rules:
|
|
|
|
- apiGroups: ["kyverno.io"]
|
|
|
|
resources:
|
|
|
|
- policyviolations
|
|
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
---
|
2019-03-21 13:57:30 +00:00
|
|
|
kind: ClusterRoleBinding
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2019-03-21 13:57:30 +00:00
|
|
|
metadata:
|
2020-02-19 01:10:15 +00:00
|
|
|
name: kyverno:webhook
|
2019-03-21 13:57:30 +00:00
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: ClusterRole
|
2020-02-19 01:10:15 +00:00
|
|
|
name: kyverno:webhook
|
2019-03-21 13:57:30 +00:00
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
2019-05-22 01:36:24 +00:00
|
|
|
name: kyverno-service-account
|
|
|
|
namespace: kyverno
|
2019-03-21 13:57:30 +00:00
|
|
|
---
|
2020-02-19 01:10:15 +00:00
|
|
|
kind: ClusterRoleBinding
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2020-02-19 01:10:15 +00:00
|
|
|
metadata:
|
|
|
|
name: kyverno:userinfo
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: ClusterRole
|
|
|
|
name: kyverno:userinfo
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: kyverno-service-account
|
|
|
|
namespace: kyverno
|
|
|
|
---
|
|
|
|
kind: ClusterRoleBinding
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2020-02-19 01:10:15 +00:00
|
|
|
metadata:
|
|
|
|
name: kyverno:customresources
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: ClusterRole
|
|
|
|
name: kyverno:customresources
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: kyverno-service-account
|
|
|
|
namespace: kyverno
|
|
|
|
---
|
|
|
|
kind: ClusterRoleBinding
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2020-02-19 01:10:15 +00:00
|
|
|
metadata:
|
|
|
|
name: kyverno:policycontroller
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: ClusterRole
|
|
|
|
name: kyverno:policycontroller
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: kyverno-service-account
|
|
|
|
namespace: kyverno
|
|
|
|
---
|
|
|
|
kind: ClusterRoleBinding
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2020-02-19 01:10:15 +00:00
|
|
|
metadata:
|
|
|
|
name: kyverno:generatecontroller
|
|
|
|
roleRef:
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
kind: ClusterRole
|
|
|
|
name: kyverno:generatecontroller
|
|
|
|
subjects:
|
|
|
|
- kind: ServiceAccount
|
|
|
|
name: kyverno-service-account
|
|
|
|
namespace: kyverno
|
|
|
|
---
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2019-12-13 01:45:02 +00:00
|
|
|
kind: ClusterRole
|
|
|
|
metadata:
|
2020-02-19 01:10:15 +00:00
|
|
|
name: kyverno:webhook
|
2019-12-13 01:45:02 +00:00
|
|
|
rules:
|
2020-02-19 01:10:15 +00:00
|
|
|
# Dynamic creation of webhooks, events & certs
|
2020-02-11 21:43:36 +00:00
|
|
|
- apiGroups:
|
|
|
|
- '*'
|
|
|
|
resources:
|
|
|
|
- events
|
|
|
|
- mutatingwebhookconfigurations
|
|
|
|
- validatingwebhookconfigurations
|
|
|
|
- certificatesigningrequests
|
|
|
|
- certificatesigningrequests/approval
|
|
|
|
verbs:
|
|
|
|
- create
|
|
|
|
- delete
|
|
|
|
- get
|
|
|
|
- list
|
|
|
|
- patch
|
|
|
|
- update
|
|
|
|
- watch
|
2020-04-01 17:52:17 +00:00
|
|
|
- apiGroups:
|
|
|
|
- certificates.k8s.io
|
|
|
|
resources:
|
|
|
|
- certificatesigningrequests
|
|
|
|
- certificatesigningrequests/approval
|
|
|
|
- certificatesigningrequests/status
|
|
|
|
resourceNames:
|
|
|
|
- kubernetes.io/legacy-unknown
|
|
|
|
verbs:
|
|
|
|
- create
|
|
|
|
- delete
|
|
|
|
- get
|
|
|
|
- update
|
|
|
|
- watch
|
|
|
|
- apiGroups:
|
|
|
|
- certificates.k8s.io
|
|
|
|
resources:
|
|
|
|
- signers
|
|
|
|
resourceNames:
|
|
|
|
- kubernetes.io/legacy-unknown
|
|
|
|
verbs:
|
|
|
|
- approve
|
2020-02-19 01:10:15 +00:00
|
|
|
---
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2020-02-19 01:10:15 +00:00
|
|
|
kind: ClusterRole
|
|
|
|
metadata:
|
|
|
|
name: kyverno:userinfo
|
|
|
|
rules:
|
2020-02-11 21:43:36 +00:00
|
|
|
# get the roleRef for incoming api-request user
|
|
|
|
- apiGroups:
|
2020-02-19 01:10:15 +00:00
|
|
|
- "*"
|
2020-02-11 21:43:36 +00:00
|
|
|
resources:
|
|
|
|
- rolebindings
|
|
|
|
- clusterrolebindings
|
|
|
|
- configmaps
|
|
|
|
verbs:
|
|
|
|
- watch
|
2020-02-19 01:10:15 +00:00
|
|
|
---
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2019-12-13 01:45:02 +00:00
|
|
|
kind: ClusterRole
|
|
|
|
metadata:
|
2020-02-19 01:10:15 +00:00
|
|
|
name: kyverno:customresources
|
2019-12-13 01:45:02 +00:00
|
|
|
rules:
|
2020-02-11 21:43:36 +00:00
|
|
|
# Kyverno CRs
|
|
|
|
- apiGroups:
|
|
|
|
- '*'
|
2019-12-13 01:45:02 +00:00
|
|
|
resources:
|
2020-02-11 21:43:36 +00:00
|
|
|
- clusterpolicies
|
|
|
|
- clusterpolicies/status
|
|
|
|
- clusterpolicyviolations
|
|
|
|
- clusterpolicyviolations/status
|
2019-12-13 01:45:02 +00:00
|
|
|
- policyviolations
|
2020-02-11 21:43:36 +00:00
|
|
|
- policyviolations/status
|
|
|
|
- generaterequests
|
|
|
|
- generaterequests/status
|
|
|
|
verbs:
|
|
|
|
- create
|
|
|
|
- delete
|
|
|
|
- get
|
|
|
|
- list
|
|
|
|
- patch
|
|
|
|
- update
|
|
|
|
- watch
|
2020-02-19 01:10:15 +00:00
|
|
|
---
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2020-02-19 01:10:15 +00:00
|
|
|
kind: ClusterRole
|
|
|
|
metadata:
|
|
|
|
name: kyverno:policycontroller
|
|
|
|
rules:
|
2020-02-11 21:43:36 +00:00
|
|
|
# background processing, identify all existing resources
|
|
|
|
- apiGroups:
|
|
|
|
- '*'
|
|
|
|
resources:
|
|
|
|
- '*'
|
|
|
|
verbs:
|
|
|
|
- get
|
|
|
|
- list
|
2020-04-01 07:15:14 +00:00
|
|
|
- update
|
2020-02-19 01:10:15 +00:00
|
|
|
---
|
2020-02-20 19:08:44 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2020-02-19 01:10:15 +00:00
|
|
|
kind: ClusterRole
|
|
|
|
metadata:
|
|
|
|
name: kyverno:generatecontroller
|
|
|
|
rules:
|
2020-02-11 21:43:36 +00:00
|
|
|
# process generate rules to generate resources
|
|
|
|
- apiGroups:
|
2020-02-19 01:10:15 +00:00
|
|
|
- "*"
|
2020-02-11 21:43:36 +00:00
|
|
|
resources:
|
|
|
|
- namespaces
|
|
|
|
- networkpolicies
|
|
|
|
- secrets
|
|
|
|
- configmaps
|
|
|
|
- resourcequotas
|
|
|
|
- limitranges
|
2020-02-20 23:21:07 +00:00
|
|
|
- clusterroles
|
|
|
|
- rolebindings
|
|
|
|
- clusterrolebindings
|
2020-02-11 21:43:36 +00:00
|
|
|
verbs:
|
|
|
|
- create
|
|
|
|
- update
|
|
|
|
- delete
|
|
|
|
- get
|
|
|
|
# dynamic watches on trigger resources for generate rules
|
|
|
|
# re-evaluate the policy if the resource is updated
|
|
|
|
- apiGroups:
|
|
|
|
- '*'
|
|
|
|
resources:
|
|
|
|
- namespaces
|
|
|
|
verbs:
|
2020-02-20 23:21:07 +00:00
|
|
|
- watch
|
2019-12-13 01:45:02 +00:00
|
|
|
---
|
2019-10-28 20:00:20 +00:00
|
|
|
apiVersion: v1
|
|
|
|
kind: ConfigMap
|
|
|
|
metadata:
|
|
|
|
name: init-config
|
|
|
|
namespace: kyverno
|
|
|
|
data:
|
|
|
|
# resource types to be skipped by kyverno policy engine
|
|
|
|
resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
|
|
|
|
---
|
2019-10-14 22:24:59 +00:00
|
|
|
apiVersion: apps/v1
|
2019-03-21 15:25:36 +00:00
|
|
|
kind: Deployment
|
2019-03-21 13:57:30 +00:00
|
|
|
metadata:
|
2019-05-22 01:36:24 +00:00
|
|
|
namespace: kyverno
|
2019-06-27 18:38:34 +00:00
|
|
|
name: kyverno
|
2019-03-21 13:57:30 +00:00
|
|
|
labels:
|
2019-05-22 01:36:24 +00:00
|
|
|
app: kyverno
|
2019-03-21 13:57:30 +00:00
|
|
|
spec:
|
2019-10-14 22:24:59 +00:00
|
|
|
selector:
|
|
|
|
matchLabels:
|
|
|
|
app: kyverno
|
2019-03-21 15:25:36 +00:00
|
|
|
replicas: 1
|
2019-03-21 13:57:30 +00:00
|
|
|
template:
|
|
|
|
metadata:
|
|
|
|
labels:
|
2019-05-22 01:36:24 +00:00
|
|
|
app: kyverno
|
2019-03-21 13:57:30 +00:00
|
|
|
spec:
|
2019-05-22 01:36:24 +00:00
|
|
|
serviceAccountName: kyverno-service-account
|
2019-11-18 19:41:37 +00:00
|
|
|
initContainers:
|
|
|
|
- name: kyverno-pre
|
2020-04-02 03:48:32 +00:00
|
|
|
image: nirmata/kyvernopre:v1.1.5
|
2019-03-21 13:57:30 +00:00
|
|
|
containers:
|
2019-05-22 01:36:24 +00:00
|
|
|
- name: kyverno
|
2020-04-02 03:48:32 +00:00
|
|
|
image: nirmata/kyverno:v1.1.5
|
2019-10-29 01:37:41 +00:00
|
|
|
args:
|
|
|
|
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
|
2019-10-28 20:23:52 +00:00
|
|
|
# customize webhook timout
|
|
|
|
# - "--webhooktimeout=4"
|
2019-03-21 15:25:36 +00:00
|
|
|
ports:
|
|
|
|
- containerPort: 443
|
2019-10-19 00:49:30 +00:00
|
|
|
env:
|
|
|
|
- name: INIT_CONFIG
|
2020-04-01 07:15:14 +00:00
|
|
|
value: init-config
|