mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

updated kyverno namespace readme

This commit is contained in:
NoSkillGirl 2020-07-02 13:34:18 +05:30
parent 5e9cc1d669
commit 0487bfb04b


@ -11,11 +11,11 @@ You can install Kyverno using the Helm chart or YAML files in this repository.
## Add the nirmata Helm repository
helm repo add kyverno https://nirmata.github.io/kyverno/
## Create the Kyverno namespace
kubectl create ns kyverno
## Create a namespace
kubectl create ns <namespace>
## Install the kyverno helm chart
helm install kyverno --namespace kyverno kyverno/kyverno
helm install kyverno --namespace <namespace> kyverno/kyverno
```
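Review bot: replacing the literal `kyverno` with `<namespace>` in `kubectl create ns <namespace>` and `helm install kyverno --namespace <namespace> kyverno/kyverno` turns a copy-pasteable Helm quickstart into one the shell rejects until the reader edits it, and nothing in this hunk says what value to substitute. Keep `kyverno` as the shown value and add one sentence that any other namespace may be used instead, or at minimum state that `<namespace>` is `kyverno` by default so the Helm steps still agree with the YAML install text further down.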
@ -35,6 +35,8 @@ To install Kyverno in a cluster that supports certificate signing, run the follo
Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the [install.yaml] and update the image tag.
Also, by default kyverno in installed in "kyverno" namespace. To install in different namespace, you can edit the [install.yaml] and update the namespace.
To check the Kyverno controller status, run the command:
```sh
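Review bot: the added sentence 'Also, by default kyverno in installed in "kyverno" namespace' has a typo (`in installed` should be `is installed`), and 'update the namespace' understates the edit: the namespace appears on more than one resource in the manifest (the later hunk shows both a Namespace object and a Service carrying it), so a reader who changes a single field gets a half-moved install. Suggested wording: 'By default Kyverno is installed in the `kyverno` namespace. To install in a different namespace, edit every `namespace:` reference in [install.yaml] (see the section on installing in a specific namespace below).'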
@ -42,17 +44,17 @@ To check the Kyverno controller status, run the command:
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
## Check pod status
kubectl get pods -n kyverno
kubectl get pods -n <namespace>
````
If the Kyverno controller is not running, you can check its status and logs for errors:
````sh
kubectl describe pod <kyverno-pod-name> -n kyverno
kubectl describe pod <kyverno-pod-name> -n <namespace>
````
````sh
kubectl logs <kyverno-pod-name> -n kyverno
kubectl logs <kyverno-pod-name> -n <namespace>
````
### Option 2: Use your own CA-signed certificate
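Review bot: the command at the top of this hunk, `kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml`, applies the upstream manifest unchanged, which the previous hunk says installs into `kyverno`; so `kubectl get pods -n <namespace>` and the `describe`/`logs` commands that follow return nothing unless the reader substitutes `kyverno` or has already edited the manifest. Either keep `-n kyverno` in this Option 1 section, or add a sentence that `<namespace>` is `kyverno` for an unmodified install.yaml. Separately, the fence opened with ```sh is closed with four backticks; use the same count on both ends or the block renders inconsistently.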
@ -85,10 +87,10 @@ Among the files that will be generated, you can use the following files to creat
To create the required secrets, use the following commands (do not change the secret names):
````bash
kubectl create ns kyverno
kubectl -n kyverno create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key
kubectl annotate secret kyverno-svc.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true
kubectl -n kyverno create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt
kubectl create ns <namespace>
kubectl -n <namespace> create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key
kubectl annotate secret kyverno-svc.kyverno.svc.kyverno-tls-pair -n <namespace> self-signed-cert=true
kubectl -n <namespace> create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt
````
**NOTE: The annotation on the TLS pair secret is used by Kyverno to identify the use of self-signed certificates and checks for the required root CA secret**
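Review bot: the secret names `kyverno-svc.kyverno.svc.kyverno-tls-pair` and `kyverno-svc.kyverno.svc.kyverno-tls-ca` still embed `kyverno` as the namespace segment while the `-n` flag on the same lines now says `<namespace>`, and the NOTE below insists the names must not change. Please confirm which it is: if the controller derives the expected secret name from its own namespace (the name reads like `<service>.<namespace>.svc`), the documented names are wrong for every non-default namespace and the doc should show the pattern; if the name is a fixed string, say so explicitly. In either case `webhook.crt` must carry the webhook service's DNS name for the namespace actually used, `kyverno-svc.<namespace>.svc`, because the API server verifies the webhook server certificate against that name when it calls the webhook; a certificate issued for `kyverno-svc.kyverno.svc` fails TLS verification in any other namespace and the admission webhook stops working. One sentence on that here would save a confusing outage.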
@ -161,7 +163,28 @@ e.g., change image tag from `latest` to the specific tag `v1.0.0`.
- name: kyverno
# image: nirmata/kyverno:latest
image: nirmata/kyverno:v1.0.0
To install in a specific namespace replace the namespace "kyverno" with your namespace.
Example:
````sh
apiVersion: v1
kind: Namespace
metadata:
name: <namespace>
````
````sh
apiVersion: v1
kind: Service
metadata:
labels:
app: kyverno
name: kyverno-svc
namespace: <namespace>
````
and in other place where namespace is mentioned.
To run kyverno:
````sh
kubectl create -f ./install.yaml
````
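Review bot: the two snippets after 'Example:' are YAML but are fenced as ````sh; tag them ````yaml. 'and in other place where namespace is mentioned' is ungrammatical and leaves the reader to hunt for the remaining references by hand; if the manifest binds a ServiceAccount through a RoleBinding or ClusterRoleBinding, a missed `namespace:` on the subject yields a controller that starts but has no permissions. Either enumerate the resources that must change or give the mechanical replacement, e.g. `sed 's/namespace: kyverno/namespace: <namespace>/g' install.yaml > install-custom.yaml`, and point out that the Namespace object's `metadata.name` (shown above as `name: <namespace>`) is not caught by that pattern and must be changed separately.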
@ -169,17 +192,17 @@ kubectl create -f ./install.yaml
To check the Kyverno controller status, run the command:
````sh
kubectl get pods -n kyverno
kubectl get pods -n <namespace>
````
If the Kyverno controller is not running, you can check its status and logs for errors:
````sh
kubectl describe pod <kyverno-pod-name> -n kyverno
kubectl describe pod <kyverno-pod-name> -n <namespace>
````
````sh
kubectl logs <kyverno-pod-name> -n kyverno
kubectl logs <kyverno-pod-name> -n <namespace>
````
Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh)
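Review bot: this status/describe/logs block is a verbatim copy of the one in Option 1 above with the same `<namespace>` substitutions; factor it into a single 'Check the controller status' subsection referenced from both options so the two stop drifting (they already differ in fence length). Also, the helper script linked on the last line creates the Kubernetes secrets itself, so now that the manual steps create them under `-n <namespace>` this hunk should state whether the script takes the namespace as an argument or must be edited; otherwise the script and the manual steps disagree about where the secrets land.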
@ -224,8 +247,7 @@ To run controller in this mode you should prepare a TLS key/certificate pair for
1. Run `sudo scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. It also registers a CustomResource policy.
2. Start the controller using the following command: `sudo KYVERNO_NAMESPACE=kyverno go run ./cmd/kyverno/main.go --kubeconfig=~/.kube/config --serverIP=<server_IP>`
2. Start the controller using the following command: `sudo KYVERNO_NAMESPACE=<namespace> go run ./cmd/kyverno/main.go --kubeconfig=~/.kube/config --serverIP=<server_IP>`. In case environment variable "KYVERNO_NAMESPACE" is not passed kyverno will run in its default namespace "kyverno".
# Filter Kubernetes resources that admission webhook should not process
The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that are not be processed can be filtered by adding a `ConfigMap` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`. The default name of this `ConfigMap` is `init-config` but can be changed by modifying the value of the environment variable `INIT_CONFIG` in the kyverno deployment dpec. `data.resourceFilters` must be a sequence of one or more `[<Kind>,<Namespace>,<Name>]` entries with `*` as wildcard. Thus, an item `[Node,*,*]` means that admissions of `Node` in any namespace and with any name will be ignored.
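Review bot: the rewritten step 2 makes the controller namespace configurable via `KYVERNO_NAMESPACE=<namespace>`, but the 'Filter Kubernetes resources' paragraph directly below still says the `init-config` `ConfigMap` must be created 'in namespace `kyverno`'. If the controller reads the ConfigMap from its own namespace (the one set by `KYVERNO_NAMESPACE`), say so here; if the location really is fixed to `kyverno`, a reader who followed this doc and created the ConfigMap in a custom namespace has resource filters the controller never reads, which changes which admission requests get policies applied to them, and that deserves an explicit warning. Minor: 'In case environment variable "KYVERNO_NAMESPACE" is not passed kyverno will run in its default namespace' reads better as 'If `KYVERNO_NAMESPACE` is not set, Kyverno defaults to the `kyverno` namespace'; step 1 has 'This scripts' for 'This script'; and the last paragraph has 'are not be processed' for 'are not to be processed' and 'deployment dpec' for 'deployment spec'.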