mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-04-08 18:15:48 +00:00
Code Activity

refactor: helm admission controller (part 1) (#6119)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-26 17:41:39 +01:00 committed by GitHub
parent 17b7bcb4ec
commit 04c4673153
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 475 additions and 415 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
charts/kyverno/templates/_helpers.tpl
View file

@ -38,15 +38,6 @@
{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Create the name of the service account to use */}}
{{- define "kyverno.serviceAccountName" -}}
{{- if .Values.rbac.serviceAccount.create -}}
{{ default (include "kyverno.fullname" .) .Values.rbac.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "kyverno.podDisruptionBudget.spec" -}}
{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}

16
charts/kyverno/templates/admission-controller/_helpers.tpl
View file

@ -1,5 +1,9 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.admission-controller.name" -}}
{{ template "kyverno.name" . }}-admission-controller
{{- end -}}
{{- define "kyverno.admission-controller.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
@ -13,3 +17,15 @@
(include "kyverno.labels.component" "admission-controller")
) -}}
{{- end -}}
{{- define "kyverno.admission-controller.roleName" -}}
{{ .Release.Name }}:admission-controller
{{- end -}}
{{- define "kyverno.admission-controller.serviceAccountName" -}}
{{- if .Values.rbac.serviceAccount.create -}}
{{ default (include "kyverno.admission-controller.name" .) .Values.rbac.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}

14
charts/kyverno/templates/clusterrole.yaml → charts/kyverno/templates/admission-controller/clusterrole.yaml
View file

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}
name: {{ template "kyverno.admission-controller.roleName" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
aggregationRule:
@ -13,7 +13,7 @@ aggregationRule:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
name: {{ template "kyverno.admission-controller.roleName" . }}:userinfo
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
@ -31,7 +31,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:policies
name: {{ template "kyverno.admission-controller.roleName" . }}:policies
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
@ -77,7 +77,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:view
name: {{ template "kyverno.admission-controller.roleName" . }}:view
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
@ -93,7 +93,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:generate
name: {{ template "kyverno.admission-controller.roleName" . }}:generate
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
@ -147,7 +147,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:events
name: {{ template "kyverno.admission-controller.roleName" . }}:events
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
@ -165,7 +165,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
name: {{ template "kyverno.admission-controller.roleName" . }}:webhook
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:

16
charts/kyverno/templates/admission-controller/clusterrolebinding.yaml Normal file
View file

@ -0,0 +1,16 @@
{{- if .Values.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.admission-controller.roleName" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.admission-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}

57
charts/kyverno/templates/admission-controller/role.yaml Normal file
View file

@ -0,0 +1,57 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.admission-controller.roleName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
# Allow update of Kyverno deployment annotations
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
{{- end }}

10
charts/kyverno/templates/rolebinding.yaml → charts/kyverno/templates/admission-controller/rolebinding.yaml
View file

@ -2,16 +2,16 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
name: {{ template "kyverno.admission-controller.roleName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.fullname" . }}:leaderelection
name: {{ template "kyverno.admission-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
- kind: ServiceAccount
name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}

9
charts/kyverno/templates/serviceaccount.yaml → charts/kyverno/templates/admission-controller/serviceaccount.yaml
View file

@ -2,11 +2,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.serviceAccountName" . }}
name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
{{- if .Values.rbac.serviceAccount.annotations }}
annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
{{- with .Values.rbac.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}

1
charts/kyverno/templates/cleanup-controller/_helpers.tpl
View file

@ -30,7 +30,6 @@
{{ .Release.Name }}:cleanup-controller
{{- end -}}
{{/* Create the name of the service account to use */}}
{{- define "kyverno.cleanup-controller.serviceAccountName" -}}
{{- if .Values.cleanupController.rbac.create -}}
{{ default (include "kyverno.cleanup-controller.name" .) .Values.cleanupController.rbac.serviceAccount.name }}

56
charts/kyverno/templates/cleanup-controller/role.yaml
View file

@ -8,33 +8,33 @@ metadata:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end -}}
{{- end -}}

6
charts/kyverno/templates/cleanup-controller/rolebinding.yaml
View file

@ -12,8 +12,8 @@ roleRef:
kind: Role
name: {{ template "kyverno.cleanup-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

16
charts/kyverno/templates/clusterrolebinding.yaml
View file

@ -1,16 +0,0 @@
{{- if .Values.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}

4
charts/kyverno/templates/deployment.yaml
View file

@ -60,7 +60,7 @@ spec:
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "kyverno.serviceAccountName" . }}
serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
@ -146,7 +146,7 @@ spec:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: {{ template "kyverno.serviceAccountName" . }}
value: {{ template "kyverno.admission-controller.serviceAccountName" . }}
- name: KYVERNO_SVC
value: {{ template "kyverno.serviceName" . }}
- name: TUF_ROOT

2
charts/kyverno/templates/helm-pre-delete-hook.yaml
View file

@ -12,7 +12,7 @@ metadata:
spec:
template:
spec:
serviceAccount: {{ template "kyverno.serviceAccountName" . }}
serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
containers:
- name: kubectl
image: {{ .Values.webhooksCleanup.image }}

6
charts/kyverno/templates/reports-controller/rolebinding.yaml
View file

@ -12,8 +12,8 @@ roleRef:
kind: Role
name: {{ template "kyverno.reports-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
- kind: ServiceAccount
name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

31
charts/kyverno/templates/role.yaml
View file

@ -1,31 +0,0 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
# Allow update of Kyverno deployment annotations
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- patch
- update
- watch
{{- end }}

2
charts/kyverno/values.yaml
View file

@ -75,7 +75,7 @@ config:
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
- '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'

635
config/install.yaml
View file

@ -10,6 +10,17 @@ metadata:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-admission-controller
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-cleanup-controller
namespace: kyverno
@ -31,17 +42,6 @@ metadata:
namespace: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kyverno
@ -55,7 +55,7 @@ data:
enableDefaultRegistryMutation: "true"
defaultRegistry: "docker.io"
generateSuccessEvents: "false"
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-*]"
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno-admission-controller][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-*]"
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
---
apiVersion: v1
@ -31304,6 +31304,202 @@ spec:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
aggregationRule:
clusterRoleSelectors:
- matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:userinfo
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:policies
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:view
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:generate
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ''
resources:
- namespaces
- configmaps
- secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:events
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:webhook
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admin-policies
labels:
@ -31485,202 +31681,6 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
aggregationRule:
clusterRoleSelectors:
- matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:userinfo
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:policies
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:view
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:generate
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ''
resources:
- namespaces
- configmaps
- secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:events
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:webhook
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:reports-controller
labels:
@ -31755,6 +31755,24 @@ rules:
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:admission-controller
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:admission-controller
subjects:
- kind: ServiceAccount
name: kyverno-admission-controller
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:cleanup-controller
labels:
@ -31773,24 +31791,6 @@ subjects:
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno
subjects:
- kind: ServiceAccount
name: kyverno
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:reports-controller
labels:
@ -31809,6 +31809,65 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kyverno:admission-controller
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
# Allow update of Kyverno deployment annotations
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kyverno:cleanup-controller
labels:
@ -31818,34 +31877,34 @@ metadata:
app.kubernetes.io/version: latest
namespace: kyverno
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -31877,37 +31936,24 @@ rules:
- patch
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kyverno:leaderelection
name: kyverno:admission-controller
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- patch
- update
- watch
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kyverno:admission-controller
subjects:
- kind: ServiceAccount
name: kyverno-admission-controller
namespace: kyverno
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@ -31924,9 +31970,9 @@ roleRef:
kind: Role
name: kyverno:cleanup-controller
subjects:
- kind: ServiceAccount
name: kyverno-cleanup-controller
namespace: kyverno
- kind: ServiceAccount
name: kyverno-cleanup-controller
namespace: kyverno
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@ -31943,28 +31989,9 @@ roleRef:
kind: Role
name: kyverno:reports-controller
subjects:
- kind: ServiceAccount
name: kyverno-reports-controller
namespace: kyverno
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:leaderelection
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kyverno:leaderelection
subjects:
- kind: ServiceAccount
name: kyverno
namespace: kyverno
- kind: ServiceAccount
name: kyverno-reports-controller
namespace: kyverno
---
apiVersion: v1
kind: Service
@ -32233,7 +32260,7 @@ spec:
- 'kyverno'
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno
serviceAccountName: kyverno-admission-controller
dnsPolicy: ClusterFirst
initContainers:
- name: kyverno-pre
@ -32317,7 +32344,7 @@ spec:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno
value: kyverno-admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
- name: TUF_ROOT