diff --git a/Makefile b/Makefile index e55bc7a454..3de092ebb6 100644 --- a/Makefile +++ b/Makefile @@ -154,4 +154,13 @@ kustomize-crd: # Generate install.yaml that have all resources for kyverno kustomize build ./definitions > ./definitions/install.yaml # Generate install_debug.yaml that for developer testing - kustomize build ./definitions/debug > ./definitions/install_debug.yaml \ No newline at end of file + kustomize build ./definitions/debug > ./definitions/install_debug.yaml + +# guidance https://github.com/nirmata/kyverno/wiki/Generate-a-Release +release: + # update image tag + cd ./definitions && kustomize edit set image nirmata/kyverno=nirmata/kyverno:$(IMAGE_TAG) + cd ./definitions && kustomize edit set image nirmata/kyvernopre=nirmata/kyvernopre:$(IMAGE_TAG) + + kustomize build ./definitions > ./definitions/install.yaml + kustomize build ./definitions > ./definitions/release/install.yaml diff --git a/README.md b/README.md index 4b5888ad5c..855303ba33 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ To check the version, enter `kubectl version`. Install Kyverno: ```console -kubectl create -f https://raw.githubusercontent.com/nirmata/kyverno/v1.1.9/definitions/install.yaml +kubectl create -f https://raw.githubusercontent.com/nirmata/kyverno/master/definitions/release/install.yaml ``` You can also install Kyverno using a [Helm chart](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#install-kyverno-using-helm). diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml index d58723a7cb..86e3564ce5 100644 --- a/definitions/kustomization.yaml +++ b/definitions/kustomization.yaml @@ -4,4 +4,11 @@ kind: Kustomization resources: - ./crds/ - ./manifest/ -- ./k8s-resource/ \ No newline at end of file +- ./k8s-resource/ +images: +- name: nirmata/kyverno + newName: nirmata/kyverno + newTag: v1.1.9 +- name: nirmata/kyvernopre + newName: nirmata/kyvernopre + newTag: v1.1.9 
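Review bot: `$(IMAGE_TAG)` is expanded unguarded in the `release` recipe, so a bare `make release` runs `kustomize edit set image nirmata/kyverno=nirmata/kyverno:` with an empty tag; that presumably writes an untagged (i.e. `latest`) reference into kustomization.yaml and then into `release/install.yaml`, which the README in this same commit tells users to install straight from `master`, and the deployment pulls with `imagePullPolicy: Always`. A release artefact that can silently float to `latest` is a supply-chain risk, so fail fast as the first recipe line: `@test -n "$(IMAGE_TAG)" || { echo "IMAGE_TAG is required (e.g. make release IMAGE_TAG=v1.1.9)" >&2; exit 1; }`. Two smaller points: `release` (and `kustomize-crd`) should be listed in `.PHONY` unless the top of the file, which is not visible here, already does so, and once the release image is published the tag should ideally be replaced by an `@sha256:` digest so the committed manifest refers to an immutable image.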
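Review bot: The two `images` entries pin only a mutable tag (`newTag: v1.1.9`), and the deployment they are rendered into uses `imagePullPolicy: Always`, so whoever can re-push that tag to Docker Hub changes what the Kyverno admission controller runs on its next restart. Kustomize's images transformer accepts `digest: sha256:…` in place of `newTag`, which would make the committed release manifest refer to an immutable artefact — worth adopting for the `release/` output even if `install.yaml` keeps following tags. The `newName` fields merely repeat `name` and can be dropped; `name` plus `newTag` (or `digest`) is sufficient.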
diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml new file mode 100644 index 0000000000..280c1d9548 --- /dev/null +++ b/definitions/release/install.yaml 
@@ -0,0 +1,821 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + kind: ClusterPolicy + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + background: + type: boolean + rules: + items: + properties: + exclude: + properties: + clusterRoles: + items: + type: string + type: array + resources: + properties: + kinds: + items: + type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + type: object + generate: + properties: + apiVersion: + type: string + clone: + properties: + name: + type: string + namespace: + type: string + required: + - namespace + - name + type: object + data: + AnyValue: {} + kind: + type: string + name: + type: string + namespace: + type: string + synchronize: + type: boolean + required: + - kind + - name + type: object + match: + properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 + properties: + kinds: + items: + type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + 
operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: + AnyValue: {} + patchStrategicMerge: + AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + patchesJson6902: + type: string + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + - In + - NotIn + type: string + value: + anyOf: + - type: string + - items: {} + type: array + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicyviolations.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + 
name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: ClusterPolicyViolation + plural: clusterpolicyviolations + shortNames: + - cpolv + singular: clusterpolicyviolation + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: generaterequests.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .spec.resource.namespace + description: The resource namespace that caused the violation + name: ResourceNamespace + type: string + - JSONPath: .status.state + description: Current state of generate request + name: status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: GenerateRequest + plural: generaterequests + shortNames: + - gr + singular: generaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: 
+ properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + required: + - policy + - resource + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: policyviolations.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: PolicyViolation + plural: policyviolations + shortNames: + - polv + singular: policyviolation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:customresources +rules: +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status + - policyviolations + - policyviolations/status + - generaterequests + - 
generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:generatecontroller +rules: +- apiGroups: + - '*' + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - create + - update + - delete + - get +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: +- apiGroups: + - '*' + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:webhook +rules: +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - signers + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: 
rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:view-clusterpolicyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - clusterpolicyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: kyverno:view-policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: 
+- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: v1 +data: + excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' +kind: ConfigMap +metadata: + name: init-config + namespace: kyverno +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: kyverno + name: kyverno-svc + namespace: kyverno +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kyverno +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: kyverno + name: kyverno + namespace: kyverno +spec: + replicas: 1 + selector: + matchLabels: + app: kyverno + template: + metadata: + labels: + app: kyverno + spec: + containers: + - args: + - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] + - --excludeGroupRole="system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler" + - -v=2 + env: + - name: INIT_CONFIG + value: init-config + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_SVC + value: kyverno-svc + image: nirmata/kyverno:v1.1.9 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 4 + httpGet: + path: /health/liveness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: kyverno + ports: + - containerPort: 443 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /health/readiness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 50Mi + initContainers: + - image: 
nirmata/kyvernopre:v1.1.9 + imagePullPolicy: Always + name: kyverno-pre + serviceAccountName: kyverno-service-account