mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-29 02:45:06 +00:00
Code Activity

tag v1.1.10

Browse source
This commit is contained in:
Shuting Zhao 2020-08-21 11:12:55 -07:00
parent 2717a03ab2
commit 1371da939b
6 changed files with 385 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Makefile
View file

@ -178,10 +178,6 @@ kustomize-crd:
# guidance https://github.com/nirmata/kyverno/wiki/Generate-a-Release
release:
# update image tag
cd ./definitions && kustomize edit set image nirmata/kyverno=nirmata/kyverno:$(IMAGE_TAG)
cd ./definitions && kustomize edit set image nirmata/kyvernopre=nirmata/kyvernopre:$(IMAGE_TAG)
kustomize build ./definitions > ./definitions/install.yaml
kustomize build ./definitions > ./definitions/release/install.yaml

4
charts/kyverno/Chart.yaml
View file

@ -1,7 +1,7 @@
apiVersion: v1
name: kyverno
version: 1.1.9
appVersion: v1.1.9
version: 1.1.10
appVersion: v1.1.10
icon: https://github.com/nirmata/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png
description: Kubernetes Native Policy Management
keywords:

84
definitions/install.yaml
View file

@ -36,6 +36,10 @@ spec:
type: array
resources:
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
@ -46,10 +50,6 @@ spec:
items:
type: string
type: array
annotations:
type: object
additionalProperties:
type: string
selector:
properties:
matchExpressions:
@ -130,6 +130,10 @@ spec:
resources:
minProperties: 1
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
@ -140,10 +144,6 @@ spec:
items:
type: string
type: array
annotations:
type: object
additionalProperties:
type: string
selector:
properties:
matchExpressions:
@ -885,6 +885,37 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
- policies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyviolations
rules:
@ -913,39 +944,6 @@ rules:
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
- policies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
@ -1081,7 +1079,7 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: nirmata/kyverno:v1.1.9
image: nirmata/kyverno:v1.1.10
imagePullPolicy: Always
livenessProbe:
failureThreshold: 4
@ -1113,7 +1111,7 @@ spec:
cpu: 100m
memory: 50Mi
initContainers:
- image: nirmata/kyvernopre:v1.1.9
- image: nirmata/kyvernopre:v1.1.10
imagePullPolicy: Always
name: kyverno-pre
serviceAccountName: kyverno-service-account

36
definitions/k8s-resource/rbac.yaml
View file

@ -237,13 +237,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:view-policyviolations
name: kyverno:view-policies-policyviolations
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["kyverno.io"]
resources:
- policyviolations
- policies
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
@ -256,4 +257,35 @@ rules:
- apiGroups: ["kyverno.io"]
resources:
- clusterpolicyviolations
verbs: ["get", "list", "watch"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
- policies
verbs:
- get
- list
- watch

4
definitions/kustomization.yaml
View file

@ -8,7 +8,7 @@ resources:
images:
- name: nirmata/kyverno
newName: nirmata/kyverno
newTag: v1.1.9
newTag: v1.1.10
- name: nirmata/kyvernopre
newName: nirmata/kyvernopre
newTag: v1.1.9
newTag: v1.1.10

310
definitions/release/install.yaml
View file

@ -36,6 +36,10 @@ spec:
type: array
resources:
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
@ -126,6 +130,10 @@ spec:
resources:
minProperties: 1
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
@ -408,6 +416,269 @@ spec:
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policies.kyverno.io
spec:
group: kyverno.io
names:
kind: Policy
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data:
AnyValue: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
kinds:
items:
type: string
type: array
name:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay:
AnyValue: {}
patchStrategicMerge:
AnyValue: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value:
AnyValue: {}
required:
- path
- op
type: object
type: array
patchesJson6902:
type: string
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern:
AnyValue: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- items: {}
type: array
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern:
AnyValue: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policyviolations.kyverno.io
spec:
@ -614,6 +885,37 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
- policies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyviolations
rules:
@ -647,12 +949,13 @@ kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: kyverno:view-policyviolations
name: kyverno:view-policies-policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
- policies
verbs:
- get
- list
@ -766,7 +1069,6 @@ spec:
containers:
- args:
- --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]
- --excludeGroupRole="system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler"
- -v=2
env:
- name: INIT_CONFIG
@ -777,7 +1079,7 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: nirmata/kyverno:v1.1.9
image: nirmata/kyverno:v1.1.10
imagePullPolicy: Always
livenessProbe:
failureThreshold: 4
@ -809,7 +1111,7 @@ spec:
cpu: 100m
memory: 50Mi
initContainers:
- image: nirmata/kyvernopre:v1.1.9
- image: nirmata/kyvernopre:v1.1.10
imagePullPolicy: Always
name: kyverno-pre
serviceAccountName: kyverno-service-account