diff --git a/Makefile b/Makefile index bb92331e84..90e404b130 100644 --- a/Makefile +++ b/Makefile @@ -178,10 +178,6 @@ kustomize-crd: # guidance https://github.com/nirmata/kyverno/wiki/Generate-a-Release release: - # update image tag - cd ./definitions && kustomize edit set image nirmata/kyverno=nirmata/kyverno:$(IMAGE_TAG) - cd ./definitions && kustomize edit set image nirmata/kyvernopre=nirmata/kyvernopre:$(IMAGE_TAG) - kustomize build ./definitions > ./definitions/install.yaml kustomize build ./definitions > ./definitions/release/install.yaml diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 01a1cb3d58..ddd5367a5c 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: 1.1.9 -appVersion: v1.1.9 +version: 1.1.10 +appVersion: v1.1.10 icon: https://github.com/nirmata/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png description: Kubernetes Native Policy Management keywords: diff --git a/definitions/install.yaml b/definitions/install.yaml index 1f3d8b7c2f..fdb0690989 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -36,6 +36,10 @@ spec: type: array resources: properties: + annotations: + additionalProperties: + type: string + type: object kinds: items: type: string @@ -46,10 +50,6 @@ spec: items: type: string type: array - annotations: - type: object - additionalProperties: - type: string selector: properties: matchExpressions: @@ -130,6 +130,10 @@ spec: resources: minProperties: 1 properties: + annotations: + additionalProperties: + type: string + type: object kinds: items: type: string @@ -140,10 +144,6 @@ spec: items: type: string type: array - annotations: - type: object - additionalProperties: - type: string selector: properties: matchExpressions: 
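Review bot: After this hunk the `release` target no longer writes `./definitions/install.yaml`, yet that file is still committed and is updated in this same commit, so the two manifests can drift unless some other target (not visible here) regenerates it; a comment on the target such as `# release: rebuild the published manifest from ./definitions (image tags now come from definitions/kustomization.yaml)` would record the new workflow. Rebuilding `definitions/release/install.yaml` from `./definitions` also picks up whatever had drifted between the two: in the release/install.yaml section further down, the kyverno container loses `--excludeGroupRole="system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler"` and the namespaced Policy CRD is added, neither of which the Chart version bump mentions. If the binary does not apply that group exclusion by default, requests from those groups become subject to policy evaluation in 1.1.10, so the release step should diff the rebuilt manifest against the previous release before publishing it.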
@@ -885,6 +885,37 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-policies +rules: +- apiGroups: + - kyverno.io + resources: + - policies + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: kyverno:edit-policies-policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + - policies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: name: kyverno:policyviolations rules: @@ -913,39 +944,6 @@ rules: - list - watch --- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - name: kyverno:admin-policies -rules: -- apiGroups: - - kyverno.io - resources: - - policies - verbs: - - "*" ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: kyverno:edit-policies-policyviolations -rules: -- apiGroups: - - kyverno.io - resources: - - policyviolations - - policies - verbs: - - get - - list - - watch ---- - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: @@ -1081,7 +1079,7 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: nirmata/kyverno:v1.1.9 + image: nirmata/kyverno:v1.1.10 imagePullPolicy: Always livenessProbe: failureThreshold: 4 @@ -1113,7 +1111,7 @@ spec: cpu: 100m memory: 50Mi initContainers: - - image: nirmata/kyvernopre:v1.1.9 + - image: nirmata/kyvernopre:v1.1.10 imagePullPolicy: Always name: kyverno-pre serviceAccountName: kyverno-service-account diff --git a/definitions/k8s-resource/rbac.yaml b/definitions/k8s-resource/rbac.yaml index b984ebd30c..9ba5c15b14 100644 
--- a/definitions/k8s-resource/rbac.yaml +++ b/definitions/k8s-resource/rbac.yaml @@ -237,13 +237,14 @@ rules: apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: kyverno:view-policyviolations + name: kyverno:view-policies-policyviolations labels: rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: ["kyverno.io"] resources: - policyviolations + - policies verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 @@ -256,4 +257,35 @@ rules: - apiGroups: ["kyverno.io"] resources: - clusterpolicyviolations - verbs: ["get", "list", "watch"] \ No newline at end of file + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-policies +rules: +- apiGroups: + - kyverno.io + resources: + - policies + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: kyverno:edit-policies-policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + - policies + verbs: + - get + - list + - watch diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml index 86e3564ce5..9559fd57eb 100644 --- a/definitions/kustomization.yaml +++ b/definitions/kustomization.yaml @@ -8,7 +8,7 @@ resources: images: - name: nirmata/kyverno newName: nirmata/kyverno - newTag: v1.1.9 + newTag: v1.1.10 - name: nirmata/kyvernopre newName: nirmata/kyvernopre - newTag: v1.1.9 + newTag: v1.1.10 diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml index d47e77e8c0..fdb0690989 100644 --- a/definitions/release/install.yaml +++ b/definitions/release/install.yaml @@ -36,6 +36,10 @@ spec: type: array resources: properties: + annotations: + additionalProperties: + type: string + type: object kinds: items: type: string 
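Review bot: The two ClusterRoles appended at the end of rbac.yaml use block sequences and put `labels` before `name`, while every existing role in this file uses flow style (`apiGroups: ["kyverno.io"]`, `verbs: ["get", "list", "watch"]`) with `name` first; match the file so the roles read alike. `kyverno:admin-policies` grants `"*"` on `policies` — an open-ended verb set that also covers `deletecollection` and any verb added later — where the sibling roles enumerate their verbs; an explicit list is easier to audit, and the role deserves a comment such as `# Aggregated into the built-in admin role: namespace admins get full control of namespaced Policy objects (no grant on ClusterPolicy is added here).` `kyverno:edit-policies-policyviolations` is aggregated to `edit` but carries only get/list/watch, the same verbs as the view role it follows; if read-only access for editors is intended, say so (`# intentionally read-only: editors may inspect but not change policies`) so the name is not read as a write grant. The first hunk renames `kyverno:view-policyviolations` to `kyverno:view-policies-policyviolations`; any documentation or binding that referenced the old name (not visible here) would need the same update.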
@@ -126,6 +130,10 @@ spec: resources: minProperties: 1 properties: + annotations: + additionalProperties: + type: string + type: object kinds: items: type: string 
@@ -408,6 +416,269 @@ spec: --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +metadata: + name: policies.kyverno.io +spec: + group: kyverno.io + names: + kind: Policy + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + background: + type: boolean + rules: + items: + properties: + exclude: + properties: + clusterRoles: + items: + type: string + type: array + resources: + properties: + kinds: + items: + type: string + type: array + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + type: object + generate: + properties: + apiVersion: + type: string + clone: + properties: + name: + type: string + namespace: + type: string + required: + - namespace + - name + type: object + data: + AnyValue: {} + kind: + type: string + name: + type: string + namespace: + type: string + synchronize: + type: boolean + required: + - kind + - name + type: object + match: + properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 + properties: + kinds: + items: + type: string + type: array + name: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: 
string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: + AnyValue: {} + patchStrategicMerge: + AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + patchesJson6902: + type: string + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + - In + - NotIn + type: string + value: + anyOf: + - type: string + - items: {} + type: array + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: name: policyviolations.kyverno.io spec: 
@@ -614,6 +885,37 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-policies +rules: +- apiGroups: + - kyverno.io + resources: + - policies + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: kyverno:edit-policies-policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + - policies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: name: kyverno:policyviolations rules: @@ -647,12 +949,13 @@ kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" - name: kyverno:view-policyviolations + name: kyverno:view-policies-policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations + - policies verbs: - get - list @@ -766,7 +1069,6 @@ spec: containers: - args: - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] - - --excludeGroupRole="system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler" - -v=2 env: - name: INIT_CONFIG @@ -777,7 +1079,7 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: nirmata/kyverno:v1.1.9 + image: nirmata/kyverno:v1.1.10 imagePullPolicy: Always livenessProbe: failureThreshold: 4 @@ -809,7 +1111,7 @@ spec: cpu: 100m memory: 50Mi initContainers: - - image: nirmata/kyvernopre:v1.1.9 + - image: nirmata/kyvernopre:v1.1.10 imagePullPolicy: Always name: kyverno-pre serviceAccountName: kyverno-service-account