
Merge pull request #400 from nirmata/382_cleanup_definition_folder

clean up definitions folder
shuting 2019-10-25 14:09:01 -07:00 committed by GitHub
commit 2c9ef5c2d5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 33 additions and 370 deletions


@ -1,18 +0,0 @@
# Example of MutatingWebhookConfiguration which can be used for debug, when controller is placed on master node
# To register webhook for debug, replace ${CA_BUNDLE} with corresponding data from ~/.kube/config and create this resource
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: nirmata-kyverno-webhook-cfg-debug
labels:
app: kyverno
webhooks:
- name: webhook.nirmata.kyverno
clientConfig:
url: "https://localhost/mutate"
caBundle: ${CA_BUNDLE}
rules:
- operations: [ "CREATE" ]
resources: [ "*/*" ]
apiGroups: [ "*" ]
apiVersions: [ "*" ]


@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: docker-registry-key
namespace: kube-system
data:
.dockerconfigjson: DOCKER_CONFIG_JSON_IN_BASE64
type: kubernetes.io/dockerconfigjson


@ -300,8 +300,13 @@ spec:
serviceAccountName: kyverno-service-account
containers:
- name: kyverno
image: nirmata/kyverno:v0.10.0
args: ["--filterK8Resources","[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"]
image: nirmata/kyverno:latest
args:
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
# customize webhook timout
# - "--webhooktimeout=4"
# open one of the profiling flag here
# - "--cpu=true"
ports:
- containerPort: 443
securityContext:
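Review bot: `image: nirmata/kyverno:latest` drops the pinned `v0.10.0` tag on the kyverno container, so the admission controller image is no longer reproducible: a mutable tag can resolve to a different build on every pull and cannot be checked against a known digest. Pin the image to a release tag, ideally with its digest, e.g. `image: nirmata/kyverno:<release-tag>@sha256:<digest>` (both placeholders). This may be intended for a development manifest, but it is presumably the manifest users apply to clusters, so the pinned form is the safer default. The comment on the new args list also has a typo: `# customize webhook timout` should read `# customize webhook timeout`. The enclosing Deployment spec starts and ends outside this hunk.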


@ -1,249 +0,0 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
versions:
- name: v1alpha1
served: true
storage: true
scope: Cluster
names:
kind: ClusterPolicy
plural: clusterpolicies
singular: clusterpolicy
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
required:
- rules
properties:
# default values to be handled by user
validationFailureAction:
type: string
enum:
- enforce # blocks the resorce api-reques if a rule fails. Default behavior
- audit # allows resource creationg and reports the failed validation rules as violations
rules:
type: array
items:
type: object
required:
- name
- match
properties:
name:
type: string
match:
type: object
required:
- resources
properties:
resources:
type: object
required:
- kinds
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespace:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
exclude:
type: object
required:
- resources
properties:
resources:
type: object
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespace:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
mutate:
type: object
properties:
overlay:
AnyValue: {}
patches:
type: array
items:
type: object
required:
- path
- op
properties:
path:
type: string
op:
type: string
enum:
- add
- replace
- remove
value:
AnyValue: {}
validate:
type: object
required:
- pattern
properties:
message:
type: string
pattern:
AnyValue: {}
generate:
type: object
required:
- kind
- name
properties:
kind:
type: string
name:
type: string
clone:
type: object
required:
- namespace
- name
properties:
namespace:
type: string
name:
type: string
data:
AnyValue: {}
---
kind: Namespace
apiVersion: v1
metadata:
name: "kyverno"
---
apiVersion: v1
kind: Service
metadata:
namespace: kyverno
name: kyverno-svc
labels:
app: kyverno
spec:
ports:
- port: 443
targetPort: 443
selector:
app: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kyverno-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: kyverno
name: kyverno
labels:
app: kyverno
spec:
selector:
matchLabels:
app: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
spec:
serviceAccountName: kyverno-service-account
containers:
- name: kyverno
image: nirmata/kyverno:latest
args:
- "--webhooktimeout=4"
# open one of the profiling flag here
- "--cpu=true"
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
ports:
- containerPort: 443
securityContext:
privileged: true
volumeMounts:
- mountPath: /opt/nirmata
name: profiling-volume
volumes:
- name: profiling-volume
hostPath:
path: /opt/nirmata
type: Directory


@ -27,7 +27,7 @@ spec:
type: string
enum:
- enforce # blocks the resorce api-reques if a rule fails.
- audit # allows resource creationg and reports the failed validation rules as violations. Default
- audit # allows resource creation and reports the failed validation rules as violations. Default
rules:
type: array
items:
@ -206,8 +206,8 @@ spec:
resource:
type: object
required:
- kind
- name
- kind
- name
properties:
kind:
type: string
@ -220,6 +220,24 @@ spec:
items:
type: object
required:
- name
- type
- message
- name
- type
- message
properties:
name:
type: string
type:
type: string
message:
type: string
managedResource:
type: object
required:
- kind
properties:
kind:
type: string
namespace:
type: string
creationBlocked:
type: bool
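Review bot: `type: bool` under the newly added `creationBlocked` property is not a valid OpenAPI v3 type; the schema type is `boolean`, so the line should read `type: boolean`. Whether the API server rejects the CRD or silently accepts the property as effectively untyped will depend on the server version, so this is worth checking before release, since an untyped field would accept any value. The spelling fix in the first hunk and the `required` list changes in the second hunk look fine. The enclosing openAPIV3Schema starts outside this hunk.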


@ -1,85 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : clusterPolicy
metadata :
name : examples
spec :
# failurePolicy is optional. Defaults to stopOnError
failurePolicy: continueOnError, stopOnError
# The spec contains a list of rules. Each rule has a resource and an operation.
# Allowed operations are:
# - patch, configMapGenerator, secretGenerator
rules:
- resource:
# Allowed resource kinds:
# ConfigMap
# CronJob
# DaemonSet
# Deployment
# Endpoint
# HorizontalPodAutoscaler
# Ingress
# Job
# LimitRange
# Namespace
# NetworkPolicy
# PersistentVolumeClaim
# PodDisruptionBudget
# PodTemplate
# ResourceQuota
# Secret
# Service
# StatefulSet
kind : PodTemplateSpec
# name is optional. Either a name or selector must be specified.
name:
# selector is optional. Either a name or a selector must be specified.
selector:
matchLabels :
nirmata.io/environment.name : production
matchExpressions:
# a patch contains multiple entries of path, operation, value
# path: starts with the resource. if blank selects resource.
# operation: Add | Replace | Delete
# value: text, number, JSON string
patch :
- path : spec/terminationGracePeriodSeconds
operation : Add
value : 20
- path : spec/containers/0/imagePullPolicy
operation : Add
value : Always
- resource:
# Kind needs to be Namespace, when operation is configMapGenerator
kind: Namespace
name: foo
configMapGenerator :
name: game-config-env-file
# copyFrom is optional. If specified, must point to a valid config map
copyFrom:
namespace: some-ns
name: some-other-config-map
data:
foo: bar
app.properties: /
foo1=bar1
foo2=bar2
ui.properties: /
foo1=bar1
foo2=bar2
- resource:
# Kind needs to be Namespace, when operation is secretGenerator
kind: Namespace
name: foo
secretGenerator :
name: game-secrets
copyFrom:
namespace: some-ns
name: some-other-secrets
data: # data is optional
status:
events:
# log of applied policies. We will need a way to distingush between failed
# and succeeded operations


@ -118,9 +118,9 @@ To build Kyverno in a development environment see: https://github.com/nirmata/ky
To run controller in this mode you should prepare TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address.
1. Run scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>, where <server_IP> is the IP address of the host where controller runs. This scripts will generate TLS certificate for debug webhook server and register this webhook in the cluster. Also it registers CustomResource Policy.
1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate TLS certificate for debug webhook server and register this webhook in the cluster. Also it registers CustomResource Policy.
2. Start the controller using the following command: sudo kyverno --kubeconfig=~/.kube/config --serverIP=<server_IP>
2. Start the controller using the following command: `sudo kyverno --kubeconfig=~/.kube/config --serverIP=<server_IP>`
# Try Kyverno without a Kubernetes cluster