diff --git a/definitions/MutatingWebhookConfiguration_debug.yaml b/definitions/MutatingWebhookConfiguration_debug.yaml
deleted file mode 100644
index e3be018429..0000000000
--- a/definitions/MutatingWebhookConfiguration_debug.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Example of MutatingWebhookConfiguration which can be used for debug, when controller is placed on master node
-# To register webhook for debug, replace ${CA_BUNDLE} with corresponding data from ~/.kube/config and create this resource
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
- name: nirmata-kyverno-webhook-cfg-debug
- labels:
- app: kyverno
-webhooks:
- - name: webhook.nirmata.kyverno
- clientConfig:
- url: "https://localhost/mutate"
- caBundle: ${CA_BUNDLE}
- rules:
- - operations: [ "CREATE" ]
- resources: [ "*/*" ]
- apiGroups: [ "*" ]
- apiVersions: [ "*" ]
diff --git a/definitions/docker-registry-key.yaml b/definitions/docker-registry-key.yaml
deleted file mode 100644
index d5fae24abd..0000000000
--- a/definitions/docker-registry-key.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: docker-registry-key
- namespace: kube-system
-data:
- .dockerconfigjson: DOCKER_CONFIG_JSON_IN_BASE64
-type: kubernetes.io/dockerconfigjson
diff --git a/definitions/install.yaml b/definitions/install.yaml
index b776db014f..2c02576544 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -300,8 +300,13 @@ spec:
 serviceAccountName: kyverno-service-account
 containers:
 - name: kyverno
- image: nirmata/kyverno:v0.10.0
- args: ["--filterK8Resources","[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"]
+ image: nirmata/kyverno:latest
+ args:
+ - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
+ # customize webhook timout
+ # - "--webhooktimeout=4"
+ # open one of the profiling flag here
+ # - "--cpu=true"
 ports:
 - containerPort: 443
 securityContext:
diff --git a/definitions/install_custom_args.yaml b/definitions/install_custom_args.yaml
deleted file mode 100644
index 2019b0d01a..0000000000
--- a/definitions/install_custom_args.yaml
+++ /dev/null
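Review bot: The new `image: nirmata/kyverno:latest` replaces the pinned `v0.10.0` with a floating tag, so every Pod restart or reschedule may pull a different build and the install manifest no longer describes a reproducible, reviewable artifact. For the production install manifest a pinned release tag, or better an immutable digest such as `nirmata/kyverno@sha256:<digest>` (placeholder), is the safer default; a floating tag belongs at most in the debug manifest. Separately, the added comment `# customize webhook timout` has a typo and should read `# customize webhook timeout`. The Deployment's container spec continues outside the hunk, so the `securityContext` block that follows is not visible here.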
@@ -1,249 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterpolicies.kyverno.io -spec: - group: kyverno.io - versions: - - name: v1alpha1 - served: true - storage: true - scope: Cluster - names: - kind: ClusterPolicy - plural: clusterpolicies - singular: clusterpolicy - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - required: - - rules - properties: - # default values to be handled by user - validationFailureAction: - type: string - enum: - - enforce # blocks the resorce api-reques if a rule fails. Default behavior - - audit # allows resource creationg and reports the failed validation rules as violations - rules: - type: array - items: - type: object - required: - - name - - match - properties: - name: - type: string - match: - type: object - required: - - resources - properties: - resources: - type: object - required: - - kinds - properties: - kinds: - type: array - items: - type: string - name: - type: string - namespace: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - exclude: - type: object - required: - - resources - properties: - resources: - type: object - properties: - kinds: - type: array - items: - type: string - name: - type: string - namespace: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - mutate: - type: object - properties: - overlay: - AnyValue: {} - patches: - type: array - items: - type: object - required: - - path - - op - 
properties: - path: - type: string - op: - type: string - enum: - - add - - replace - - remove - value: - AnyValue: {} - validate: - type: object - required: - - pattern - properties: - message: - type: string - pattern: - AnyValue: {} - generate: - type: object - required: - - kind - - name - properties: - kind: - type: string - name: - type: string - clone: - type: object - required: - - namespace - - name - properties: - namespace: - type: string - name: - type: string - data: - AnyValue: {} ---- -kind: Namespace -apiVersion: v1 -metadata: - name: "kyverno" ---- -apiVersion: v1 -kind: Service -metadata: - namespace: kyverno - name: kyverno-svc - labels: - app: kyverno -spec: - ports: - - port: 443 - targetPort: 443 - selector: - app: kyverno ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: kyverno-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: kyverno - name: kyverno - labels: - app: kyverno -spec: - selector: - matchLabels: - app: kyverno - replicas: 1 - template: - metadata: - labels: - app: kyverno - spec: - serviceAccountName: kyverno-service-account - containers: - - name: kyverno - image: nirmata/kyverno:latest - args: - - "--webhooktimeout=4" - # open one of the profiling flag here - - "--cpu=true" - - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" - ports: - - containerPort: 443 - securityContext: - privileged: true - volumeMounts: - - mountPath: /opt/nirmata - name: profiling-volume - volumes: - - name: profiling-volume - hostPath: - path: /opt/nirmata - type: Directory \ No 
newline at end of file
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 028aa8d3c2..be2c2aec34 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -27,7 +27,7 @@ spec:
 type: string
 enum:
 - enforce # blocks the resorce api-reques if a rule fails.
- - audit # allows resource creationg and reports the failed validation rules as violations. Default
+ - audit # allows resource creation and reports the failed validation rules as violations. Default
 rules:
 type: array
 items:
@@ -206,8 +206,8 @@ spec:
 resource:
 type: object
 required:
- - kind
- - name
+ - kind
+ - name
 properties:
 kind:
 type: string
@@ -220,6 +220,24 @@ spec:
 items:
 type: object
 required:
- - name
- - type
- - message
\ No newline at end of file
+ - name
+ - type
+ - message
+ properties:
+ name:
+ type: string
+ type:
+ type: string
+ message:
+ type: string
+ managedResource:
+ type: object
+ required:
+ - kind
+ properties:
+ kind:
+ type: string
+ namespace:
+ type: string
+ creationBlocked:
+ type: bool
\ No newline at end of file
diff --git a/definitions/policy-example.yaml b/definitions/policy-example.yaml
deleted file mode 100644
index e973e96f08..0000000000
--- a/definitions/policy-example.yaml
+++ /dev/null
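Review bot: `type: bool` on the new `creationBlocked` property at the end of the third hunk is not a valid OpenAPI v3 schema type; the schema vocabulary spells it `boolean`, so the line should read `type: boolean`. Depending on the API server version the CRD is either rejected at apply time or accepted with that field left effectively unvalidated, and neither is what a status schema in a debug manifest should silently do. The file also still ends without a trailing newline after this change, as the `\ No newline at end of file` marker shows. The enclosing `openAPIV3Schema` definition starts well before this hunk, so the placement of the new `properties` block under `required` cannot be fully checked from here.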
@@ -1,85 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : clusterPolicy -metadata : - name : examples -spec : - # failurePolicy is optional. Defaults to stopOnError - failurePolicy: continueOnError, stopOnError - # The spec contains a list of rules. Each rule has a resource and an operation. - # Allowed operations are: - # - patch, configMapGenerator, secretGenerator - rules: - - resource: - # Allowed resource kinds: - # ConfigMap - # CronJob - # DaemonSet - # Deployment - # Endpoint - # HorizontalPodAutoscaler - # Ingress - # Job - # LimitRange - # Namespace - # NetworkPolicy - # PersistentVolumeClaim - # PodDisruptionBudget - # PodTemplate - # ResourceQuota - # Secret - # Service - # StatefulSet - kind : PodTemplateSpec - # name is optional. Either a name or selector must be specified. - name: - # selector is optional. Either a name or a selector must be specified. - selector: - matchLabels : - nirmata.io/environment.name : production - matchExpressions: - # a patch contains multiple entries of path, operation, value - # path: starts with the resource. if blank selects resource. - # operation: Add | Replace | Delete - # value: text, number, JSON string - patch : - - path : spec/terminationGracePeriodSeconds - operation : Add - value : 20 - - path : spec/containers/0/imagePullPolicy - operation : Add - value : Always - - resource: - # Kind needs to be Namespace, when operation is configMapGenerator - kind: Namespace - name: foo - configMapGenerator : - name: game-config-env-file - # copyFrom is optional. 
If specified, must point to a valid config map - copyFrom: - namespace: some-ns - name: some-other-config-map - data: - foo: bar - app.properties: / - foo1=bar1 - foo2=bar2 - ui.properties: / - foo1=bar1 - foo2=bar2 - - resource: - # Kind needs to be Namespace, when operation is secretGenerator - kind: Namespace - name: foo - secretGenerator : - name: game-secrets - copyFrom: - namespace: some-ns - name: some-other-secrets - data: # data is optional -status: - events: - # log of applied policies. We will need a way to distingush between failed - # and succeeded operations - - - diff --git a/documentation/installation.md b/documentation/installation.md index a97cc4e063..5191aa7f15 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -118,9 +118,9 @@ To build Kyverno in a development environment see: https://github.com/nirmata/ky To run controller in this mode you should prepare TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address. -1. Run scripts/deploy-controller-debug.sh --service=localhost --serverIP=, where is the IP address of the host where controller runs. This scripts will generate TLS certificate for debug webhook server and register this webhook in the cluster. Also it registers CustomResource Policy. +1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=`, where is the IP address of the host where controller runs. This scripts will generate TLS certificate for debug webhook server and register this webhook in the cluster. Also it registers CustomResource Policy. -2. Start the controller using the following command: sudo kyverno --kubeconfig=~/.kube/config --serverIP= +2. Start the controller using the following command: `sudo kyverno --kubeconfig=~/.kube/config --serverIP=` # Try Kyverno without a Kubernetes cluster