diff --git a/.codeclimate.yml b/.codeclimate.yml index 95a96cfddb..cf3023aa6f 100644 --- a/.codeclimate.yml +++ b/.codeclimate.yml @@ -12,7 +12,7 @@ ratings: exclude_paths: - documentation/ +- charts - definitions -- gh-pages - samples -- scripts \ No newline at end of file +- scripts diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000000..f542064542 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,50 @@ +## Related issue + + + +**What type of PR is this?** + + +## Proposed changes + + + +## Checklist + + + +- [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md). +- [ ] I have added tests that prove my fix is effective or that my feature + works. +- [ ] I have added or changed [the documentation](documentation/). + +## Further comments + + diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md deleted file mode 100644 index 7f76f9d5bf..0000000000 --- a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md +++ /dev/null @@ -1,21 +0,0 @@ -**What type of PR is this?** -> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line: -> -> /kind api-change -> /kind bug -> /kind cleanup -> /kind design -> /kind documentation -> /kind failing-test -> /kind feature - -**What this PR does / why we need it**: - -**Which issue(s) this PR fixes**: - -Fixes # - -**Special notes for your reviewer**: diff --git a/.github/semantic.yml b/.github/semantic.yml new file mode 100644 index 0000000000..bf22245188 --- /dev/null +++ b/.github/semantic.yml @@ -0,0 +1,17 @@ +titleOnly: true +commitsOnly: false +titleAndCommits: false + +types: + - feat + - fix + - revert + - docs + - style + - refactor + - test + - build + - autogen + - security + - ci + - chore \ No newline at end of file 
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml deleted file mode 100644 index f507810838..0000000000 --- a/.github/workflows/helm-release.yaml +++ /dev/null @@ -1,45 +0,0 @@ -name: helm-package -on: - push: - tags: - - "*" - paths: - - 'charts/kyverno/**' -env: - HELM_CHART_URL: "https://nirmata.github.io/kyverno/helm-charts/" - -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - persist-credentials: false - - name: Install Helm - run: | - curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get - chmod 700 get_helm.sh - ./get_helm.sh - helm init --client-only - - name: Check Chart Version - run: | - helm repo add evalsocket ${{ env.HELM_CHART_URL }} || (echo "Kyverno Repository not available") - helm search nirmata/kyverno --version `cat charts/kyverno/Chart.yaml | grep '^version: [[:alnum:]]' | awk '{print $2}'` > HELM_CHART_STATUS.txt - HELM_CHART_STATUS=`cat HELM_CHART_STATUS.txt` - if [ "${HELM_CHART_STATUS}" != 'No results found' ]; then - echo 'Version already exist, impossible to continue...' - exit 1 - fi - - name: Check sintax - run: helm lint charts/kyverno/ - - name: Create package - run: | - mkdir -p output/helm-charts/ - helm package charts/kyverno/ -d output/helm-charts/ - - name: Release - uses: JamesIves/github-pages-deploy-action@releases/v3 - with: - ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }} - BRANCH: gh-pages - FOLDER: output diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 37a761ec1e..6cf40217d0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,9 +1,9 @@ -name: releaser +name: prereleaser on: push: tags: - + jobs: releaser: @@ -20,6 +20,7 @@ jobs: uses: actions/setup-go@v2 with: go-version: 1.14 + - uses: creekorful/goreportcard-action@v1.0 - name: Run GoReleaser uses: goreleaser/goreleaser-action@v2 
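Review bot: The added `- uses: creekorful/goreportcard-action@v1.0` pulls a third-party action by a mutable tag into the `releaser` job, so whoever controls that tag can run arbitrary code on the same runner and checked-out workspace that the GoReleaser step later uses with `secrets.ACCESS_TOKEN`. Pin it to a full commit SHA with the tag as a trailing comment, e.g. `- uses: creekorful/goreportcard-action@<full-sha> # v1.0`, or move the report-card step into a separate job that holds no secrets. The `releaser` job definition starts before this hunk.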
@@ -28,4 +29,12 @@ jobs: args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }} + - uses: J12934/helm-gh-pages-action@master + name: Run Helm Publish + with: + access-token: ${{ secrets.ACCESS_TOKEN }} + deploy-branch: gh-pages + charts-folder: charts + + diff --git a/.goreleaser.yml b/.goreleaser.yml index 04e726ebda..2595128777 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,9 +1,9 @@ -project_name: kyverno +project_name: kyverno-cli before: hooks: - go mod download builds: -- id: kyverno +- id: kyverno-cli main: cmd/cli/kubectl-kyverno/main.go binary: kyverno env: @@ -16,16 +16,16 @@ builds: - amd64 goarm: [6, 7] archives: -- id: kyverno-archive +- id: kyverno-cli-archive name_template: |- - kyverno_{{ .Tag }}_{{ .Os }}_{{ .Arch -}} + kyverno-cli_{{ .Tag }}_{{ .Os }}_{{ .Arch -}} {{- with .Arm -}} {{- if (eq . "6") -}}hf {{- else -}}v{{- . -}} {{- end -}} {{- end -}} builds: - - kyverno + - kyverno-cli replacements: 386: i386 amd64: x86_64 @@ -38,3 +38,12 @@ checksum: algorithm: sha256 release: prerelease: auto +changelog: + sort: asc + filters: + # commit messages matching the regexp listed here will be removed from + # the changelog + exclude: + - '^docs:' + - typo + diff --git a/Makefile b/Makefile index 56c3b92ddd..7645266947 100644 --- a/Makefile +++ b/Makefile 
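Review bot: `uses: J12934/helm-gh-pages-action@master` runs an unpinned branch with `access-token: ${{ secrets.ACCESS_TOKEN }}`, the same token the GoReleaser step above uses to create releases, so any commit to that action's master branch becomes code running with release and gh-pages push rights in this repository. Pin the action to a full commit SHA (`uses: J12934/helm-gh-pages-action@<full-sha> # master as of <date>`) and consider a token scoped only to what chart publishing needs. The deleted helm-release.yaml refused to continue when the chart version already existed in the repo index; unless this action does the same, re-running the workflow for an existing tag could silently overwrite an already-published chart tarball, which is worth confirming before relying on it. The trailing `+` blank lines after `charts-folder: charts` can be dropped.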
@@ -113,4 +113,17 @@ code-cov-report: $(CODE_COVERAGE_FILE_TXT)
 # transform to html format
 @echo " generating code coverage report"
 go tool cover -html=coverage.txt
- if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi;
\ No newline at end of file
+ if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi;
+
+# godownloader create downloading script for kyverno-cli
+godownloader:
+ godownloader .goreleaser.yml --repo nirmata/kyverno -o ./scripts/install-cli.sh --source="raw"
+
+# kustomize-crd will create install.yaml
+kustomize-crd:
+ # Create CRD for helm deployment Helm
+ kustomize build ./definitions/crds > ./charts/kyverno/crds/crds.yaml
+ # Generate install.yaml that have all resources for kyverno
+ kustomize build ./definitions > ./definitions/install.yaml
+ # Generate install_debug.yaml that for developer testing
+ kustomize build ./definitions/debug > ./definitions/install_debug.yaml
\ No newline at end of file
diff --git a/README.md b/README.md
index be1cd1eb0c..81020599e2 100644
--- a/README.md
+++ b/README.md
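Review bot: `godownloader` and `kustomize-crd` are command targets, not files, and nothing in this hunk declares them phony, so a file or directory named `godownloader` or `kustomize-crd` in the repository root would make `make` report them up to date and skip the recipe; add `.PHONY: godownloader kustomize-crd` unless a `.PHONY` line elsewhere in the Makefile already lists them. The three `kustomize build … > file` lines let the shell truncate the destination before kustomize runs, so a failing build leaves an empty `crds.yaml` or `install.yaml` in the tree that is easy to commit by mistake; writing to a temp file and renaming, e.g. `kustomize build ./definitions > ./definitions/install.yaml.tmp && mv ./definitions/install.yaml.tmp ./definitions/install.yaml`, avoids that. If I recall godownloader correctly, `--source="raw"` generates a script that fetches from raw.githubusercontent.com rather than release assets and does not check GoReleaser's `checksums.txt`, so confirm that the generated `scripts/install-cli.sh` still verifies checksums before it is documented for `curl | sh` use.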
@@ -20,7 +20,16 @@ Mutating policies can be written as overlays (similar to [Kustomize](https://kub Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources. -**NOTE** : Your Kubernetes server must be at or later than version v1.14. To check the version, enter kubectl version. +**NOTE** : Your Kubernetes cluster version must be above v1.14 which adds webook timeouts. To check the version, enter `kubectl version`. + +## Quick Start + +Install Kyverno: +```console +kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml +``` + +You can also install using the [Helm chart](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#install-kyverno-using-helm). As a next step, import [sample policies](https://github.com/nirmata/kyverno/blob/master/samples/README.md) and learn about [writing policies](https://github.com/nirmata/kyverno/blob/master/documentation/writing-policies.md). You can test policies using the [Kyverno cli](https://github.com/nirmata/kyverno/blob/master/documentation/kyverno-cli.md). See [docs](https://github.com/nirmata/kyverno/#documentation) for more details. ## Examples diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 412ac77b62..ca4633968f 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: 0.0.1 -appVersion: v1.1.5 +version: 1.1.6 +appVersion: v1.1.6 description: Kubernetes Native Policy Management keywords: - kubernetes diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index ea311dc2bd..b84617b4cc 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -3,7 +3,7 @@ [Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. It allows you to * Manage policies as Kubernetes resources. -* Validate, mutate, and generate configurations. +* Validate, mutate, and generate configurations for any resource. * Select resources based on labels and wildcards. * View policy enforcement as events. * Detect policy violations for existing resources. @@ -12,12 +12,10 @@ ```console ## Add the nirmata Helm repository -$ helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ +$ helm repo add kyverno https://nirmata.github.io/kyverno ## Install the kyverno helm chart -$ helm install --name my-release --namespace kyverno nirmata/kyverno - -$ helm install --create-namespace -n kyverno kyverno ./charts/kyverno +$ helm install kyverno --namespace kyverno kyverno/kyverno ``` ## Introduction 
@@ -29,12 +27,16 @@ This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.i Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno': ```console -$ helm install --namespace kyverno kyverno ./charts/kyverno +$ helm install kyverno --namespace kyverno kyverno ./charts/kyverno ``` -Note that Helm by default expects the namespace to already exist before running helm install. If you want Helm to create the namespace, add --create-namespace to the command. +Note that Helm by default expects the namespace to already exist before running helm install. Create the namespace using: -The command deploys kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. +```console +$ kubectl create ns kyverno +``` + +The command deploys Kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. ## Uninstalling the Chart diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml index 72b50024b6..db126cbcd0 100644 --- a/charts/kyverno/crds/crds.yaml +++ b/charts/kyverno/crds/crds.yaml 
@@ -4,465 +4,464 @@ metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicy plural: clusterpolicies - singular: clusterpolicy shortNames: - cpol + singular: clusterpolicy + scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: - status: {} spec: - required: - - rules properties: - # default values to be handled by user - validationFailureAction: - type: string - enum: - - enforce # blocks the resorce api-reques if a rule fails. - - audit # allows resource creation and reports the failed validation rules as violations. Default background: type: boolean rules: - type: array items: - type: object - required: - - name - - match properties: - name: - type: string - match: - type: object - required: - - resources - properties: - roles: - type: array - items: - type: string - clusterRoles: - type: array - items: - type: string - subjects: - type: array - items: - type: object - required: - - kind - - name - properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - namespace: - type: string - resources: - type: object - minProperties: 1 - properties: - kinds: - type: array - items: - type: string - name: - type: string - namespaces: - type: array - items: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string exclude: - type: object properties: - roles: - type: array - items: - type: string clusterRoles: - type: array items: type: string - subjects: type: array - items: - type: object - required: - - kind - - name - properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - namespace: - type: string resources: - type: object 
properties: kinds: - type: array items: type: string + type: array name: type: string namespaces: - type: array items: type: string + type: array selector: properties: - matchLabels: - type: object - additionalProperties: - type: string matchExpressions: - type: array items: - type: object - required: - - key - - operator properties: key: type: string operator: type: string values: - type: array items: type: string - preconditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - mutate: - type: object - properties: - overlay: - AnyValue: {} - patches: - type: array + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: items: - type: object - required: - - path - - op properties: - path: + apiGroup: type: string - op: + kind: type: string - enum: - - add - - replace - - remove - value: - AnyValue: {} - validate: + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array type: object - properties: - message: - type: string - pattern: - AnyValue: {} - anyPattern: - AnyValue: {} - deny: - properties: - conditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - properties: - operator: - type: string - enum: - - Equal - - Equals - - NotEqual - - NotEquals - key: - type: string - value: - type: string generate: - type: object - required: - - kind - - name properties: + clone: + properties: + name: + type: string + namespace: + type: string + required: + - namespace + - name + type: object + data: + AnyValue: {} kind: type: string name: type: string namespace: type: string - clone: - type: object - required: - - namespace - - name + required: + - kind + - name + type: object + match: + 
properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 properties: - namespace: - type: string + kinds: + items: + type: string + type: array name: type: string - data: + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + type: string + value: + type: string + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: + 
additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicyViolation plural: clusterpolicyviolations - singular: clusterpolicyviolation shortNames: - cpolv + singular: clusterpolicyviolation + scope: Cluster subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource - - rules properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string name: type: string + required: + - kind + - name + type: object rules: - type: array items: - type: object - required: - - name - - type - - message properties: + message: + type: string name: type: string type: type: string - message: - type: string ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: policyviolations.kyverno.io -spec: - group: kyverno.io + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules versions: - - name: v1 - served: true - 
storage: true - scope: Namespaced - names: - kind: PolicyViolation - plural: policyviolations - singular: policyviolation - shortNames: - - polv - subresources: - status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - validation: - openAPIV3Schema: - properties: - spec: - required: - - policy - - resource - - rules - properties: - policy: - type: string - resource: - type: object - required: - - kind - - name - properties: - kind: - type: string - name: - type: string - rules: - type: array - items: - type: object - required: - - name - - type - - message - properties: - name: - type: string - type: - type: string - message: - type: string + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .spec.resource.namespace + description: The resource namespace that caused the violation + name: ResourceNamespace + type: string + - JSONPath: .status.state + description: Current state of generate request + name: status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: 
v1 - served: true - storage: true - scope: Namespaced names: kind: GenerateRequest plural: generaterequests - singular: generaterequest shortNames: - gr + singular: generaterequest + scope: Namespaced subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: ResourceNamespace - type: string - description: The resource namespace that caused the violation - JSONPath: .spec.resource.namespace - - name: status - type : string - description: Current state of generate request - JSONPath: .status.state - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string - name: + name: type: string namespace: type: string + required: + - kind + - name + type: object + required: + - policy + - resource + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: policyviolations.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: PolicyViolation + plural: 
policyviolations + shortNames: + - polv + singular: policyviolation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true diff --git a/definitions/crds/crds.yaml b/definitions/crds/crds.yaml new file mode 100644 index 0000000000..aabb5ab308 --- /dev/null +++ b/definitions/crds/crds.yaml 
@@ -0,0 +1,468 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Cluster + names: + kind: ClusterPolicy + plural: clusterpolicies + singular: clusterpolicy + shortNames: + - cpol + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + status: {} + spec: + required: + - rules + properties: + # default values to be handled by user + validationFailureAction: + type: string + enum: + - enforce # blocks the resorce api-reques if a rule fails. + - audit # allows resource creation and reports the failed validation rules as violations. Default + background: + type: boolean + rules: + type: array + items: + type: object + required: + - name + - match + properties: + name: + type: string + match: + type: object + required: + - resources + properties: + roles: + type: array + items: + type: string + clusterRoles: + type: array + items: + type: string + subjects: + type: array + items: + type: object + required: + - kind + - name + properties: + kind: + type: string + apiGroup: + type: string + name: + type: string + namespace: + type: string + resources: + type: object + minProperties: 1 + properties: + kinds: + type: array + items: + type: string + name: + type: string + namespaces: + type: array + items: + type: string + selector: + properties: + matchLabels: + type: object + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + exclude: + type: object + properties: + roles: + type: array + items: + type: string + clusterRoles: + type: array + items: + type: string + subjects: + type: array + items: + type: object + required: + - kind + - name + properties: + kind: + type: string + apiGroup: + type: string 
+ name: + type: string + namespace: + type: string + resources: + type: object + properties: + kinds: + type: array + items: + type: string + name: + type: string + namespaces: + type: array + items: + type: string + selector: + properties: + matchLabels: + type: object + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + preconditions: + type: array + items: + type: object + required: + - key # can be of any type + - operator # typed + - value # can be of any type + mutate: + type: object + properties: + overlay: + AnyValue: {} + patches: + type: array + items: + type: object + required: + - path + - op + properties: + path: + type: string + op: + type: string + enum: + - add + - replace + - remove + value: + AnyValue: {} + validate: + type: object + properties: + message: + type: string + pattern: + AnyValue: {} + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + type: array + items: + type: object + required: + - key # can be of any type + - operator # typed + - value # can be of any type + properties: + operator: + type: string + enum: + - Equal + - Equals + - NotEqual + - NotEquals + key: + type: string + value: + type: string + generate: + type: object + required: + - kind + - name + properties: + kind: + type: string + name: + type: string + namespace: + type: string + clone: + type: object + required: + - namespace + - name + properties: + namespace: + type: string + name: + type: string + data: + AnyValue: {} +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicyviolations.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Cluster + names: + kind: ClusterPolicyViolation + plural: clusterpolicyviolations + singular: clusterpolicyviolation + 
shortNames: + - cpolv + subresources: + status: {} + additionalPrinterColumns: + - name: Policy + type: string + description: The policy that resulted in the violation + JSONPath: .spec.policy + - name: ResourceKind + type: string + description: The resource kind that cause the violation + JSONPath: .spec.resource.kind + - name: ResourceName + type: string + description: The resource name that caused the violation + JSONPath: .spec.resource.name + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + validation: + openAPIV3Schema: + properties: + spec: + required: + - policy + - resource + - rules + properties: + policy: + type: string + resource: + type: object + required: + - kind + - name + properties: + kind: + type: string + name: + type: string + rules: + type: array + items: + type: object + required: + - name + - type + - message + properties: + name: + type: string + type: + type: string + message: + type: string +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: policyviolations.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Namespaced + names: + kind: PolicyViolation + plural: policyviolations + singular: policyviolation + shortNames: + - polv + subresources: + status: {} + additionalPrinterColumns: + - name: Policy + type: string + description: The policy that resulted in the violation + JSONPath: .spec.policy + - name: ResourceKind + type: string + description: The resource kind that cause the violation + JSONPath: .spec.resource.kind + - name: ResourceName + type: string + description: The resource name that caused the violation + JSONPath: .spec.resource.name + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + validation: + openAPIV3Schema: + properties: + spec: + required: + - policy + - resource + - rules + properties: + policy: + type: string + resource: + type: object + required: + - kind + - name + properties: + 
kind: + type: string + name: + type: string + rules: + type: array + items: + type: object + required: + - name + - type + - message + properties: + name: + type: string + type: + type: string + message: + type: string +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: generaterequests.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Namespaced + names: + kind: GenerateRequest + plural: generaterequests + singular: generaterequest + shortNames: + - gr + subresources: + status: {} + additionalPrinterColumns: + - name: Policy + type: string + description: The policy that resulted in the violation + JSONPath: .spec.policy + - name: ResourceKind + type: string + description: The resource kind that cause the violation + JSONPath: .spec.resource.kind + - name: ResourceName + type: string + description: The resource name that caused the violation + JSONPath: .spec.resource.name + - name: ResourceNamespace + type: string + description: The resource namespace that caused the violation + JSONPath: .spec.resource.namespace + - name: status + type : string + description: Current state of generate request + JSONPath: .status.state + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + validation: + openAPIV3Schema: + properties: + spec: + required: + - policy + - resource + properties: + policy: + type: string + resource: + type: object + required: + - kind + - name + properties: + kind: + type: string + name: + type: string + namespace: + type: string \ No newline at end of file diff --git a/definitions/crds/kustomization.yaml b/definitions/crds/kustomization.yaml new file mode 100644 index 0000000000..8adb7f06ef --- /dev/null +++ b/definitions/crds/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./crds.yaml \ No newline at end of file 
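Review bot: The `ClusterPolicy` schema is non-structural (no `type: object` on `openAPIV3Schema` or on `spec`, and `AnyValue: {}` is not an OpenAPI keyword, so the API server presumably drops it), which under `apiextensions.k8s.io/v1beta1` means unknown fields are preserved and never rejected; a misspelled `validationFailureAction` or `exclude` key is accepted silently and the policy falls back to the `audit` default the comment documents, i.e. it fails open. Adding `type: object` at every object level, replacing `AnyValue: {}` with `x-kubernetes-preserve-unknown-fields: true` where arbitrary content is intended, and setting `spec.preserveUnknownFields: false` would make the API server reject typos; that needs Kubernetes 1.15+, which should be reconciled with the README's stated 1.14 floor. Also worth moving the inline comments on `validationFailureAction` into a `description:` so `kubectl explain` surfaces that `audit` is the default, since an operator may otherwise assume policies block by default.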
diff --git a/definitions/debug/kustomization.yaml b/definitions/debug/kustomization.yaml new file mode 100644 index 0000000000..504d3a843d --- /dev/null +++ b/definitions/debug/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../crds/ +- ../rbac/ \ No newline at end of file diff --git a/definitions/install.yaml b/definitions/install.yaml index 98dc5e7881..9fce19a6c8 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -1,490 +1,475 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicy plural: clusterpolicies - singular: clusterpolicy shortNames: - cpol + singular: clusterpolicy + scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: - status: {} spec: - required: - - rules properties: - # default values to be handled by user - validationFailureAction: - type: string - enum: - - enforce # blocks the resorce api-reques if a rule fails. - - audit # allows resource creation and reports the failed validation rules as violations. Default background: type: boolean rules: - type: array items: - type: object - required: - - name - - match properties: - name: - type: string - match: - type: object - required: - - resources - properties: - roles: - type: array - items: - type: string - clusterRoles: - type: array - items: - type: string - subjects: - type: array - items: - type: object - required: - - kind - - name - properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - namespace: - type: string - resources: - type: object - minProperties: 1 - properties: - kinds: - type: array - items: - type: string - name: - type: string - namespaces: - type: array - items: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string exclude: - type: object properties: - roles: - type: array - items: - type: string clusterRoles: - type: array items: type: string - subjects: type: array - items: - type: object - required: - - kind - - name - 
properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - namespace: - type: string resources: - type: object properties: kinds: - type: array items: type: string + type: array name: type: string namespaces: - type: array items: type: string + type: array selector: properties: - matchLabels: - type: object - additionalProperties: - type: string matchExpressions: - type: array items: - type: object - required: - - key - - operator properties: key: type: string operator: type: string values: - type: array items: type: string - preconditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - mutate: - type: object - properties: - overlay: - AnyValue: {} - patches: - type: array + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: items: - type: object - required: - - path - - op properties: - path: + apiGroup: type: string - op: + kind: type: string - enum: - - add - - replace - - remove - value: - AnyValue: {} - validate: + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array type: object - properties: - message: - type: string - pattern: - AnyValue: {} - anyPattern: - AnyValue: {} - deny: - properties: - conditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - properties: - operator: - type: string - enum: - - Equal - - Equals - - NotEqual - - NotEquals - key: - type: string - value: - type: string generate: - type: object - required: - - kind - - name properties: + clone: + properties: + name: + type: string + namespace: + type: string + required: + - namespace + - name + type: object + data: + AnyValue: {} kind: type: string name: type: string 
namespace: type: string - clone: - type: object - required: - - namespace - - name + required: + - kind + - name + type: object + match: + properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 properties: - namespace: - type: string + kinds: + items: + type: string + type: array name: type: string - data: + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + type: string + value: + type: string + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true --- 
apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicyViolation plural: clusterpolicyviolations - singular: clusterpolicyviolation shortNames: - cpolv + singular: clusterpolicyviolation + scope: Cluster subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource - - rules properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string name: type: string + required: + - kind + - name + type: object rules: - type: array items: - type: object - required: - - name - - type - - message properties: + message: + type: string name: type: string type: type: string - message: - type: string ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: policyviolations.kyverno.io -spec: - group: kyverno.io + required: + - name + - type + 
- message + type: object + type: array + required: + - policy + - resource + - rules versions: - - name: v1 - served: true - storage: true - scope: Namespaced - names: - kind: PolicyViolation - plural: policyviolations - singular: policyviolation - shortNames: - - polv - subresources: - status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - validation: - openAPIV3Schema: - properties: - spec: - required: - - policy - - resource - - rules - properties: - policy: - type: string - resource: - type: object - required: - - kind - - name - properties: - kind: - type: string - name: - type: string - rules: - type: array - items: - type: object - required: - - name - - type - - message - properties: - name: - type: string - type: - type: string - message: - type: string + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .spec.resource.namespace + description: The resource namespace that caused the violation + name: ResourceNamespace + type: string + - JSONPath: .status.state + description: Current state of generate request + name: 
status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Namespaced names: kind: GenerateRequest plural: generaterequests - singular: generaterequest shortNames: - gr + singular: generaterequest + scope: Namespaced subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: ResourceNamespace - type: string - description: The resource namespace that caused the violation - JSONPath: .spec.resource.namespace - - name: status - type : string - description: Current state of generate request - JSONPath: .status.state - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string - name: + name: type: string namespace: - type: string + type: string + required: + - kind + - name + type: object + required: + - policy + - resource + versions: + - name: v1 + served: true + storage: true --- -kind: Namespace -apiVersion: v1 -metadata: - name: "kyverno" ---- -apiVersion: v1 -kind: Service +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - namespace: kyverno - name: kyverno-svc - labels: - app: kyverno + name: policyviolations.kyverno.io spec: - ports: - - port: 443 - targetPort: 443 - selector: - app: kyverno + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: 
.spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: PolicyViolation + plural: policyviolations + shortNames: + - polv + singular: policyviolation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true --- apiVersion: v1 kind: ServiceAccount 
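Review bot: The regenerated clusterpolicies CRD loses the only documentation of the `validationFailureAction` values — the removed `- enforce # blocks the resorce api-reques if a rule fails.` and `- audit # allows resource creation and reports ... Default` comments — and the new `+ enum: + - enforce + - audit` block carries no `description`, so neither a reader of install.yaml nor `kubectl explain` can tell any more what the two values do or which is the default. Since this file appears to be generated (keys re-sorted alphabetically, every comment dropped), the text will not survive as a YAML comment; put it in the schema of the source CRD instead, e.g. `description: "enforce rejects the admission request when a rule fails; audit admits the resource and records the failed rules as a violation (default)."` on the `validationFailureAction` property. The same applies to the removed `# can be of any type` / `# typed` notes on the `preconditions` and `deny.conditions` items, which would be better expressed as a `description` on `key`, `operator` and `value`. If install.yaml is indeed the output of a build step, a leading `# Generated file — edit the sources under definitions/ instead` header would keep hand edits from being silently overwritten.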
@@ -492,147 +477,11 @@ metadata: name: kyverno-service-account namespace: kyverno --- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: kyverno:policyviolations -rules: -- apiGroups: ["kyverno.io"] - resources: - - policyviolations - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:webhook -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:userinfo -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:userinfo -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:customresources -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:customresources -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:policycontroller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:policycontroller -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:generatecontroller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:generatecontroller -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:webhook -rules: -# Dynamic creation of webhooks, events & certs -- apiGroups: - - '*' - resources: - - 
events - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - - certificatesigningrequests - - certificatesigningrequests/approval - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - - certificatesigningrequests/status - resourceNames: - - kubernetes.io/legacy-unknown - verbs: - - create - - delete - - get - - update - - watch -- apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - kubernetes.io/legacy-unknown - verbs: - - approve ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:userinfo -rules: -# get the roleRef for incoming api-request user -- apiGroups: - - "*" - resources: - - rolebindings - - clusterrolebindings - - configmaps - verbs: - - watch ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:customresources rules: -# Kyverno CRs - apiGroups: - '*' resources: @@ -647,35 +496,19 @@ rules: verbs: - create - delete - - get - - list + - get + - list - patch - update - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:policycontroller -rules: -# background processing, identify all existing resources -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:generatecontroller rules: -# process generate rules to generate resources - apiGroups: - - "*" + - '*' resources: - namespaces - networkpolicies @@ -691,8 +524,6 @@ rules: - update - delete - get -# dynamic watches on trigger resources for generate rules -# re-evaluate the policy if the resource is updated - apiGroups: - '*' resources: 
@@ -700,75 +531,267 @@ rules: verbs: - watch --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: +- apiGroups: + - '*' + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:webhook +rules: +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - signers + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:view-clusterpolicyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - clusterpolicyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: kyverno:view-policyviolations +rules: +- apiGroups: + - kyverno.io + 
resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- apiVersion: v1 +data: + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno -data: - # resource types to be skipped by kyverno policy engine - resourceFilters: 
"[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: kyverno + name: kyverno-svc + namespace: kyverno +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: - namespace: kyverno - name: kyverno labels: app: kyverno + name: kyverno + namespace: kyverno spec: + replicas: 1 selector: matchLabels: app: kyverno - replicas: 1 template: metadata: labels: app: kyverno spec: - serviceAccountName: kyverno-service-account - initContainers: - - name: kyverno-pre - image: nirmata/kyvernopre:v1.1.6-rc3 containers: - - name: kyverno - image: nirmata/kyverno:v1.1.6-rc3 - imagePullPolicy: Always - args: - - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" - # customize webhook timeout - #- "--webhooktimeout=4" - # enable profiling - # - "--profile" - - "-v=2" - ports: - - containerPort: 443 - env: - - name: INIT_CONFIG - value: init-config - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "128Mi" - livenessProbe: - httpGet: - path: /health/liveness - port: 443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 4 - successThreshold: 1 - readinessProbe: - httpGet: - path: /health/readiness - port: 443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 4 - successThreshold: 1 + - args: + - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] + - -v=2 + env: + - name: INIT_CONFIG + value: init-config + image: 
nirmata/kyverno:v1.1.6 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 4 + httpGet: + path: /health/liveness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: kyverno + ports: + - containerPort: 443 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /health/readiness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 50Mi + initContainers: + - image: nirmata/kyvernopre:v1.1.6 + name: kyverno-pre + serviceAccountName: kyverno-service-account diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 20e458ec85..f9b6133027 100644 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml 
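Review bot: The two new aggregated roles `kyverno:view-clusterpolicyviolations` and `kyverno:view-policyviolations` are both named view-* but carry different labels — the cluster-scoped one has `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, the namespaced one `rbac.authorization.k8s.io/aggregate-to-view: "true"`, and in the default role hierarchy anything aggregated into view also reaches edit and admin, so the two grants have very different audiences; if that asymmetry is intended, the source manifest should say why, otherwise both should use the same label. These two roles and the re-added `kyverno:policyviolations` are also declared with `apiVersion: rbac.authorization.k8s.io/v1beta1` while every other ClusterRole and ClusterRoleBinding in this hunk uses `rbac.authorization.k8s.io/v1`; RBAC v1beta1 is deprecated and was removed in Kubernetes 1.22, so `apiVersion: rbac.authorization.k8s.io/v1` should be used throughout. Separately, the rewritten kyverno container spec still sets no `securityContext` although its service account is bound to `kyverno:policycontroller`, which grants get/list/update on `'*'` resources in `'*'` apiGroups; adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` in the source Deployment would be a cheap hardening for a pod with that reach.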
@@ -1,477 +1,737 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicy plural: clusterpolicies - singular: clusterpolicy shortNames: - cpol + singular: clusterpolicy + scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: - status: {} spec: - required: - - rules properties: - # default values to be handled by user - validationFailureAction: - type: string - enum: - - enforce # blocks the resorce api-reques if a rule fails. - - audit # allows resource creation and reports the failed validation rules as violations. Default background: type: boolean rules: - type: array items: - type: object - required: - - name - - match properties: - name: - type: string - match: - type: object - required: - - resources - properties: - roles: - type: array - items: - type: string - clusterRoles: - type: array - items: - type: string - subjects: - type: array - items: - type: object - required: - - kind - - name - properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - namespace: - type: string - resources: - type: object - minProperties: 1 - properties: - kinds: - type: array - items: - type: string - name: - type: string - namespaces: - type: array - items: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string exclude: - type: object properties: - roles: - type: array - items: - type: string clusterRoles: - type: array items: type: string - subjects: type: array - items: - type: object - required: - - kind - - name - 
properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - namespace: - type: string resources: - type: object properties: kinds: - type: array items: type: string + type: array name: type: string namespaces: - type: array items: type: string + type: array selector: properties: - matchLabels: - type: object - additionalProperties: - type: string matchExpressions: - type: array items: - type: object - required: - - key - - operator properties: key: type: string operator: type: string values: - type: array items: type: string - preconditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - mutate: - type: object - properties: - overlay: - AnyValue: {} - patches: - type: array + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: items: - type: object - required: - - path - - op properties: - path: + apiGroup: type: string - op: + kind: type: string - enum: - - add - - replace - - remove - value: - AnyValue: {} - validate: + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array type: object - properties: - message: - type: string - pattern: - AnyValue: {} - anyPattern: - AnyValue: {} - deny: - properties: - conditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - properties: - operator: - type: string - enum: - - Equal - - Equals - - NotEqual - - NotEquals - key: - type: string - value: - type: string generate: - type: object - required: - - kind - - name properties: + clone: + properties: + name: + type: string + namespace: + type: string + required: + - namespace + - name + type: object + data: + AnyValue: {} kind: type: string name: type: string 
namespace: type: string - clone: - type: object - required: - - namespace - - name + required: + - kind + - name + type: object + match: + properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 properties: - namespace: - type: string + kinds: + items: + type: string + type: array name: type: string - data: + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + type: string + value: + type: string + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true --- 
apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicyViolation plural: clusterpolicyviolations - singular: clusterpolicyviolation shortNames: - cpolv + singular: clusterpolicyviolation + scope: Cluster subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource - - rules properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string name: type: string + required: + - kind + - name + type: object rules: - type: array items: - type: object - required: - - name - - type - - message properties: + message: + type: string name: type: string type: type: string - message: - type: string ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: policyviolations.kyverno.io -spec: - group: kyverno.io + required: + - name + - type + 
- message + type: object + type: array + required: + - policy + - resource + - rules versions: - - name: v1 - served: true - storage: true - scope: Namespaced - names: - kind: PolicyViolation - plural: policyviolations - singular: policyviolation - shortNames: - - polv - subresources: - status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - validation: - openAPIV3Schema: - properties: - spec: - required: - - policy - - resource - - rules - properties: - policy: - type: string - resource: - type: object - required: - - kind - - name - properties: - kind: - type: string - name: - type: string - rules: - type: array - items: - type: object - required: - - name - - type - - message - properties: - name: - type: string - type: - type: string - message: - type: string + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .spec.resource.namespace + description: The resource namespace that caused the violation + name: ResourceNamespace + type: string + - JSONPath: .status.state + description: Current state of generate request + name: 
status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Namespaced names: kind: GenerateRequest plural: generaterequests - singular: generaterequest shortNames: - gr + singular: generaterequest + scope: Namespaced subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: ResourceNamespace - type: string - description: The resource namespace that caused the violation - JSONPath: .spec.resource.namespace - - name: status - type: string - description: Current state of generate request - JSONPath: .status.state - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string - name: + name: type: string namespace: - type: string ---- + type: string + required: + - kind + - name + type: object + required: + - policy + - resource + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: policyviolations.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: 
ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: PolicyViolation + plural: policyviolations + shortNames: + - polv + singular: policyviolation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true +--- apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:customresources +rules: +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status + - policyviolations + - policyviolations/status + - generaterequests + - generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:generatecontroller +rules: +- apiGroups: + - '*' + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - create + - update + - delete + - get +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
ClusterRole +metadata: + name: kyverno:userinfo +rules: +- apiGroups: + - '*' + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:webhook +rules: +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - signers + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:view-clusterpolicyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - clusterpolicyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: kyverno:view-policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: 
ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: v1 +data: + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno -data: - # resource types to be skipped by kyverno policy engine - resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: kyverno + name: kyverno-svc + namespace: kyverno +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kyverno 
diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml new file mode 100644 index 0000000000..fd5415e6ba --- /dev/null +++ b/definitions/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./crds/ +- ./manifest/ +- ./rbac/ \ No newline at end of file diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml new file mode 100644 index 0000000000..1a197e0d3d --- /dev/null +++ b/definitions/manifest/deployment.yaml @@ -0,0 +1,64 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: kyverno + name: kyverno + labels: + app: kyverno +spec: + selector: + matchLabels: + app: kyverno + replicas: 1 + template: + metadata: + labels: + app: kyverno + spec: + serviceAccountName: kyverno-service-account + initContainers: + - name: kyverno-pre + image: nirmata/kyvernopre:v1.1.6 + containers: + - name: kyverno + image: nirmata/kyverno:v1.1.6 + imagePullPolicy: Always + args: + - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" + # customize webhook timeout + #- "--webhooktimeout=4" + # enable profiling + # - "--profile" + - "-v=2" + ports: + - containerPort: 443 + env: + - name: INIT_CONFIG + value: init-config + resources: + requests: + memory: "50Mi" + cpu: "100m" + limits: + memory: "128Mi" + livenessProbe: + httpGet: + path: /health/liveness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 4 + successThreshold: 1 + readinessProbe: + httpGet: + path: /health/readiness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 4 + successThreshold: 1 
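Review bot: Neither the `kyverno` container nor the `kyverno-pre` init container sets a `securityContext`, so a pod that serves an admission webhook under a cluster-wide service account starts with the image's default UID, privilege escalation allowed and the runtime's full default capability set. The restriction below is the usual baseline; `runAsNonRoot: true` requires the image to declare a non-root user, and because the server binds 443 a non-root process needs either an unprivileged listen port (keep the Service at `port: 443` and change `targetPort`) or `NET_BIND_SERVICE`, neither of which is visible from this manifest, so confirm against the image before applying it. The `resources` block has a memory limit but no CPU limit, and the init container has no `resources` at all; an overloaded webhook stalls admission for the whole cluster, so both should be bounded. The same filter list appears in `--filterK8Resources` and in the `init-config` ConfigMap, and which one takes precedence is not visible here; a comment on the argument naming the precedence, or dropping the duplicate, would keep the two from drifting apart.
```yaml
      containers:
      - name: kyverno
        image: nirmata/kyverno:v1.1.6
        # … unchanged: imagePullPolicy, args, ports, env, resources, probes …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
```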
diff --git a/definitions/manifest/kustomization.yaml b/definitions/manifest/kustomization.yaml new file mode 100644 index 0000000000..5fbc8ecbb3 --- /dev/null +++ b/definitions/manifest/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./deployment.yaml \ No newline at end of file diff --git a/definitions/rbac/kustomization.yaml b/definitions/rbac/kustomization.yaml new file mode 100644 index 0000000000..dbe45efc6e --- /dev/null +++ b/definitions/rbac/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./rbac.yaml \ No newline at end of file diff --git a/definitions/rbac/rbac.yaml b/definitions/rbac/rbac.yaml new file mode 100644 index 0000000000..f6cb27d727 --- /dev/null +++ b/definitions/rbac/rbac.yaml 
@@ -0,0 +1,266 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: "kyverno" +--- +apiVersion: v1 +kind: Service +metadata: + namespace: kyverno + name: kyverno-svc + labels: + app: kyverno +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kyverno +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policyviolations +rules: +- apiGroups: ["kyverno.io"] + resources: + - policyviolations + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 
kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:webhook +rules: +# Dynamic creation of webhooks, events & certs +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + resourceNames: + - kubernetes.io/legacy-unknown + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - signers + resourceNames: + - kubernetes.io/legacy-unknown + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: +# get the roleRef for incoming api-request user +- apiGroups: + - "*" + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:customresources +rules: +# Kyverno CRs +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status + - policyviolations + - policyviolations/status + - generaterequests + - generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +# background processing, identify all existing resources +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + 
name: kyverno:generatecontroller +rules: +# process generate rules to generate resources +- apiGroups: + - "*" + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - create + - update + - delete + - get +# dynamic watches on trigger resources for generate rules +# re-evaluate the policy if the resource is updated +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: init-config + namespace: kyverno +data: + # resource types to be skipped by kyverno policy engine + resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:view-policyviolations + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["kyverno.io"] + resources: + - policyviolations + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:view-clusterpolicyviolations + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: ["kyverno.io"] + resources: + - clusterpolicyviolations + verbs: ["get", "list", "watch"] \ No newline at end of file diff --git a/documentation/installation.md b/documentation/installation.md index dc41d0963f..db5e88015f 100644 --- a/documentation/installation.md +++ b/documentation/installation.md 
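Review bot: Every ClusterRole in this file uses `apiGroups: ['*']`, and `kyverno:policycontroller` pairs it with `resources: ['*']` plus `update`, so `kyverno-service-account` can read every Secret in the cluster and modify objects in any API group, which is far wider than the "identify all existing resources" comment describes. The Kyverno CRs live in one group and the binding lookups in one more, so `kyverno:customresources` and `kyverno:userinfo` can be scoped with `apiGroups: ["kyverno.io"]` and `apiGroups: ["rbac.authorization.k8s.io"]`, and the generate-controller rule can name the core, `networking.k8s.io` and `rbac.authorization.k8s.io` groups instead of the wildcard. If background processing genuinely needs `update` on arbitrary kinds (presumably for mutate rules applied to existing resources), a comment saying so, and `patch` instead of `update` if that is what the engine issues, would help the next reviewer. Three ClusterRoles are declared as `rbac.authorization.k8s.io/v1beta1` while the rest use `v1`; the beta version is deprecated and `v1` has been stable for years, so use `v1` throughout.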
@@ -7,15 +7,19 @@ You can install Kyverno using the Helm chart or YAML files in this repository. ## Install Kyverno using Helm ```sh + ## Add the nirmata Helm repository - helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ +helm repo add kyverno https://nirmata.github.io/kyverno/ + +## Create the Kyverno namespace +kubectl create ns kyverno ## Install the kyverno helm chart -helm install --name my-release --namespace kyverno nirmata/kyverno +helm install kyverno --namespace kyverno kyverno/kyverno ``` -Note: the namespace must be `kyverno`. +Note: the namespace must be `kyverno`. See issue #841. ## Install Kyverno using YAMLs @@ -31,15 +35,15 @@ Kyverno can request a CA signed certificate-key pair from `kube-controller-manag To install Kyverno in a cluster that supports certificate signing, run the following command on a host with kubectl `cluster-admin` access: -````sh -kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml -```` - Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the [install.yaml] and update the image tag. To check the Kyverno controller status, run the command: -````sh +```sh +## Install Kyverno +kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml + +## Check pod status kubectl get pods -n kyverno ```` diff --git a/documentation/kyverno-cli.md b/documentation/kyverno-cli.md index 05ae5590dc..85ff9d3b7f 100644 --- a/documentation/kyverno-cli.md +++ b/documentation/kyverno-cli.md 
@@ -1,10 +1,13 @@ -*[documentation](/README.md#documentation) / kyverno-cli* - +_[documentation](/README.md#documentation) / kyverno-cli_ # Kyverno CLI The Kyverno Command Line Interface (CLI) is designed to validate policies and test the behavior of applying policies to resources before adding the policy to a cluster. It can be used as a kubectl plugin and as a standalone CLI. +## Install the CLI + +The Kyverno CLI binary is distributed with each release. You can install the CLI for your platform from the [releases](https://github.com/nirmata/kyverno/releases) site. + ## Build the CLI You can build the CLI binary locally, then move the binary into a directory in your PATH. @@ -16,6 +19,12 @@ make cli mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno ``` +You can also use curl to install kyverno-cli + +```bash +curl -L https://raw.githubusercontent.com/nirmata/kyverno/master/scripts/install-cli.sh | bash +``` + ## Install via AUR (archlinux) You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay)) 
@@ -30,39 +39,55 @@ yay -S kyverno-git Prints the version of kyverno used by the CLI. -Example: +Example: + ``` kyverno version ``` #### Validate -Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description -files. Currently supports files with resource description in yaml. + +Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description +files. Currently supports files with resource description in YAML. Example: + ``` kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies ``` #### Apply + Applies policies on resources, and supports applying multiple policies on multiple resources in a single command. Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster. - Will return results to stdout. +Will return results to stdout. Apply to a resource: -``` + +```bash kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml ``` Apply to all matching resources in a cluster: -``` + +```bash kyverno apply /path/to/policy.yaml --cluster > policy-results.txt ``` Apply multiple policies to multiple resources: -``` + +```bash kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster ``` +##### Exit Codes -*Read Next >> [Sample Policies](/samples/README.md)* +The CLI exits with diffenent exit codes: + +| Message | Exit Code | +| ------------------------------------- | --------- | +| executes successfully | 0 | +| one or more policy rules are violated | 1 | +| policy validation failed | 2 | + +_Read Next >> [Sample Policies](/samples/README.md)_ diff --git a/pkg/engine/mutate/overlayCondition.go b/pkg/engine/mutate/overlayCondition.go index 56b19de4e9..97d0210e80 100755 --- a/pkg/engine/mutate/overlayCondition.go 
+++ b/pkg/engine/mutate/overlayCondition.go @@ -112,7 +112,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat // resource - A: B2 func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) { if reflect.TypeOf(resource) != reflect.TypeOf(overlay) { - log.Log.V(4).Info("Found anchor on different types of element: overlay %T, resource %T", overlay, resource) + log.Log.V(4).Info("Found anchor on different types of element", "overlay", overlay, "resource", resource) return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)) } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index df83bc4197..d1055db2d5 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -108,7 +108,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message) } else { if ruleResponse.Success && ruleResponse.Patches != nil { - logger.V(2).Info("inserted annotation for podTemplate") + logger.V(3).Info("inserted annotation for podTemplate") resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) } } diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go index e9f0b71bb3..8cf38db99c 100644 --- a/pkg/kyverno/apply/command.go +++ b/pkg/kyverno/apply/command.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "io/ioutil" + "os" "regexp" "time" 
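Review bot: The new structured log call changes what is recorded: the old message printed only the Go types (`%T`) of `overlay` and `resource`, whereas `"overlay", overlay, "resource", resource` serialises the full values, and since `resource` is by this package's naming a fragment of the object being mutated, a Secret's data can now land in the V(4) log. The error string on the next line still reports only the types, which is all the message needs, so keep the log at that level of detail: `log.Log.V(4).Info("Found anchor on different types of element", "overlayType", fmt.Sprintf("%T", overlay), "resourceType", fmt.Sprintf("%T", resource))`. compareOverlay continues outside this hunk.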
@@ -68,7 +69,8 @@ func Command() *cobra.Command { for _, policy := range policies { err := policy2.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController) if err != nil { - return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name)) + fmt.Printf("Policy %v is not valid\n", policy.Name) + os.Exit(3) } if policyHasVariables(*policy) { return sanitizedError.New(fmt.Sprintf("Policy %v is not valid - 'apply' does not support policies with variables", policy.Name)) @@ -89,7 +91,7 @@ func Command() *cobra.Command { resources, err := getResources(policies, resourcePaths, dClient) if err != nil { - return sanitizedError.New(fmt.Errorf("Issues fetching resources").Error()) + return sanitizedError.NewWithError("Failed to load resources", err) } for i, policy := range policies { @@ -241,7 +243,7 @@ func getResource(path string) ([]*unstructured.Unstructured, error) { } func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured) error { - + responseError := false fmt.Printf("\n\nApplying Policy %s on Resource %s/%s/%s\n", policy.Name, resource.GetNamespace(), resource.GetKind(), resource.GetName()) mutateResponse := engine.Mutate(engine.PolicyContext{Policy: *policy, NewResource: *resource}) @@ -252,6 +254,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst fmt.Printf("\n%d. %s", i+1, r.Message) } fmt.Printf("\n\n") + responseError = true } else { if len(mutateResponse.PolicyResponse.Rules) > 0 { fmt.Printf("\n\nMutation:") @@ -274,6 +277,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst fmt.Printf("\n%d. %s", i+1, r.Message) } fmt.Printf("\n\n") + responseError = true } else { if len(validateResponse.PolicyResponse.Rules) > 0 { fmt.Printf("\n\nValidation:") 
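Review bot: `os.Exit(3)` inside the cobra `RunE` closure terminates the process before cobra's error handling and any deferred cleanup run, and it introduces an exit status that the new "Exit Codes" table in `documentation/kyverno-cli.md` does not list (the table documents `2` for "policy validation failed", while `validate` exits `1` for the same condition). Prefer keeping `return sanitizedError.New(...)` and mapping error kinds to exit codes once in `main`, or at least agree on a single code for an invalid policy across both commands and document it. The enclosing RunE closure starts and ends outside this hunk.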
@@ -302,9 +306,13 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst fmt.Printf("\n%d. %s", i+1, r.Message) } fmt.Printf("\n\n") + responseError = true } } + if responseError == true{ + os.Exit(1) + } return nil } diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index 4744f51d3e..050bca3ea0 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -57,7 +57,8 @@ func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, error error) { } if errString != "" { - return nil, sanitizedError.New(("falied to extract policies")) + fmt.Println("falied to extract policies") + os.Exit(2) } policies = append(policies, getPolicies...) diff --git a/pkg/kyverno/sanitizedError/error.go b/pkg/kyverno/sanitizedError/error.go index 3c8ef003f7..9d0dbab0af 100644 --- a/pkg/kyverno/sanitizedError/error.go +++ b/pkg/kyverno/sanitizedError/error.go @@ -1,5 +1,7 @@ package sanitizedError +import "fmt" + type customError struct { message string } @@ -12,6 +14,11 @@ func New(message string) error { return customError{message: message} } +func NewWithError(message string, err error) error { + msg := fmt.Sprintf("%s \nCause: %s", message, err.Error()) + return customError{message: msg} +} + func IsErrorSanitized(err error) bool { if _, ok := err.(customError); !ok { return false diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go index a5ff93c937..a1b6f6eeaf 100644 --- a/pkg/kyverno/validate/command.go +++ b/pkg/kyverno/validate/command.go @@ -2,6 +2,7 @@ package validate import ( "fmt" + "os" "github.com/nirmata/kyverno/pkg/utils" 
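Review bot: `os.Exit(1)` at the end of `applyPolicyOnResource` fires on the first policy/resource pair that fails, but the function is called from the `for i, policy := range policies` loop in the command (presumably once per resource as well), so the remaining pairs are never evaluated and their results never printed, and the `return nil` below it is dead on that path. Return the outcome instead, e.g. `func applyPolicyOnResource(...) (bool, error)` with the caller accumulating failures, and exit once after the loop so deferred code and cobra's error path still run. `if responseError == true{` should read `if responseError {`, which is also what gofmt expects. applyPolicyOnResource starts outside this hunk.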
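Review bot: `GetPolicies` lives in `pkg/kyverno/common` and is shared by the `apply` and `validate` commands, so replacing the returned error with `os.Exit(2)` turns a library function into one that terminates whichever process calls it, which breaks callers that want to handle the failure themselves and makes the function untestable. Keep `return nil, sanitizedError.New(...)` and let each command decide its exit status; while here, fix the message typo, `"failed to extract policies"`. The function starts and ends outside this hunk.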
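Review bot: `NewWithError` appends `err.Error()` verbatim to the message, so whatever the package name suggests is being kept out of user output (file paths, API server responses, wrapped client errors such as the one from `getResources`) now reaches the user through the same `customError` type that `IsErrorSanitized` treats as safe to print. If that is intended, say so in a doc comment, `// NewWithError returns a sanitized error whose text includes the raw cause; do not pass errors that may carry secrets.`; if not, log the cause and return only `message`. The format string `"%s \nCause: %s"` also carries a stray space before the newline.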
@@ -34,15 +35,20 @@ func Command() *cobra.Command { return err } + invalidPolicyFound := false for _, policy := range policies { err = policyvalidate.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController) if err != nil { fmt.Println("Policy " + policy.Name + " is invalid") + invalidPolicyFound = true } else { fmt.Println("Policy " + policy.Name + " is valid") } } + if invalidPolicyFound == true { + os.Exit(1) + } return nil }, } diff --git a/scripts/install-cli.sh b/scripts/install-cli.sh new file mode 100755 index 0000000000..dbe33b1f89 --- /dev/null +++ b/scripts/install-cli.sh 
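Review bot: `os.Exit(1)` inside the cobra `RunE` closure bypasses cobra's error reporting and any deferred functions, and the `return nil` below it is dead on the failing path; returning an error, e.g. `return fmt.Errorf("one or more policies are invalid")`, and translating it to an exit status in `main` keeps the command composable and consistent with `apply`. `if invalidPolicyFound == true {` should be `if invalidPolicyFound {`. The closure starts and ends outside this hunk.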
@@ -0,0 +1,337 @@ +#!/bin/sh +set -e +# Code generated by godownloader on 2020-06-04T12:59:08Z. DO NOT EDIT. +# + +usage() { + this=$1 + cat </dev/null +} +echoerr() { + echo "$@" 1>&2 +} +log_prefix() { + echo "$0" +} +_logp=6 +log_set_priority() { + _logp="$1" +} +log_priority() { + if test -z "$1"; then + echo "$_logp" + return + fi + [ "$1" -le "$_logp" ] +} +log_tag() { + case $1 in + 0) echo "emerg" ;; + 1) echo "alert" ;; + 2) echo "crit" ;; + 3) echo "err" ;; + 4) echo "warning" ;; + 5) echo "notice" ;; + 6) echo "info" ;; + 7) echo "debug" ;; + *) echo "$1" ;; + esac +} +log_debug() { + log_priority 7 || return 0 + echoerr "$(log_prefix)" "$(log_tag 7)" "$@" +} +log_info() { + log_priority 6 || return 0 + echoerr "$(log_prefix)" "$(log_tag 6)" "$@" +} +log_err() { + log_priority 3 || return 0 + echoerr "$(log_prefix)" "$(log_tag 3)" "$@" +} +log_crit() { + log_priority 2 || return 0 + echoerr "$(log_prefix)" "$(log_tag 2)" "$@" +} +uname_os() { + os=$(uname -s | tr '[:upper:]' '[:lower:]') + case "$os" in + cygwin_nt*) os="windows" ;; + mingw*) os="windows" ;; + msys_nt*) os="windows" ;; + esac + echo "$os" +} +uname_arch() { + arch=$(uname -m) + case $arch in + x86_64) arch="amd64" ;; + x86) arch="386" ;; + i686) arch="386" ;; + i386) arch="386" ;; + aarch64) arch="arm64" ;; + armv5*) arch="armv5" ;; + armv6*) arch="armv6" ;; + armv7*) arch="armv7" ;; + esac + echo ${arch} +} +uname_os_check() { + os=$(uname_os) + case "$os" in + darwin) return 0 ;; + dragonfly) return 0 ;; + freebsd) return 0 ;; + linux) return 0 ;; + android) return 0 ;; + nacl) return 0 ;; + netbsd) return 0 ;; + openbsd) return 0 ;; + plan9) return 0 ;; + solaris) return 0 ;; + windows) return 0 ;; + esac + log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. 
Please file bug at https://github.com/client9/shlib" + return 1 +} +uname_arch_check() { + arch=$(uname_arch) + case "$arch" in + 386) return 0 ;; + amd64) return 0 ;; + arm64) return 0 ;; + armv5) return 0 ;; + armv6) return 0 ;; + armv7) return 0 ;; + ppc64) return 0 ;; + ppc64le) return 0 ;; + mips) return 0 ;; + mipsle) return 0 ;; + mips64) return 0 ;; + mips64le) return 0 ;; + s390x) return 0 ;; + amd64p32) return 0 ;; + esac + log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib" + return 1 +} +untar() { + tarball=$1 + case "${tarball}" in + *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;; + *.tar) tar --no-same-owner -xf "${tarball}" ;; + *.zip) unzip "${tarball}" ;; + *) + log_err "untar unknown archive format for ${tarball}" + return 1 + ;; + esac +} +http_download_curl() { + local_file=$1 + source_url=$2 + header=$3 + if [ -z "$header" ]; then + code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url") + else + code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url") + fi + if [ "$code" != "200" ]; then + log_debug "http_download_curl received HTTP status $code" + return 1 + fi + return 0 +} +http_download_wget() { + local_file=$1 + source_url=$2 + header=$3 + if [ -z "$header" ]; then + wget -q -O "$local_file" "$source_url" + else + wget -q --header "$header" -O "$local_file" "$source_url" + fi +} +http_download() { + log_debug "http_download $2" + if is_command curl; then + http_download_curl "$@" + return + elif is_command wget; then + http_download_wget "$@" + return + fi + log_crit "http_download unable to find wget or curl" + return 1 +} +http_copy() { + tmp=$(mktemp) + http_download "${tmp}" "$1" "$2" || return 1 + body=$(cat "$tmp") + rm -f "${tmp}" + echo "$body" +} +github_release() { + owner_repo=$1 + version=$2 + test -z "$version" && version="latest" + 
giturl="https://github.com/${owner_repo}/releases/${version}" + json=$(http_copy "$giturl" "Accept:application/json") + test -z "$json" && return 1 + version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//') + test -z "$version" && return 1 + echo "$version" +} +hash_sha256() { + TARGET=${1:-/dev/stdin} + if is_command gsha256sum; then + hash=$(gsha256sum "$TARGET") || return 1 + echo "$hash" | cut -d ' ' -f 1 + elif is_command sha256sum; then + hash=$(sha256sum "$TARGET") || return 1 + echo "$hash" | cut -d ' ' -f 1 + elif is_command shasum; then + hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1 + echo "$hash" | cut -d ' ' -f 1 + elif is_command openssl; then + hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1 + echo "$hash" | cut -d ' ' -f a + else + log_crit "hash_sha256 unable to find command to compute sha-256 hash" + return 1 + fi +} +hash_sha256_verify() { + TARGET=$1 + checksums=$2 + if [ -z "$checksums" ]; then + log_err "hash_sha256_verify checksum file not specified in arg2" + return 1 + fi + BASENAME=${TARGET##*/} + want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1) + if [ -z "$want" ]; then + log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'" + return 1 + fi + got=$(hash_sha256 "$TARGET") + if [ "$want" != "$got" ]; then + log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got" + return 1 + fi +} +cat /dev/null <