diff --git a/.codeclimate.yml b/.codeclimate.yml
index 95a96cfddb..cf3023aa6f 100644
--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@@ -12,7 +12,7 @@ ratings:
exclude_paths:
- documentation/
+- charts
- definitions
-- gh-pages
- samples
-- scripts
\ No newline at end of file
+- scripts
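Review bot: The new `charts` entry has no trailing slash while the existing `documentation/` entry does, so the list now mixes two forms; Code Climate treats `exclude_paths` entries as glob patterns, and whether a bare directory name matches everything beneath it depends on the engine, so I would write `- charts/` to match the `documentation/` form. Excluding `charts` also takes the chart's CRD and template YAML out of analysis at the same time the commit starts publishing that chart from this repository — confirm that is intended rather than a side effect of moving `gh-pages` out.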
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000000..f542064542
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,50 @@
+## Related issue
+
+
+
+**What type of PR is this?**
+
+
+## Proposed changes
+
+
+
+## Checklist
+
+
+
+- [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md).
+- [ ] I have added tests that prove my fix is effective or that my feature
+ works.
+- [ ] I have added or changed [the documentation](documentation/).
+
+## Further comments
+
+
diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
deleted file mode 100644
index 7f76f9d5bf..0000000000
--- a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
+++ /dev/null
@@ -1,21 +0,0 @@
-**What type of PR is this?**
-> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
->
-> /kind api-change
-> /kind bug
-> /kind cleanup
-> /kind design
-> /kind documentation
-> /kind failing-test
-> /kind feature
-
-**What this PR does / why we need it**:
-
-**Which issue(s) this PR fixes**:
-
-Fixes #
-
-**Special notes for your reviewer**:
diff --git a/.github/semantic.yml b/.github/semantic.yml
new file mode 100644
index 0000000000..bf22245188
--- /dev/null
+++ b/.github/semantic.yml
@@ -0,0 +1,17 @@
+titleOnly: true
+commitsOnly: false
+titleAndCommits: false
+
+types:
+ - feat
+ - fix
+ - revert
+ - docs
+ - style
+ - refactor
+ - test
+ - build
+ - autogen
+ - security
+ - ci
+ - chore
\ No newline at end of file
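Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker); the same is true of the new `Makefile` tail, the new `definitions/crds/crds.yaml`, and both new `kustomization.yaml` files, while the commit fixes exactly this in `.codeclimate.yml`, so it is worth doing consistently. As rendered here the `types` entries sit one space under their key; two-space indentation and a leading `---` document start would make the file read like the other YAML in the repository.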
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
deleted file mode 100644
index f507810838..0000000000
--- a/.github/workflows/helm-release.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: helm-package
-on:
- push:
- tags:
- - "*"
- paths:
- - 'charts/kyverno/**'
-env:
- HELM_CHART_URL: "https://nirmata.github.io/kyverno/helm-charts/"
-
-jobs:
- release:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- persist-credentials: false
- - name: Install Helm
- run: |
- curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get
- chmod 700 get_helm.sh
- ./get_helm.sh
- helm init --client-only
- - name: Check Chart Version
- run: |
- helm repo add evalsocket ${{ env.HELM_CHART_URL }} || (echo "Kyverno Repository not available")
- helm search nirmata/kyverno --version `cat charts/kyverno/Chart.yaml | grep '^version: [[:alnum:]]' | awk '{print $2}'` > HELM_CHART_STATUS.txt
- HELM_CHART_STATUS=`cat HELM_CHART_STATUS.txt`
- if [ "${HELM_CHART_STATUS}" != 'No results found' ]; then
- echo 'Version already exist, impossible to continue...'
- exit 1
- fi
- - name: Check sintax
- run: helm lint charts/kyverno/
- - name: Create package
- run: |
- mkdir -p output/helm-charts/
- helm package charts/kyverno/ -d output/helm-charts/
- - name: Release
- uses: JamesIves/github-pages-deploy-action@releases/v3
- with:
- ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}
- BRANCH: gh-pages
- FOLDER: output
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 37a761ec1e..6cf40217d0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,9 +1,9 @@
-name: releaser
+name: prereleaser
on:
push:
tags:
-
+
jobs:
releaser:
@@ -20,6 +20,7 @@ jobs:
uses: actions/setup-go@v2
with:
go-version: 1.14
+ - uses: creekorful/goreportcard-action@v1.0
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2
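Review bot: `creekorful/goreportcard-action@v1.0` on the added line, and `J12934/helm-gh-pages-action@master` in the next hunk, reference third-party actions by a mutable tag or branch, and the second one is passed `secrets.ACCESS_TOKEN`, the same token the GoReleaser step below uses to publish releases; whoever can move that tag or push to that branch can run code in this job with that token. Pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: J12934/helm-gh-pages-action@<commit-sha>  # <version>` (placeholders), after reviewing the action source at that commit. Consider giving the Helm publish step a token scoped to the `gh-pages` push only rather than the release-capable `ACCESS_TOKEN`. The `releaser` job's step list begins before this hunk.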
@@ -28,4 +29,12 @@ jobs:
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+ - uses: J12934/helm-gh-pages-action@master
+ name: Run Helm Publish
+ with:
+ access-token: ${{ secrets.ACCESS_TOKEN }}
+ deploy-branch: gh-pages
+ charts-folder: charts
+
+
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 04e726ebda..2595128777 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,9 +1,9 @@
-project_name: kyverno
+project_name: kyverno-cli
before:
hooks:
- go mod download
builds:
-- id: kyverno
+- id: kyverno-cli
main: cmd/cli/kubectl-kyverno/main.go
binary: kyverno
env:
@@ -16,16 +16,16 @@ builds:
- amd64
goarm: [6, 7]
archives:
-- id: kyverno-archive
+- id: kyverno-cli-archive
name_template: |-
- kyverno_{{ .Tag }}_{{ .Os }}_{{ .Arch -}}
+ kyverno-cli_{{ .Tag }}_{{ .Os }}_{{ .Arch -}}
{{- with .Arm -}}
{{- if (eq . "6") -}}hf
{{- else -}}v{{- . -}}
{{- end -}}
{{- end -}}
builds:
- - kyverno
+ - kyverno-cli
replacements:
386: i386
amd64: x86_64
@@ -38,3 +38,12 @@ checksum:
algorithm: sha256
release:
prerelease: auto
+changelog:
+ sort: asc
+ filters:
+ # commit messages matching the regexp listed here will be removed from
+ # the changelog
+ exclude:
+ - '^docs:'
+ - typo
+
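Review bot: The second changelog filter, `- typo`, is an unanchored regular expression, so it removes every commit whose message contains the substring "typo" anywhere — a `fix:` commit that mentions a typo in a config key would vanish from the changelog — whereas `^docs:` on the line above is anchored to the message prefix. If prefixes are the intent, anchor this one too, e.g. `- '^typo'`; otherwise extend the existing comment to say that any mention of typos is excluded. The hunk also adds a trailing blank line after `- typo`.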
diff --git a/Makefile b/Makefile
index 56c3b92ddd..7645266947 100644
--- a/Makefile
+++ b/Makefile
@@ -113,4 +113,17 @@ code-cov-report: $(CODE_COVERAGE_FILE_TXT)
# transform to html format
@echo " generating code coverage report"
go tool cover -html=coverage.txt
- if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi;
\ No newline at end of file
+ if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi;
+
+# godownloader create downloading script for kyverno-cli
+godownloader:
+ godownloader .goreleaser.yml --repo nirmata/kyverno -o ./scripts/install-cli.sh --source="raw"
+
+# kustomize-crd will create install.yaml
+kustomize-crd:
+ # Create CRD for helm deployment Helm
+ kustomize build ./definitions/crds > ./charts/kyverno/crds/crds.yaml
+ # Generate install.yaml that have all resources for kyverno
+ kustomize build ./definitions > ./definitions/install.yaml
+ # Generate install_debug.yaml that for developer testing
+ kustomize build ./definitions/debug > ./definitions/install_debug.yaml
\ No newline at end of file
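Review bot: Neither `godownloader` nor `kustomize-crd` is declared `.PHONY`, so if a file or directory with either name ever appears in the repository root, make will report it up to date and skip the recipe; add `.PHONY: godownloader kustomize-crd` above the targets (or extend an existing `.PHONY` line, if the Makefile has one outside this hunk). The `#` lines inside the `kustomize-crd` recipe are recipe lines, so make hands them to the shell and echoes them on every run; move them above the target as real Makefile comments. Each `kustomize build ... > file` redirect truncates the output before kustomize runs, so a failed build leaves an empty `crds.yaml` or `install.yaml` behind — writing to a temporary file and renaming it on success avoids committing an empty manifest.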
diff --git a/README.md b/README.md
index be1cd1eb0c..81020599e2 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,16 @@ Mutating policies can be written as overlays (similar to [Kustomize](https://kub
Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources.
-**NOTE** : Your Kubernetes server must be at or later than version v1.14. To check the version, enter kubectl version.
+**NOTE** : Your Kubernetes cluster version must be above v1.14 which adds webook timeouts. To check the version, enter `kubectl version`.
+
+## Quick Start
+
+Install Kyverno:
+```console
+kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
+```
+
+You can also install using the [Helm chart](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#install-kyverno-using-helm). As a next step, import [sample policies](https://github.com/nirmata/kyverno/blob/master/samples/README.md) and learn about [writing policies](https://github.com/nirmata/kyverno/blob/master/documentation/writing-policies.md). You can test policies using the [Kyverno cli](https://github.com/nirmata/kyverno/blob/master/documentation/kyverno-cli.md). See [docs](https://github.com/nirmata/kyverno/#documentation) for more details.
## Examples
diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index 412ac77b62..ca4633968f 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: kyverno
-version: 0.0.1
-appVersion: v1.1.5
+version: 1.1.6
+appVersion: v1.1.6
description: Kubernetes Native Policy Management
keywords:
- kubernetes
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index ea311dc2bd..b84617b4cc 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -3,7 +3,7 @@
[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. It allows you to
* Manage policies as Kubernetes resources.
-* Validate, mutate, and generate configurations.
+* Validate, mutate, and generate configurations for any resource.
* Select resources based on labels and wildcards.
* View policy enforcement as events.
* Detect policy violations for existing resources.
@@ -12,12 +12,10 @@
```console
## Add the nirmata Helm repository
-$ helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/
+$ helm repo add kyverno https://nirmata.github.io/kyverno
## Install the kyverno helm chart
-$ helm install --name my-release --namespace kyverno nirmata/kyverno
-
-$ helm install --create-namespace -n kyverno kyverno ./charts/kyverno
+$ helm install kyverno --namespace kyverno kyverno/kyverno
```
## Introduction
@@ -29,12 +27,16 @@ This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.i
Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno':
```console
-$ helm install --namespace kyverno kyverno ./charts/kyverno
+$ helm install kyverno --namespace kyverno kyverno ./charts/kyverno
```
-Note that Helm by default expects the namespace to already exist before running helm install. If you want Helm to create the namespace, add --create-namespace to the command.
+Note that Helm by default expects the namespace to already exist before running helm install. Create the namespace using:
-The command deploys kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+```console
+$ kubectl create ns kyverno
+```
+
+The command deploys Kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
## Uninstalling the Chart
diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index 72b50024b6..db126cbcd0 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@@ -4,465 +4,464 @@ metadata:
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Cluster
names:
kind: ClusterPolicy
plural: clusterpolicies
- singular: clusterpolicy
shortNames:
- cpol
+ singular: clusterpolicy
+ scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
- status: {}
spec:
- required:
- - rules
properties:
- # default values to be handled by user
- validationFailureAction:
- type: string
- enum:
- - enforce # blocks the resorce api-reques if a rule fails.
- - audit # allows resource creation and reports the failed validation rules as violations. Default
background:
type: boolean
rules:
- type: array
items:
- type: object
- required:
- - name
- - match
properties:
- name:
- type: string
- match:
- type: object
- required:
- - resources
- properties:
- roles:
- type: array
- items:
- type: string
- clusterRoles:
- type: array
- items:
- type: string
- subjects:
- type: array
- items:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- apiGroup:
- type: string
- name:
- type: string
- namespace:
- type: string
- resources:
- type: object
- minProperties: 1
- properties:
- kinds:
- type: array
- items:
- type: string
- name:
- type: string
- namespaces:
- type: array
- items:
- type: string
- selector:
- properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
- matchExpressions:
- type: array
- items:
- type: object
- required:
- - key
- - operator
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- type: array
- items:
- type: string
exclude:
- type: object
properties:
- roles:
- type: array
- items:
- type: string
clusterRoles:
- type: array
items:
type: string
- subjects:
type: array
- items:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- apiGroup:
- type: string
- name:
- type: string
- namespace:
- type: string
resources:
- type: object
properties:
kinds:
- type: array
items:
type: string
+ type: array
name:
type: string
namespaces:
- type: array
items:
type: string
+ type: array
selector:
properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
matchExpressions:
- type: array
items:
- type: object
- required:
- - key
- - operator
properties:
key:
type: string
operator:
type: string
values:
- type: array
items:
type: string
- preconditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
- mutate:
- type: object
- properties:
- overlay:
- AnyValue: {}
- patches:
- type: array
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ roles:
+ items:
+ type: string
+ type: array
+ subjects:
items:
- type: object
- required:
- - path
- - op
properties:
- path:
+ apiGroup:
type: string
- op:
+ kind:
type: string
- enum:
- - add
- - replace
- - remove
- value:
- AnyValue: {}
- validate:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
type: object
- properties:
- message:
- type: string
- pattern:
- AnyValue: {}
- anyPattern:
- AnyValue: {}
- deny:
- properties:
- conditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
- properties:
- operator:
- type: string
- enum:
- - Equal
- - Equals
- - NotEqual
- - NotEquals
- key:
- type: string
- value:
- type: string
generate:
- type: object
- required:
- - kind
- - name
properties:
+ clone:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - namespace
+ - name
+ type: object
+ data:
+ AnyValue: {}
kind:
type: string
name:
type: string
namespace:
type: string
- clone:
- type: object
- required:
- - namespace
- - name
+ required:
+ - kind
+ - name
+ type: object
+ match:
+ properties:
+ clusterRoles:
+ items:
+ type: string
+ type: array
+ resources:
+ minProperties: 1
properties:
- namespace:
- type: string
+ kinds:
+ items:
+ type: string
+ type: array
name:
type: string
- data:
+ namespaces:
+ items:
+ type: string
+ type: array
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ roles:
+ items:
+ type: string
+ type: array
+ subjects:
+ items:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ required:
+ - resources
+ type: object
+ mutate:
+ properties:
+ overlay:
AnyValue: {}
+ patches:
+ items:
+ properties:
+ op:
+ enum:
+ - add
+ - replace
+ - remove
+ type: string
+ path:
+ type: string
+ value:
+ AnyValue: {}
+ required:
+ - path
+ - op
+ type: object
+ type: array
+ type: object
+ name:
+ type: string
+ preconditions:
+ items:
+ required:
+ - key
+ - operator
+ - value
+ type: object
+ type: array
+ validate:
+ properties:
+ anyPattern:
+ AnyValue: {}
+ deny:
+ properties:
+ conditions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - Equal
+ - Equals
+ - NotEqual
+ - NotEquals
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - operator
+ - value
+ type: object
+ type: array
+ message:
+ type: string
+ pattern:
+ AnyValue: {}
+ type: object
+ required:
+ - name
+ - match
+ type: object
+ type: array
+ validationFailureAction:
+ enum:
+ - enforce
+ - audit
+ type: string
+ required:
+ - rules
+ status: {}
+ versions:
+ - name: v1
+ served: true
+ storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicyviolations.kyverno.io
spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Cluster
names:
kind: ClusterPolicyViolation
plural: clusterpolicyviolations
- singular: clusterpolicyviolation
shortNames:
- cpolv
+ singular: clusterpolicyviolation
+ scope: Cluster
subresources:
status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
- required:
- - policy
- - resource
- - rules
properties:
policy:
type: string
resource:
- type: object
- required:
- - kind
- - name
properties:
kind:
type: string
name:
type: string
+ required:
+ - kind
+ - name
+ type: object
rules:
- type: array
items:
- type: object
- required:
- - name
- - type
- - message
properties:
+ message:
+ type: string
name:
type: string
type:
type: string
- message:
- type: string
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: policyviolations.kyverno.io
-spec:
- group: kyverno.io
+ required:
+ - name
+ - type
+ - message
+ type: object
+ type: array
+ required:
+ - policy
+ - resource
+ - rules
versions:
- - name: v1
- served: true
- storage: true
- scope: Namespaced
- names:
- kind: PolicyViolation
- plural: policyviolations
- singular: policyviolation
- shortNames:
- - polv
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
- validation:
- openAPIV3Schema:
- properties:
- spec:
- required:
- - policy
- - resource
- - rules
- properties:
- policy:
- type: string
- resource:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- name:
- type: string
- rules:
- type: array
- items:
- type: object
- required:
- - name
- - type
- - message
- properties:
- name:
- type: string
- type:
- type: string
- message:
- type: string
+ - name: v1
+ served: true
+ storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .spec.resource.namespace
+ description: The resource namespace that caused the violation
+ name: ResourceNamespace
+ type: string
+ - JSONPath: .status.state
+ description: Current state of generate request
+ name: status
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Namespaced
names:
kind: GenerateRequest
plural: generaterequests
- singular: generaterequest
shortNames:
- gr
+ singular: generaterequest
+ scope: Namespaced
subresources:
status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: ResourceNamespace
- type: string
- description: The resource namespace that caused the violation
- JSONPath: .spec.resource.namespace
- - name: status
- type : string
- description: Current state of generate request
- JSONPath: .status.state
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
- required:
- - policy
- - resource
properties:
policy:
type: string
resource:
- type: object
- required:
- - kind
- - name
properties:
kind:
type: string
- name:
+ name:
type: string
namespace:
type: string
+ required:
+ - kind
+ - name
+ type: object
+ required:
+ - policy
+ - resource
+ versions:
+ - name: v1
+ served: true
+ storage: true
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: policyviolations.kyverno.io
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: kyverno.io
+ names:
+ kind: PolicyViolation
+ plural: policyviolations
+ shortNames:
+ - polv
+ singular: policyviolation
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ policy:
+ type: string
+ resource:
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ rules:
+ items:
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ type:
+ type: string
+ required:
+ - name
+ - type
+ - message
+ type: object
+ type: array
+ required:
+ - policy
+ - resource
+ - rules
+ versions:
+ - name: v1
+ served: true
+ storage: true
diff --git a/definitions/crds/crds.yaml b/definitions/crds/crds.yaml
new file mode 100644
index 0000000000..aabb5ab308
--- /dev/null
+++ b/definitions/crds/crds.yaml
@@ -0,0 +1,468 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterpolicies.kyverno.io
+spec:
+ group: kyverno.io
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ scope: Cluster
+ names:
+ kind: ClusterPolicy
+ plural: clusterpolicies
+ singular: clusterpolicy
+ shortNames:
+ - cpol
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ status: {}
+ spec:
+ required:
+ - rules
+ properties:
+ # default values to be handled by user
+ validationFailureAction:
+ type: string
+ enum:
+ - enforce # blocks the resorce api-reques if a rule fails.
+ - audit # allows resource creation and reports the failed validation rules as violations. Default
+ background:
+ type: boolean
+ rules:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - match
+ properties:
+ name:
+ type: string
+ match:
+ type: object
+ required:
+ - resources
+ properties:
+ roles:
+ type: array
+ items:
+ type: string
+ clusterRoles:
+ type: array
+ items:
+ type: string
+ subjects:
+ type: array
+ items:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ type: string
+ apiGroup:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ resources:
+ type: object
+ minProperties: 1
+ properties:
+ kinds:
+ type: array
+ items:
+ type: string
+ name:
+ type: string
+ namespaces:
+ type: array
+ items:
+ type: string
+ selector:
+ properties:
+ matchLabels:
+ type: object
+ additionalProperties:
+ type: string
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ exclude:
+ type: object
+ properties:
+ roles:
+ type: array
+ items:
+ type: string
+ clusterRoles:
+ type: array
+ items:
+ type: string
+ subjects:
+ type: array
+ items:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ type: string
+ apiGroup:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ resources:
+ type: object
+ properties:
+ kinds:
+ type: array
+ items:
+ type: string
+ name:
+ type: string
+ namespaces:
+ type: array
+ items:
+ type: string
+ selector:
+ properties:
+ matchLabels:
+ type: object
+ additionalProperties:
+ type: string
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ required:
+ - key
+ - operator
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ type: array
+ items:
+ type: string
+ preconditions:
+ type: array
+ items:
+ type: object
+ required:
+ - key # can be of any type
+ - operator # typed
+ - value # can be of any type
+ mutate:
+ type: object
+ properties:
+ overlay:
+ AnyValue: {}
+ patches:
+ type: array
+ items:
+ type: object
+ required:
+ - path
+ - op
+ properties:
+ path:
+ type: string
+ op:
+ type: string
+ enum:
+ - add
+ - replace
+ - remove
+ value:
+ AnyValue: {}
+ validate:
+ type: object
+ properties:
+ message:
+ type: string
+ pattern:
+ AnyValue: {}
+ anyPattern:
+ AnyValue: {}
+ deny:
+ properties:
+ conditions:
+ type: array
+ items:
+ type: object
+ required:
+ - key # can be of any type
+ - operator # typed
+ - value # can be of any type
+ properties:
+ operator:
+ type: string
+ enum:
+ - Equal
+ - Equals
+ - NotEqual
+ - NotEquals
+ key:
+ type: string
+ value:
+ type: string
+ generate:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ clone:
+ type: object
+ required:
+ - namespace
+ - name
+ properties:
+ namespace:
+ type: string
+ name:
+ type: string
+ data:
+ AnyValue: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterpolicyviolations.kyverno.io
+spec:
+ group: kyverno.io
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ scope: Cluster
+ names:
+ kind: ClusterPolicyViolation
+ plural: clusterpolicyviolations
+ singular: clusterpolicyviolation
+ shortNames:
+ - cpolv
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - name: Policy
+ type: string
+ description: The policy that resulted in the violation
+ JSONPath: .spec.policy
+ - name: ResourceKind
+ type: string
+ description: The resource kind that cause the violation
+ JSONPath: .spec.resource.kind
+ - name: ResourceName
+ type: string
+ description: The resource name that caused the violation
+ JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required:
+ - policy
+ - resource
+ - rules
+ properties:
+ policy:
+ type: string
+ resource:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ rules:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - type
+ - message
+ properties:
+ name:
+ type: string
+ type:
+ type: string
+ message:
+ type: string
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: policyviolations.kyverno.io
+spec:
+ group: kyverno.io
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ scope: Namespaced
+ names:
+ kind: PolicyViolation
+ plural: policyviolations
+ singular: policyviolation
+ shortNames:
+ - polv
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - name: Policy
+ type: string
+ description: The policy that resulted in the violation
+ JSONPath: .spec.policy
+ - name: ResourceKind
+ type: string
+ description: The resource kind that cause the violation
+ JSONPath: .spec.resource.kind
+ - name: ResourceName
+ type: string
+ description: The resource name that caused the violation
+ JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required:
+ - policy
+ - resource
+ - rules
+ properties:
+ policy:
+ type: string
+ resource:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ rules:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - type
+ - message
+ properties:
+ name:
+ type: string
+ type:
+ type: string
+ message:
+ type: string
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: generaterequests.kyverno.io
+spec:
+ group: kyverno.io
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ scope: Namespaced
+ names:
+ kind: GenerateRequest
+ plural: generaterequests
+ singular: generaterequest
+ shortNames:
+ - gr
+ subresources:
+ status: {}
+ additionalPrinterColumns:
+ - name: Policy
+ type: string
+ description: The policy that resulted in the violation
+ JSONPath: .spec.policy
+ - name: ResourceKind
+ type: string
+ description: The resource kind that cause the violation
+ JSONPath: .spec.resource.kind
+ - name: ResourceName
+ type: string
+ description: The resource name that caused the violation
+ JSONPath: .spec.resource.name
+ - name: ResourceNamespace
+ type: string
+ description: The resource namespace that caused the violation
+ JSONPath: .spec.resource.namespace
+ - name: status
+ type : string
+ description: Current state of generate request
+ JSONPath: .status.state
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required:
+ - policy
+ - resource
+ properties:
+ policy:
+ type: string
+ resource:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
\ No newline at end of file
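Review bot: `AnyValue: {}` (used for `overlay`, `patches[].value`, `pattern`, `anyPattern` and `generate.data`) is not a JSONSchemaProps field, so the API server is unlikely to read it as "any value" — presumably it is dropped as an unknown field, leaving those properties entirely unconstrained; if that is the intent, say so in a comment on the first use, e.g. `# not a schema keyword: these fields are intentionally left unconstrained`, and confirm the behaviour against the cluster versions the README promises. The `status` printer column on the GenerateRequest CRD is written `type : string` (space before the colon); it parses, but every other key uses `type: string`, so normalise it. The enum comment `blocks the resorce api-reques` has two typos (`resource api-request`). This file is also what the new Makefile target renders into `charts/kyverno/crds/crds.yaml`, which strips all of these comments, so the rendered copy should not be edited by hand.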
diff --git a/definitions/crds/kustomization.yaml b/definitions/crds/kustomization.yaml
new file mode 100644
index 0000000000..8adb7f06ef
--- /dev/null
+++ b/definitions/crds/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./crds.yaml
\ No newline at end of file
diff --git a/definitions/debug/kustomization.yaml b/definitions/debug/kustomization.yaml
new file mode 100644
index 0000000000..504d3a843d
--- /dev/null
+++ b/definitions/debug/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../crds/
+- ../rbac/
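Review bot: The overlay references `../rbac/`, which is not created anywhere in this diff; if that directory with its own `kustomization.yaml` does not already exist, the `kustomize build ./definitions/debug` step of the new `kustomize-crd` Makefile target will fail. The Makefile describes this output as `install_debug.yaml` for developer testing, yet the overlay contains only CRDs and RBAC with no controller resources; a one-line comment here, e.g. `# debug overlay: CRDs and RBAC only, no controller Deployment`, would record that this is deliberate — assuming it is.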
\ No newline at end of file
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 98dc5e7881..9fce19a6c8 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -1,490 +1,475 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kyverno
+---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Cluster
names:
kind: ClusterPolicy
plural: clusterpolicies
- singular: clusterpolicy
shortNames:
- cpol
+ singular: clusterpolicy
+ scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
- status: {}
spec:
- required:
- - rules
properties:
- # default values to be handled by user
- validationFailureAction:
- type: string
- enum:
- - enforce # blocks the resorce api-reques if a rule fails.
- - audit # allows resource creation and reports the failed validation rules as violations. Default
background:
type: boolean
rules:
- type: array
items:
- type: object
- required:
- - name
- - match
properties:
- name:
- type: string
- match:
- type: object
- required:
- - resources
- properties:
- roles:
- type: array
- items:
- type: string
- clusterRoles:
- type: array
- items:
- type: string
- subjects:
- type: array
- items:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- apiGroup:
- type: string
- name:
- type: string
- namespace:
- type: string
- resources:
- type: object
- minProperties: 1
- properties:
- kinds:
- type: array
- items:
- type: string
- name:
- type: string
- namespaces:
- type: array
- items:
- type: string
- selector:
- properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
- matchExpressions:
- type: array
- items:
- type: object
- required:
- - key
- - operator
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- type: array
- items:
- type: string
exclude:
- type: object
properties:
- roles:
- type: array
- items:
- type: string
clusterRoles:
- type: array
items:
type: string
- subjects:
type: array
- items:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- apiGroup:
- type: string
- name:
- type: string
- namespace:
- type: string
resources:
- type: object
properties:
kinds:
- type: array
items:
type: string
+ type: array
name:
type: string
namespaces:
- type: array
items:
type: string
+ type: array
selector:
properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
matchExpressions:
- type: array
items:
- type: object
- required:
- - key
- - operator
properties:
key:
type: string
operator:
type: string
values:
- type: array
items:
type: string
- preconditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
- mutate:
- type: object
- properties:
- overlay:
- AnyValue: {}
- patches:
- type: array
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ roles:
+ items:
+ type: string
+ type: array
+ subjects:
items:
- type: object
- required:
- - path
- - op
properties:
- path:
+ apiGroup:
type: string
- op:
+ kind:
type: string
- enum:
- - add
- - replace
- - remove
- value:
- AnyValue: {}
- validate:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
type: object
- properties:
- message:
- type: string
- pattern:
- AnyValue: {}
- anyPattern:
- AnyValue: {}
- deny:
- properties:
- conditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
- properties:
- operator:
- type: string
- enum:
- - Equal
- - Equals
- - NotEqual
- - NotEquals
- key:
- type: string
- value:
- type: string
generate:
- type: object
- required:
- - kind
- - name
properties:
+ clone:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - namespace
+ - name
+ type: object
+ data:
+ AnyValue: {}
kind:
type: string
name:
type: string
namespace:
type: string
- clone:
- type: object
- required:
- - namespace
- - name
+ required:
+ - kind
+ - name
+ type: object
+ match:
+ properties:
+ clusterRoles:
+ items:
+ type: string
+ type: array
+ resources:
+ minProperties: 1
properties:
- namespace:
- type: string
+ kinds:
+ items:
+ type: string
+ type: array
name:
type: string
- data:
+ namespaces:
+ items:
+ type: string
+ type: array
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ roles:
+ items:
+ type: string
+ type: array
+ subjects:
+ items:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ required:
+ - resources
+ type: object
+ mutate:
+ properties:
+ overlay:
AnyValue: {}
+ patches:
+ items:
+ properties:
+ op:
+ enum:
+ - add
+ - replace
+ - remove
+ type: string
+ path:
+ type: string
+ value:
+ AnyValue: {}
+ required:
+ - path
+ - op
+ type: object
+ type: array
+ type: object
+ name:
+ type: string
+ preconditions:
+ items:
+ required:
+ - key
+ - operator
+ - value
+ type: object
+ type: array
+ validate:
+ properties:
+ anyPattern:
+ AnyValue: {}
+ deny:
+ properties:
+ conditions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - Equal
+ - Equals
+ - NotEqual
+ - NotEquals
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - operator
+ - value
+ type: object
+ type: array
+ message:
+ type: string
+ pattern:
+ AnyValue: {}
+ type: object
+ required:
+ - name
+ - match
+ type: object
+ type: array
+ validationFailureAction:
+ enum:
+ - enforce
+ - audit
+ type: string
+ required:
+ - rules
+ status: {}
+ versions:
+ - name: v1
+ served: true
+ storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicyviolations.kyverno.io
spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Cluster
names:
kind: ClusterPolicyViolation
plural: clusterpolicyviolations
- singular: clusterpolicyviolation
shortNames:
- cpolv
+ singular: clusterpolicyviolation
+ scope: Cluster
subresources:
status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
- required:
- - policy
- - resource
- - rules
properties:
policy:
type: string
resource:
- type: object
- required:
- - kind
- - name
properties:
kind:
type: string
name:
type: string
+ required:
+ - kind
+ - name
+ type: object
rules:
- type: array
items:
- type: object
- required:
- - name
- - type
- - message
properties:
+ message:
+ type: string
name:
type: string
type:
type: string
- message:
- type: string
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: policyviolations.kyverno.io
-spec:
- group: kyverno.io
+ required:
+ - name
+ - type
+ - message
+ type: object
+ type: array
+ required:
+ - policy
+ - resource
+ - rules
versions:
- - name: v1
- served: true
- storage: true
- scope: Namespaced
- names:
- kind: PolicyViolation
- plural: policyviolations
- singular: policyviolation
- shortNames:
- - polv
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
- validation:
- openAPIV3Schema:
- properties:
- spec:
- required:
- - policy
- - resource
- - rules
- properties:
- policy:
- type: string
- resource:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- name:
- type: string
- rules:
- type: array
- items:
- type: object
- required:
- - name
- - type
- - message
- properties:
- name:
- type: string
- type:
- type: string
- message:
- type: string
+ - name: v1
+ served: true
+ storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .spec.resource.namespace
+ description: The resource namespace that caused the violation
+ name: ResourceNamespace
+ type: string
+ - JSONPath: .status.state
+ description: Current state of generate request
+ name: status
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Namespaced
names:
kind: GenerateRequest
plural: generaterequests
- singular: generaterequest
shortNames:
- gr
+ singular: generaterequest
+ scope: Namespaced
subresources:
status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: ResourceNamespace
- type: string
- description: The resource namespace that caused the violation
- JSONPath: .spec.resource.namespace
- - name: status
- type : string
- description: Current state of generate request
- JSONPath: .status.state
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
- required:
- - policy
- - resource
properties:
policy:
type: string
resource:
- type: object
- required:
- - kind
- - name
properties:
kind:
type: string
- name:
+ name:
type: string
namespace:
- type: string
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ required:
+ - policy
+ - resource
+ versions:
+ - name: v1
+ served: true
+ storage: true
---
-kind: Namespace
-apiVersion: v1
-metadata:
- name: "kyverno"
----
-apiVersion: v1
-kind: Service
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
metadata:
- namespace: kyverno
- name: kyverno-svc
- labels:
- app: kyverno
+ name: policyviolations.kyverno.io
spec:
- ports:
- - port: 443
- targetPort: 443
- selector:
- app: kyverno
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: kyverno.io
+ names:
+ kind: PolicyViolation
+ plural: policyviolations
+ shortNames:
+ - polv
+ singular: policyviolation
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ policy:
+ type: string
+ resource:
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ rules:
+ items:
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ type:
+ type: string
+ required:
+ - name
+ - type
+ - message
+ type: object
+ type: array
+ required:
+ - policy
+ - resource
+ - rules
+ versions:
+ - name: v1
+ served: true
+ storage: true
---
apiVersion: v1
kind: ServiceAccount
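Review bot: The `additionalPrinterColumns` descriptions on the generaterequests.kyverno.io CRD were copied from the violation CRDs and still talk about "the violation", although a GenerateRequest records a generate rule being applied rather than a violation; the same text is repeated in the install_debug.yaml hunk and in the CRD hunk above this file. Suggested wording: `description: The policy that created this generate request`, `description: The kind of the resource that triggered the generate request`, and the same pattern for the ResourceName and ResourceNamespace columns. The ClusterPolicyViolation, PolicyViolation and GenerateRequest columns also carry the typo `description: The resource kind that cause the violation` (`cause` → `caused`). The `status` column is the only lower-case column name in these CRDs; `name: Status` would match the others, at the cost of a visible change in `kubectl get gr` output.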
@@ -492,147 +477,11 @@ metadata:
name: kyverno-service-account
namespace: kyverno
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: kyverno:policyviolations
-rules:
-- apiGroups: ["kyverno.io"]
- resources:
- - policyviolations
- verbs: ["get", "list", "watch"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:webhook
-subjects:
-- kind: ServiceAccount
- name: kyverno-service-account
- namespace: kyverno
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:userinfo
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:userinfo
-subjects:
-- kind: ServiceAccount
- name: kyverno-service-account
- namespace: kyverno
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:customresources
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:customresources
-subjects:
-- kind: ServiceAccount
- name: kyverno-service-account
- namespace: kyverno
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:policycontroller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:policycontroller
-subjects:
-- kind: ServiceAccount
- name: kyverno-service-account
- namespace: kyverno
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:generatecontroller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:generatecontroller
-subjects:
-- kind: ServiceAccount
- name: kyverno-service-account
- namespace: kyverno
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:webhook
-rules:
-# Dynamic creation of webhooks, events & certs
-- apiGroups:
- - '*'
- resources:
- - events
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- - certificatesigningrequests
- - certificatesigningrequests/approval
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - certificates.k8s.io
- resources:
- - certificatesigningrequests
- - certificatesigningrequests/approval
- - certificatesigningrequests/status
- resourceNames:
- - kubernetes.io/legacy-unknown
- verbs:
- - create
- - delete
- - get
- - update
- - watch
-- apiGroups:
- - certificates.k8s.io
- resources:
- - signers
- resourceNames:
- - kubernetes.io/legacy-unknown
- verbs:
- - approve
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:userinfo
-rules:
-# get the roleRef for incoming api-request user
-- apiGroups:
- - "*"
- resources:
- - rolebindings
- - clusterrolebindings
- - configmaps
- verbs:
- - watch
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:customresources
rules:
-# Kyverno CRs
- apiGroups:
- '*'
resources:
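Review bot: Every explanatory comment on the RBAC objects is removed without replacement — `# Kyverno CRs` on kyverno:customresources here, and in the following hunks `# background processing, identify all existing resources`, `# process generate rules to generate resources`, the two `# dynamic watches …` lines, and later `# resource types to be skipped by kyverno policy engine` plus the commented-out `--webhooktimeout`/`--profile` examples on the Deployment. The reordered, alphabetically sorted new side looks like `kustomize build` output, which cannot preserve comments, so the rationale for each ClusterRole's verbs (in particular why kyverno:policycontroller needs `update` on every resource in every API group) should move to the source manifests under definitions/ or to the documentation, where it survives regeneration. The kyverno:customresources ClusterRole that this hunk ends on continues into the next hunk.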
@@ -647,35 +496,19 @@ rules:
verbs:
- create
- delete
- - get
- - list
+ - get
+ - list
- patch
- update
- watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:policycontroller
-rules:
-# background processing, identify all existing resources
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:generatecontroller
rules:
-# process generate rules to generate resources
- apiGroups:
- - "*"
+ - '*'
resources:
- namespaces
- networkpolicies
@@ -691,8 +524,6 @@ rules:
- update
- delete
- get
-# dynamic watches on trigger resources for generate rules
-# re-evaluate the policy if the resource is updated
- apiGroups:
- '*'
resources:
@@ -700,75 +531,267 @@ rules:
verbs:
- watch
---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:policycontroller
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:userinfo
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - rolebindings
+ - clusterrolebindings
+ - configmaps
+ verbs:
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:webhook
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - events
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ - certificatesigningrequests/status
+ verbs:
+ - create
+ - delete
+ - get
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ resources:
+ - signers
+ verbs:
+ - approve
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kyverno:policyviolations
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policyviolations
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: kyverno:view-clusterpolicyviolations
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - clusterpolicyviolations
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: kyverno:view-policyviolations
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policyviolations
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:customresources
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:customresources
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:generatecontroller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:generatecontroller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:policycontroller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:policycontroller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:userinfo
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:userinfo
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:webhook
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
apiVersion: v1
+data:
+ resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]'
kind: ConfigMap
metadata:
name: init-config
namespace: kyverno
-data:
- # resource types to be skipped by kyverno policy engine
- resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: kyverno
+ name: kyverno-svc
+ namespace: kyverno
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: kyverno
---
apiVersion: apps/v1
kind: Deployment
metadata:
- namespace: kyverno
- name: kyverno
labels:
app: kyverno
+ name: kyverno
+ namespace: kyverno
spec:
+ replicas: 1
selector:
matchLabels:
app: kyverno
- replicas: 1
template:
metadata:
labels:
app: kyverno
spec:
- serviceAccountName: kyverno-service-account
- initContainers:
- - name: kyverno-pre
- image: nirmata/kyvernopre:v1.1.6-rc3
containers:
- - name: kyverno
- image: nirmata/kyverno:v1.1.6-rc3
- imagePullPolicy: Always
- args:
- - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
- # customize webhook timeout
- #- "--webhooktimeout=4"
- # enable profiling
- # - "--profile"
- - "-v=2"
- ports:
- - containerPort: 443
- env:
- - name: INIT_CONFIG
- value: init-config
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "128Mi"
- livenessProbe:
- httpGet:
- path: /health/liveness
- port: 443
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- failureThreshold: 4
- successThreshold: 1
- readinessProbe:
- httpGet:
- path: /health/readiness
- port: 443
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- timeoutSeconds: 5
- failureThreshold: 4
- successThreshold: 1
+ - args:
+ - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]
+ - -v=2
+ env:
+ - name: INIT_CONFIG
+ value: init-config
+ image: nirmata/kyverno:v1.1.6
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 4
+ httpGet:
+ path: /health/liveness
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: kyverno
+ ports:
+ - containerPort: 443
+ readinessProbe:
+ failureThreshold: 4
+ httpGet:
+ path: /health/readiness
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ initContainers:
+ - image: nirmata/kyvernopre:v1.1.6
+ name: kyverno-pre
+ serviceAccountName: kyverno-service-account
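Review bot: The new `kyverno:view-clusterpolicyviolations` and `kyverno:view-policyviolations` ClusterRoles are declared as `rbac.authorization.k8s.io/v1beta1` while every other RBAC object in the file uses `v1`; `v1` is the stable API for these kinds and `v1beta1` is deprecated, so `apiVersion: rbac.authorization.k8s.io/v1` on all three `v1beta1` roles (including the retained `kyverno:policyviolations`) keeps the manifest uniform. `kyverno:policyviolations` now carries exactly the same rule as `kyverno:view-policyviolations` but has no binding and no aggregation label in this file, so it appears to be dead unless something outside the diff references it by name. Giving `aggregate-to-admin` to the cluster-scoped violations and `aggregate-to-view` to the namespaced ones is presumably intentional, but it deserves a one-line comment in the source manifests since the generated file carries none. Separately, the kyverno Deployment sets no `securityContext` on either container (for example `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`), and both images are pinned by mutable tag with `imagePullPolicy: Always`, so every pod restart re-resolves `v1.1.6` rather than a digest.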
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 20e458ec85..f9b6133027 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -1,477 +1,737 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kyverno
+---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Cluster
names:
kind: ClusterPolicy
plural: clusterpolicies
- singular: clusterpolicy
shortNames:
- cpol
+ singular: clusterpolicy
+ scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
- status: {}
spec:
- required:
- - rules
properties:
- # default values to be handled by user
- validationFailureAction:
- type: string
- enum:
- - enforce # blocks the resorce api-reques if a rule fails.
- - audit # allows resource creation and reports the failed validation rules as violations. Default
background:
type: boolean
rules:
- type: array
items:
- type: object
- required:
- - name
- - match
properties:
- name:
- type: string
- match:
- type: object
- required:
- - resources
- properties:
- roles:
- type: array
- items:
- type: string
- clusterRoles:
- type: array
- items:
- type: string
- subjects:
- type: array
- items:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- apiGroup:
- type: string
- name:
- type: string
- namespace:
- type: string
- resources:
- type: object
- minProperties: 1
- properties:
- kinds:
- type: array
- items:
- type: string
- name:
- type: string
- namespaces:
- type: array
- items:
- type: string
- selector:
- properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
- matchExpressions:
- type: array
- items:
- type: object
- required:
- - key
- - operator
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- type: array
- items:
- type: string
exclude:
- type: object
properties:
- roles:
- type: array
- items:
- type: string
clusterRoles:
- type: array
items:
type: string
- subjects:
type: array
- items:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- apiGroup:
- type: string
- name:
- type: string
- namespace:
- type: string
resources:
- type: object
properties:
kinds:
- type: array
items:
type: string
+ type: array
name:
type: string
namespaces:
- type: array
items:
type: string
+ type: array
selector:
properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
matchExpressions:
- type: array
items:
- type: object
- required:
- - key
- - operator
properties:
key:
type: string
operator:
type: string
values:
- type: array
items:
type: string
- preconditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
- mutate:
- type: object
- properties:
- overlay:
- AnyValue: {}
- patches:
- type: array
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ roles:
+ items:
+ type: string
+ type: array
+ subjects:
items:
- type: object
- required:
- - path
- - op
properties:
- path:
+ apiGroup:
type: string
- op:
+ kind:
type: string
- enum:
- - add
- - replace
- - remove
- value:
- AnyValue: {}
- validate:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
type: object
- properties:
- message:
- type: string
- pattern:
- AnyValue: {}
- anyPattern:
- AnyValue: {}
- deny:
- properties:
- conditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
- properties:
- operator:
- type: string
- enum:
- - Equal
- - Equals
- - NotEqual
- - NotEquals
- key:
- type: string
- value:
- type: string
generate:
- type: object
- required:
- - kind
- - name
properties:
+ clone:
+ properties:
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - namespace
+ - name
+ type: object
+ data:
+ AnyValue: {}
kind:
type: string
name:
type: string
namespace:
type: string
- clone:
- type: object
- required:
- - namespace
- - name
+ required:
+ - kind
+ - name
+ type: object
+ match:
+ properties:
+ clusterRoles:
+ items:
+ type: string
+ type: array
+ resources:
+ minProperties: 1
properties:
- namespace:
- type: string
+ kinds:
+ items:
+ type: string
+ type: array
name:
type: string
- data:
+ namespaces:
+ items:
+ type: string
+ type: array
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ roles:
+ items:
+ type: string
+ type: array
+ subjects:
+ items:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ required:
+ - resources
+ type: object
+ mutate:
+ properties:
+ overlay:
AnyValue: {}
+ patches:
+ items:
+ properties:
+ op:
+ enum:
+ - add
+ - replace
+ - remove
+ type: string
+ path:
+ type: string
+ value:
+ AnyValue: {}
+ required:
+ - path
+ - op
+ type: object
+ type: array
+ type: object
+ name:
+ type: string
+ preconditions:
+ items:
+ required:
+ - key
+ - operator
+ - value
+ type: object
+ type: array
+ validate:
+ properties:
+ anyPattern:
+ AnyValue: {}
+ deny:
+ properties:
+ conditions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ enum:
+ - Equal
+ - Equals
+ - NotEqual
+ - NotEquals
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - operator
+ - value
+ type: object
+ type: array
+ message:
+ type: string
+ pattern:
+ AnyValue: {}
+ type: object
+ required:
+ - name
+ - match
+ type: object
+ type: array
+ validationFailureAction:
+ enum:
+ - enforce
+ - audit
+ type: string
+ required:
+ - rules
+ status: {}
+ versions:
+ - name: v1
+ served: true
+ storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicyviolations.kyverno.io
spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Cluster
names:
kind: ClusterPolicyViolation
plural: clusterpolicyviolations
- singular: clusterpolicyviolation
shortNames:
- cpolv
+ singular: clusterpolicyviolation
+ scope: Cluster
subresources:
status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
- required:
- - policy
- - resource
- - rules
properties:
policy:
type: string
resource:
- type: object
- required:
- - kind
- - name
properties:
kind:
type: string
name:
type: string
+ required:
+ - kind
+ - name
+ type: object
rules:
- type: array
items:
- type: object
- required:
- - name
- - type
- - message
properties:
+ message:
+ type: string
name:
type: string
type:
type: string
- message:
- type: string
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: policyviolations.kyverno.io
-spec:
- group: kyverno.io
+ required:
+ - name
+ - type
+ - message
+ type: object
+ type: array
+ required:
+ - policy
+ - resource
+ - rules
versions:
- - name: v1
- served: true
- storage: true
- scope: Namespaced
- names:
- kind: PolicyViolation
- plural: policyviolations
- singular: policyviolation
- shortNames:
- - polv
- subresources:
- status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
- validation:
- openAPIV3Schema:
- properties:
- spec:
- required:
- - policy
- - resource
- - rules
- properties:
- policy:
- type: string
- resource:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- name:
- type: string
- rules:
- type: array
- items:
- type: object
- required:
- - name
- - type
- - message
- properties:
- name:
- type: string
- type:
- type: string
- message:
- type: string
+ - name: v1
+ served: true
+ storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .spec.resource.namespace
+ description: The resource namespace that caused the violation
+ name: ResourceNamespace
+ type: string
+ - JSONPath: .status.state
+ description: Current state of generate request
+ name: status
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
group: kyverno.io
- versions:
- - name: v1
- served: true
- storage: true
- scope: Namespaced
names:
kind: GenerateRequest
plural: generaterequests
- singular: generaterequest
shortNames:
- gr
+ singular: generaterequest
+ scope: Namespaced
subresources:
status: {}
- additionalPrinterColumns:
- - name: Policy
- type: string
- description: The policy that resulted in the violation
- JSONPath: .spec.policy
- - name: ResourceKind
- type: string
- description: The resource kind that cause the violation
- JSONPath: .spec.resource.kind
- - name: ResourceName
- type: string
- description: The resource name that caused the violation
- JSONPath: .spec.resource.name
- - name: ResourceNamespace
- type: string
- description: The resource namespace that caused the violation
- JSONPath: .spec.resource.namespace
- - name: status
- type: string
- description: Current state of generate request
- JSONPath: .status.state
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
- required:
- - policy
- - resource
properties:
policy:
type: string
resource:
- type: object
- required:
- - kind
- - name
properties:
kind:
type: string
- name:
+ name:
type: string
namespace:
- type: string
----
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ required:
+ - policy
+ - resource
+ versions:
+ - name: v1
+ served: true
+ storage: true
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: policyviolations.kyverno.io
+spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.policy
+ description: The policy that resulted in the violation
+ name: Policy
+ type: string
+ - JSONPath: .spec.resource.kind
+ description: The resource kind that cause the violation
+ name: ResourceKind
+ type: string
+ - JSONPath: .spec.resource.name
+ description: The resource name that caused the violation
+ name: ResourceName
+ type: string
+ - JSONPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ group: kyverno.io
+ names:
+ kind: PolicyViolation
+ plural: policyviolations
+ shortNames:
+ - polv
+ singular: policyviolation
+ scope: Namespaced
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ policy:
+ type: string
+ resource:
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ rules:
+ items:
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ type:
+ type: string
+ required:
+ - name
+ - type
+ - message
+ type: object
+ type: array
+ required:
+ - policy
+ - resource
+ - rules
+ versions:
+ - name: v1
+ served: true
+ storage: true
+---
apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:customresources
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - clusterpolicies
+ - clusterpolicies/status
+ - clusterpolicyviolations
+ - clusterpolicyviolations/status
+ - policyviolations
+ - policyviolations/status
+ - generaterequests
+ - generaterequests/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:generatecontroller
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - namespaces
+ - networkpolicies
+ - secrets
+ - configmaps
+ - resourcequotas
+ - limitranges
+ - clusterroles
+ - rolebindings
+ - clusterrolebindings
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+- apiGroups:
+ - '*'
+ resources:
+ - namespaces
+ verbs:
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:policycontroller
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:userinfo
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - rolebindings
+ - clusterrolebindings
+ - configmaps
+ verbs:
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:webhook
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - events
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ - certificatesigningrequests/status
+ verbs:
+ - create
+ - delete
+ - get
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ resources:
+ - signers
+ verbs:
+ - approve
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kyverno:policyviolations
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policyviolations
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: kyverno:view-clusterpolicyviolations
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - clusterpolicyviolations
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: kyverno:view-policyviolations
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policyviolations
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:customresources
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:customresources
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:generatecontroller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:generatecontroller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:policycontroller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:policycontroller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:userinfo
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:userinfo
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:webhook
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: v1
+data:
+ resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]'
kind: ConfigMap
metadata:
name: init-config
namespace: kyverno
-data:
- # resource types to be skipped by kyverno policy engine
- resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: kyverno
+ name: kyverno-svc
+ namespace: kyverno
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: kyverno
diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml
new file mode 100644
index 0000000000..fd5415e6ba
--- /dev/null
+++ b/definitions/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./crds/
+- ./manifest/
+- ./rbac/
\ No newline at end of file
diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml
new file mode 100644
index 0000000000..1a197e0d3d
--- /dev/null
+++ b/definitions/manifest/deployment.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: kyverno
+ name: kyverno
+ labels:
+ app: kyverno
+spec:
+ selector:
+ matchLabels:
+ app: kyverno
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: kyverno
+ spec:
+ serviceAccountName: kyverno-service-account
+ initContainers:
+ - name: kyverno-pre
+ image: nirmata/kyvernopre:v1.1.6
+ containers:
+ - name: kyverno
+ image: nirmata/kyverno:v1.1.6
+ imagePullPolicy: Always
+ args:
+ - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
+ # customize webhook timeout
+ #- "--webhooktimeout=4"
+ # enable profiling
+ # - "--profile"
+ - "-v=2"
+ ports:
+ - containerPort: 443
+ env:
+ - name: INIT_CONFIG
+ value: init-config
+ resources:
+ requests:
+ memory: "50Mi"
+ cpu: "100m"
+ limits:
+ memory: "128Mi"
+ livenessProbe:
+ httpGet:
+ path: /health/liveness
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 4
+ successThreshold: 1
+ readinessProbe:
+ httpGet:
+ path: /health/readiness
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 4
+ successThreshold: 1
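Review bot: Neither the `kyverno` container nor the `kyverno-pre` init container sets a `securityContext`, so the admission controller runs with whatever the image and runtime default to (root if the image does not switch users, privilege escalation allowed, full capability set). The container listens on 443 (`containerPort` and both probes), so moving to non-root presumably needs `NET_BIND_SERVICE` unless the listen port changes, and `readOnlyRootFilesystem` only holds if the binary never writes to disk — confirm both against the image before applying the block below, and give the init container the same treatment. The init container also has no `resources` block and no `imagePullPolicy`, unlike the main container, and `limits` omits `cpu`. The `v1.1.6` tag is mutable; pinning the image by digest would make `imagePullPolicy: Always` re-pull the same artifact every time.

```yaml
      containers:
      - name: kyverno
        image: nirmata/kyverno:v1.1.6
        imagePullPolicy: Always
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        # … unchanged: args, ports, env, resources, livenessProbe, readinessProbe …
```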
diff --git a/definitions/manifest/kustomization.yaml b/definitions/manifest/kustomization.yaml
new file mode 100644
index 0000000000..5fbc8ecbb3
--- /dev/null
+++ b/definitions/manifest/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./deployment.yaml
\ No newline at end of file
diff --git a/definitions/rbac/kustomization.yaml b/definitions/rbac/kustomization.yaml
new file mode 100644
index 0000000000..dbe45efc6e
--- /dev/null
+++ b/definitions/rbac/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./rbac.yaml
\ No newline at end of file
diff --git a/definitions/rbac/rbac.yaml b/definitions/rbac/rbac.yaml
new file mode 100644
index 0000000000..f6cb27d727
--- /dev/null
+++ b/definitions/rbac/rbac.yaml
@@ -0,0 +1,266 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: "kyverno"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: kyverno
+ name: kyverno-svc
+ labels:
+ app: kyverno
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: kyverno
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kyverno:policyviolations
+rules:
+- apiGroups: ["kyverno.io"]
+ resources:
+ - policyviolations
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:webhook
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:userinfo
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:userinfo
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:customresources
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:customresources
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:policycontroller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:policycontroller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:generatecontroller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:generatecontroller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-service-account
+ namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:webhook
+rules:
+# Dynamic creation of webhooks, events & certs
+- apiGroups:
+ - '*'
+ resources:
+ - events
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ - certificatesigningrequests/approval
+ - certificatesigningrequests/status
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ verbs:
+ - create
+ - delete
+ - get
+ - update
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - signers
+ resourceNames:
+ - kubernetes.io/legacy-unknown
+ verbs:
+ - approve
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:userinfo
+rules:
+# get the roleRef for incoming api-request user
+- apiGroups:
+ - "*"
+ resources:
+ - rolebindings
+ - clusterrolebindings
+ - configmaps
+ verbs:
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:customresources
+rules:
+# Kyverno CRs
+- apiGroups:
+ - '*'
+ resources:
+ - clusterpolicies
+ - clusterpolicies/status
+ - clusterpolicyviolations
+ - clusterpolicyviolations/status
+ - policyviolations
+ - policyviolations/status
+ - generaterequests
+ - generaterequests/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:policycontroller
+rules:
+# background processing, identify all existing resources
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:generatecontroller
+rules:
+# process generate rules to generate resources
+- apiGroups:
+ - "*"
+ resources:
+ - namespaces
+ - networkpolicies
+ - secrets
+ - configmaps
+ - resourcequotas
+ - limitranges
+ - clusterroles
+ - rolebindings
+ - clusterrolebindings
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+# dynamic watches on trigger resources for generate rules
+# re-evaluate the policy if the resource is updated
+- apiGroups:
+ - '*'
+ resources:
+ - namespaces
+ verbs:
+ - watch
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: init-config
+ namespace: kyverno
+data:
+ # resource types to be skipped by kyverno policy engine
+ resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kyverno:view-policyviolations
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["kyverno.io"]
+ resources:
+ - policyviolations
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: kyverno:view-clusterpolicyviolations
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: ["kyverno.io"]
+ resources:
+ - clusterpolicyviolations
+ verbs: ["get", "list", "watch"]
\ No newline at end of file
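Review bot: The `kyverno:policycontroller` role grants `get`, `list` and `update` on `'*'` resources in `'*'` API groups, and every other role in this file uses `apiGroups: '*'` even where the resources live in one known group; all of them are bound to `kyverno-service-account`, so a leaked token for that account reads every Secret and updates any object cluster-wide, and the `create`/`update` on `clusterrolebindings` in `kyverno:generatecontroller` makes it an escalation path. Narrow each rule to the group that actually serves the resource (`""` for events, configmaps, secrets and namespaces — or `events.k8s.io` if that client is used — `admissionregistration.k8s.io` for webhook configurations, `rbac.authorization.k8s.io` for roles and bindings, `kyverno.io` for the CRDs), as sketched below for `kyverno:webhook`; the wildcard `certificatesigningrequests` entries there also overlap the later `certificates.k8s.io` rules, so they can be dropped from the first rule. If background processing genuinely needs to read arbitrary kinds, keep `get`/`list` on the wildcard rule but drop `update` from it. The file also mixes `rbac.authorization.k8s.io/v1beta1` and `/v1` for ClusterRoles and flow-style `verbs: ["get", "list", "watch"]` with block style; one of each keeps diffs clean.

```yaml
rules:
# Dynamic creation of webhooks, events & certs
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# … unchanged: the two certificates.k8s.io rules scoped to kubernetes.io/legacy-unknown …
```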
diff --git a/documentation/installation.md b/documentation/installation.md
index dc41d0963f..db5e88015f 100644
--- a/documentation/installation.md
+++ b/documentation/installation.md
@@ -7,15 +7,19 @@ You can install Kyverno using the Helm chart or YAML files in this repository.
## Install Kyverno using Helm
```sh
+
## Add the nirmata Helm repository
- helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/
+helm repo add kyverno https://nirmata.github.io/kyverno/
+
+## Create the Kyverno namespace
+kubectl create ns kyverno
## Install the kyverno helm chart
-helm install --name my-release --namespace kyverno nirmata/kyverno
+helm install kyverno --namespace kyverno kyverno/kyverno
```
-Note: the namespace must be `kyverno`.
+Note: the namespace must be `kyverno`. See issue #841.
## Install Kyverno using YAMLs
@@ -31,15 +35,15 @@ Kyverno can request a CA signed certificate-key pair from `kube-controller-manag
To install Kyverno in a cluster that supports certificate signing, run the following command on a host with kubectl `cluster-admin` access:
-````sh
-kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
-````
-
Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the [install.yaml] and update the image tag.
To check the Kyverno controller status, run the command:
-````sh
+```sh
+## Install Kyverno
+kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
+
+## Check pod status
kubectl get pods -n kyverno
````
diff --git a/documentation/kyverno-cli.md b/documentation/kyverno-cli.md
index 05ae5590dc..85ff9d3b7f 100644
--- a/documentation/kyverno-cli.md
+++ b/documentation/kyverno-cli.md
@@ -1,10 +1,13 @@
-*[documentation](/README.md#documentation) / kyverno-cli*
-
+_[documentation](/README.md#documentation) / kyverno-cli_
# Kyverno CLI
The Kyverno Command Line Interface (CLI) is designed to validate policies and test the behavior of applying policies to resources before adding the policy to a cluster. It can be used as a kubectl plugin and as a standalone CLI.
+## Install the CLI
+
+The Kyverno CLI binary is distributed with each release. You can install the CLI for your platform from the [releases](https://github.com/nirmata/kyverno/releases) site.
+
## Build the CLI
You can build the CLI binary locally, then move the binary into a directory in your PATH.
@@ -16,6 +19,12 @@ make cli
mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno
```
+You can also use curl to install kyverno-cli
+
+```bash
+curl -L https://raw.githubusercontent.com/nirmata/kyverno/master/scripts/install-cli.sh | bash
+```
+
## Install via AUR (archlinux)
You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay))
@@ -30,39 +39,55 @@ yay -S kyverno-git
Prints the version of kyverno used by the CLI.
-Example:
+Example:
+
```
kyverno version
```
#### Validate
-Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description
-files. Currently supports files with resource description in yaml.
+
+Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description
+files. Currently supports files with resource description in YAML.
Example:
+
```
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies
```
#### Apply
+
Applies policies on resources, and supports applying multiple policies on multiple resources in a single command.
Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster.
- Will return results to stdout.
+Will return results to stdout.
Apply to a resource:
-```
+
+```bash
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml
```
Apply to all matching resources in a cluster:
-```
+
+```bash
kyverno apply /path/to/policy.yaml --cluster > policy-results.txt
```
Apply multiple policies to multiple resources:
-```
+
+```bash
kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster
```
+##### Exit Codes
-*Read Next >> [Sample Policies](/samples/README.md)*
+The CLI exits with diffenent exit codes:
+
+| Message | Exit Code |
+| ------------------------------------- | --------- |
+| executes successfully | 0 |
+| one or more policy rules are violated | 1 |
+| policy validation failed | 2 |
+
+_Read Next >> [Sample Policies](/samples/README.md)_
diff --git a/pkg/engine/mutate/overlayCondition.go b/pkg/engine/mutate/overlayCondition.go
index 56b19de4e9..97d0210e80 100755
--- a/pkg/engine/mutate/overlayCondition.go
+++ b/pkg/engine/mutate/overlayCondition.go
@@ -112,7 +112,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat
// resource - A: B2
func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) {
if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
- log.Log.V(4).Info("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)
+ log.Log.V(4).Info("Found anchor on different types of element", "overlay", overlay, "resource", resource)
return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource))
}
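Review bot: The new log call passes the full `overlay` and `resource` values as key/value pairs, whereas the replaced format string and the error built on the next line only report their types with `%T`; at V(4) this writes the entire resource payload — for a Secret or ConfigMap, its data — into the controller log. Keep the type-only information the message promises: `log.Log.V(4).Info("Found anchor on different types of element", "overlayType", fmt.Sprintf("%T", overlay), "resourceType", fmt.Sprintf("%T", resource))`. `compareOverlay`'s body continues outside the hunk.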
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index df83bc4197..d1055db2d5 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -108,7 +108,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
} else {
if ruleResponse.Success && ruleResponse.Patches != nil {
- logger.V(2).Info("inserted annotation for podTemplate")
+ logger.V(3).Info("inserted annotation for podTemplate")
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
}
}
diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index e9f0b71bb3..8cf38db99c 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"io/ioutil"
+ "os"
"regexp"
"time"
@@ -68,7 +69,8 @@ func Command() *cobra.Command {
for _, policy := range policies {
err := policy2.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController)
if err != nil {
- return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name))
+ fmt.Printf("Policy %v is not valid\n", policy.Name)
+ os.Exit(3)
}
if policyHasVariables(*policy) {
return sanitizedError.New(fmt.Sprintf("Policy %v is not valid - 'apply' does not support policies with variables", policy.Name))
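Review bot: `os.Exit(3)` inside the cobra `RunE` closure ends the process without running deferred functions or cobra's error path, and exit code 3 is not among the codes the kyverno-cli.md hunk in this commit documents (0, 1 and 2, with `policy validation failed` mapped to 2). The message also goes to stdout, which that documentation reserves for results (`Will return results to stdout`). Prefer returning an error and letting the entry point map it to a status, or at minimum `fmt.Fprintf(os.Stderr, "Policy %v is not valid\n", policy.Name)` followed by `os.Exit(2)` so code and docs agree. The enclosing `Command` function starts and ends outside the hunk.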
@@ -89,7 +91,7 @@ func Command() *cobra.Command {
resources, err := getResources(policies, resourcePaths, dClient)
if err != nil {
- return sanitizedError.New(fmt.Errorf("Issues fetching resources").Error())
+ return sanitizedError.NewWithError("Failed to load resources", err)
}
for i, policy := range policies {
@@ -241,7 +243,7 @@ func getResource(path string) ([]*unstructured.Unstructured, error) {
}
func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured) error {
-
+ responseError := false
fmt.Printf("\n\nApplying Policy %s on Resource %s/%s/%s\n", policy.Name, resource.GetNamespace(), resource.GetKind(), resource.GetName())
mutateResponse := engine.Mutate(engine.PolicyContext{Policy: *policy, NewResource: *resource})
@@ -252,6 +254,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
fmt.Printf("\n%d. %s", i+1, r.Message)
}
fmt.Printf("\n\n")
+ responseError = true
} else {
if len(mutateResponse.PolicyResponse.Rules) > 0 {
fmt.Printf("\n\nMutation:")
@@ -274,6 +277,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
fmt.Printf("\n%d. %s", i+1, r.Message)
}
fmt.Printf("\n\n")
+ responseError = true
} else {
if len(validateResponse.PolicyResponse.Rules) > 0 {
fmt.Printf("\n\nValidation:")
@@ -302,9 +306,13 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
fmt.Printf("\n%d. %s", i+1, r.Message)
}
fmt.Printf("\n\n")
+ responseError = true
}
}
+ if responseError == true{
+ os.Exit(1)
+ }
return nil
}
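Review bot: `os.Exit(1)` inside `applyPolicyOnResource` terminates the process at the first resource that fails, so when the caller iterates `for i, policy := range policies` (context line in the hunk above) the remaining policies and resources are never evaluated or reported, and the exit status reflects only the first failure. Return the flag instead — signature `(bool, error)` and `return responseError, nil` — and let `Command` exit once after the loop has printed every result. Separately, `if responseError == true{` is not gofmt-clean; write `if responseError {`. The function's middle section lies outside the hunk.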
diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go
index 4744f51d3e..050bca3ea0 100644
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@@ -57,7 +57,8 @@ func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, error error) {
}
if errString != "" {
- return nil, sanitizedError.New(("falied to extract policies"))
+ fmt.Println("falied to extract policies")
+ os.Exit(2)
}
policies = append(policies, getPolicies...)
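Review bot: `os.Exit(2)` in `GetPolicies`, a library function in `pkg/kyverno/common` that already returns an `error`, takes the decision away from both CLI commands that call it and discards `errString`, so the user sees `falied to extract policies` with no hint of which file or why. Return the detail and keep exit-code handling in the commands: `return nil, sanitizedError.New("failed to extract policies: " + errString)`. `fmt` and `os` are not shown being imported in this hunk; confirm they are, or the build breaks. The function's body continues outside the hunk.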
diff --git a/pkg/kyverno/sanitizedError/error.go b/pkg/kyverno/sanitizedError/error.go
index 3c8ef003f7..9d0dbab0af 100644
--- a/pkg/kyverno/sanitizedError/error.go
+++ b/pkg/kyverno/sanitizedError/error.go
@@ -1,5 +1,7 @@
package sanitizedError
+import "fmt"
+
type customError struct {
message string
}
@@ -12,6 +14,11 @@ func New(message string) error {
return customError{message: message}
}
+func NewWithError(message string, err error) error {
+ msg := fmt.Sprintf("%s \nCause: %s", message, err.Error())
+ return customError{message: msg}
+}
+
func IsErrorSanitized(err error) bool {
if _, ok := err.(customError); !ok {
return false
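Review bot: `NewWithError` copies `err.Error()` verbatim into the message of a `customError`, so any code that uses `IsErrorSanitized` to decide an error is safe to display now shows the raw cause (file paths, API server responses), presumably the opposite of what this package exists for; if the cause is meant to be shown, say so in a doc comment on `NewWithError`, otherwise log the cause and keep only `message`. A nil `err` also panics on `err.Error()`; guard it with `if err == nil { return customError{message: message} }`. The format string `"%s \nCause: %s"` carries a stray space before the newline.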
diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go
index a5ff93c937..a1b6f6eeaf 100644
--- a/pkg/kyverno/validate/command.go
+++ b/pkg/kyverno/validate/command.go
@@ -2,6 +2,7 @@ package validate
import (
"fmt"
+ "os"
"github.com/nirmata/kyverno/pkg/utils"
@@ -34,15 +35,20 @@ func Command() *cobra.Command {
return err
}
+ invalidPolicyFound := false
for _, policy := range policies {
err = policyvalidate.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController)
if err != nil {
fmt.Println("Policy " + policy.Name + " is invalid")
+ invalidPolicyFound = true
} else {
fmt.Println("Policy " + policy.Name + " is valid")
}
}
+ if invalidPolicyFound == true {
+ os.Exit(1)
+ }
return nil
},
}
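Review bot: `os.Exit(1)` inside the `RunE` closure skips cobra's error handling and any deferred cleanup, and it uses a different code from `apply`, which exits 3 for the same invalid-policy condition elsewhere in this commit; return an error (or a sentinel the entry point maps to a status) so both commands agree with the documented exit-code table. Also `if invalidPolicyFound == true {` reads better as `if invalidPolicyFound {`. The `Command` function starts outside the hunk.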
diff --git a/scripts/install-cli.sh b/scripts/install-cli.sh
new file mode 100755
index 0000000000..dbe33b1f89
--- /dev/null
+++ b/scripts/install-cli.sh
@@ -0,0 +1,337 @@
+#!/bin/sh
+set -e
+# Code generated by godownloader on 2020-06-04T12:59:08Z. DO NOT EDIT.
+#
+
+usage() {
+ this=$1
+ cat </dev/null
+}
+echoerr() {
+ echo "$@" 1>&2
+}
+log_prefix() {
+ echo "$0"
+}
+_logp=6
+log_set_priority() {
+ _logp="$1"
+}
+log_priority() {
+ if test -z "$1"; then
+ echo "$_logp"
+ return
+ fi
+ [ "$1" -le "$_logp" ]
+}
+log_tag() {
+ case $1 in
+ 0) echo "emerg" ;;
+ 1) echo "alert" ;;
+ 2) echo "crit" ;;
+ 3) echo "err" ;;
+ 4) echo "warning" ;;
+ 5) echo "notice" ;;
+ 6) echo "info" ;;
+ 7) echo "debug" ;;
+ *) echo "$1" ;;
+ esac
+}
+log_debug() {
+ log_priority 7 || return 0
+ echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+}
+log_info() {
+ log_priority 6 || return 0
+ echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+}
+log_err() {
+ log_priority 3 || return 0
+ echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
+}
+log_crit() {
+ log_priority 2 || return 0
+ echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
+}
+uname_os() {
+ os=$(uname -s | tr '[:upper:]' '[:lower:]')
+ case "$os" in
+ cygwin_nt*) os="windows" ;;
+ mingw*) os="windows" ;;
+ msys_nt*) os="windows" ;;
+ esac
+ echo "$os"
+}
+uname_arch() {
+ arch=$(uname -m)
+ case $arch in
+ x86_64) arch="amd64" ;;
+ x86) arch="386" ;;
+ i686) arch="386" ;;
+ i386) arch="386" ;;
+ aarch64) arch="arm64" ;;
+ armv5*) arch="armv5" ;;
+ armv6*) arch="armv6" ;;
+ armv7*) arch="armv7" ;;
+ esac
+ echo ${arch}
+}
+uname_os_check() {
+ os=$(uname_os)
+ case "$os" in
+ darwin) return 0 ;;
+ dragonfly) return 0 ;;
+ freebsd) return 0 ;;
+ linux) return 0 ;;
+ android) return 0 ;;
+ nacl) return 0 ;;
+ netbsd) return 0 ;;
+ openbsd) return 0 ;;
+ plan9) return 0 ;;
+ solaris) return 0 ;;
+ windows) return 0 ;;
+ esac
+ log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
+ return 1
+}
+uname_arch_check() {
+ arch=$(uname_arch)
+ case "$arch" in
+ 386) return 0 ;;
+ amd64) return 0 ;;
+ arm64) return 0 ;;
+ armv5) return 0 ;;
+ armv6) return 0 ;;
+ armv7) return 0 ;;
+ ppc64) return 0 ;;
+ ppc64le) return 0 ;;
+ mips) return 0 ;;
+ mipsle) return 0 ;;
+ mips64) return 0 ;;
+ mips64le) return 0 ;;
+ s390x) return 0 ;;
+ amd64p32) return 0 ;;
+ esac
+ log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib"
+ return 1
+}
+untar() {
+ tarball=$1
+ case "${tarball}" in
+ *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
+ *.tar) tar --no-same-owner -xf "${tarball}" ;;
+ *.zip) unzip "${tarball}" ;;
+ *)
+ log_err "untar unknown archive format for ${tarball}"
+ return 1
+ ;;
+ esac
+}
+http_download_curl() {
+ local_file=$1
+ source_url=$2
+ header=$3
+ if [ -z "$header" ]; then
+ code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
+ else
+ code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
+ fi
+ if [ "$code" != "200" ]; then
+ log_debug "http_download_curl received HTTP status $code"
+ return 1
+ fi
+ return 0
+}
+http_download_wget() {
+ local_file=$1
+ source_url=$2
+ header=$3
+ if [ -z "$header" ]; then
+ wget -q -O "$local_file" "$source_url"
+ else
+ wget -q --header "$header" -O "$local_file" "$source_url"
+ fi
+}
+http_download() {
+ log_debug "http_download $2"
+ if is_command curl; then
+ http_download_curl "$@"
+ return
+ elif is_command wget; then
+ http_download_wget "$@"
+ return
+ fi
+ log_crit "http_download unable to find wget or curl"
+ return 1
+}
+http_copy() {
+ tmp=$(mktemp)
+ http_download "${tmp}" "$1" "$2" || return 1
+ body=$(cat "$tmp")
+ rm -f "${tmp}"
+ echo "$body"
+}
+github_release() {
+ owner_repo=$1
+ version=$2
+ test -z "$version" && version="latest"
+ giturl="https://github.com/${owner_repo}/releases/${version}"
+ json=$(http_copy "$giturl" "Accept:application/json")
+ test -z "$json" && return 1
+ version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
+ test -z "$version" && return 1
+ echo "$version"
+}
+hash_sha256() {
+ TARGET=${1:-/dev/stdin}
+ if is_command gsha256sum; then
+ hash=$(gsha256sum "$TARGET") || return 1
+ echo "$hash" | cut -d ' ' -f 1
+ elif is_command sha256sum; then
+ hash=$(sha256sum "$TARGET") || return 1
+ echo "$hash" | cut -d ' ' -f 1
+ elif is_command shasum; then
+ hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
+ echo "$hash" | cut -d ' ' -f 1
+ elif is_command openssl; then
+ hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
+ echo "$hash" | cut -d ' ' -f a
+ else
+ log_crit "hash_sha256 unable to find command to compute sha-256 hash"
+ return 1
+ fi
+}
+hash_sha256_verify() {
+ TARGET=$1
+ checksums=$2
+ if [ -z "$checksums" ]; then
+ log_err "hash_sha256_verify checksum file not specified in arg2"
+ return 1
+ fi
+ BASENAME=${TARGET##*/}
+ want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
+ if [ -z "$want" ]; then
+ log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
+ return 1
+ fi
+ got=$(hash_sha256 "$TARGET")
+ if [ "$want" != "$got" ]; then
+ log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
+ return 1
+ fi
+}
+cat /dev/null <