Merge pull request #694 from nirmata/688_addClusterRole

kyverno ClusterRole

definitions/install.yaml

@@ -472,25 +472,174 @@ metadata:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
-  name: kyverno-admin
+  name: kyverno:webhook
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: kyverno:webhook
 subjects:
 - kind: ServiceAccount
   name: kyverno-service-account
   namespace: kyverno
 ---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:userinfo
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:userinfo
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:customresources
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:customresources
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:policycontroller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:policycontroller
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:generatecontroller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:generatecontroller
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: policyviolation
+  name: kyverno:webhook
 rules:
-- apiGroups: ["kyverno.io"]
+# Dynamic creation of webhooks, events & certs
+- apiGroups:
+  - '*'
   resources:
+  - events
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  - certificatesigningrequests
+  - certificatesigningrequests/approval
+  verbs:
+  - create
+  - delete
+  - get 
+  - list
+  - patch
+  - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:userinfo
+rules:
+# get the roleRef for incoming api-request user
+- apiGroups:
+  - "*"
+  resources:
+  - rolebindings
+  - clusterrolebindings
+  - configmaps
+  verbs:
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:customresources
+rules:
+# Kyverno CRs
+- apiGroups:
+  - '*'
+  resources:
+  - clusterpolicies
+  - clusterpolicies/status
+  - clusterpolicyviolations
+  - clusterpolicyviolations/status
   - policyviolations
-  verbs: ["get", "list", "watch"]
+  - policyviolations/status
+  - generaterequests
+  - generaterequests/status
+  verbs:
+  - create
+  - delete
+  - get 
+  - list 
+  - patch
+  - update
+  - watch
+---  
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:policycontroller
+rules:
+# background processing, identify all existing resources
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:generatecontroller
+rules:
+# process generate rules to generate resources
+- apiGroups:
+  - "*"
+  resources:
+  - namespaces
+  - networkpolicies
+  - secrets
+  - configmaps
+  - resourcequotas
+  - limitranges
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+# dynamic watches on trigger resources for generate rules
+# re-evaluate the policy if the resource is updated
+- apiGroups:
+  - '*'
+  resources:
+  - namespaces
+  verbs:
+  - watch  
 ---
 apiVersion: v1
 kind: ConfigMap

documentation/installation.md

@@ -81,7 +81,57 @@ Secret | Data | Content
 
 Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations.
 
-### 3. Install Kyverno
+### 3. Configure Kyverno Role
+Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to multiple ClusterRole, which defines the default resources and operations that are permitted.
+
+ClusterRoles used by kyverno:
+- kyverno:webhook
+- kyverno:userinfo
+- kyverno:customresources
+- kyverno:policycontroller
+- kyverno:generatecontroller
+
+The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs permissions to create/update/delete. This can be done by adding the resource to the ClusterRole `kyverno:generatecontroller` used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:generatecontroller
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - namespaces
+  - networkpolicies
+  - secrets
+  - configmaps
+  - resourcequotas
+  - limitranges
+  - ResourceA # new Resource to be generated
+  - ResourceB
+  verbs:
+  - create # generate new resources
+  - get # check the contents of exiting resources
+  - update # update existing resource, if required configuration defined in policy is not present
+  - delete # clean-up, if the generate trigger resource is deleted
+```
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno-admin-generate
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyvernoRoleGenerate # clusterRole defined above, to manage generated resources
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account # default kyverno serviceAccount
+  namespace: kyverno
+```
+
+### 4. Install Kyverno
 
 To install a specific version, change the image tag with git tag in `install.yaml`.