diff --git a/definitions/install.yaml b/definitions/install.yaml
index b72f149931..f90506cd76 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -472,25 +472,174 @@ metadata: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: - name: kyverno-admin + name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: kyverno:webhook subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: policyviolation + name: kyverno:webhook rules: -- apiGroups: ["kyverno.io"] +# Dynamic creation of webhooks, events & certs +- apiGroups: + - '*' resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - 
delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: +# get the roleRef for incoming api-request user +- apiGroups: + - "*" + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:customresources +rules: +# Kyverno CRs +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status - policyviolations - verbs: ["get", "list", "watch"] + - policyviolations/status + - generaterequests + - generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +# background processing, identify all existing resources +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:generatecontroller +rules: +# process generate rules to generate resources +- apiGroups: + - "*" + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + verbs: + - create + - update + - delete + - get +# dynamic watches on trigger resources for generate rules +# re-evaluate the policy if the resource is updated +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch --- apiVersion: v1 kind: ConfigMap diff --git a/documentation/installation.md b/documentation/installation.md index b81f645ccb..b80317ab3e 100644 --- a/documentation/installation.md +++ b/documentation/installation.md 
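Review bot: The new `kyverno:policycontroller` ClusterRole (`apiGroups: '*'`, `resources: '*'`, verbs `get`/`list`) still lets `kyverno-service-account` read every object in the cluster, including all `secrets` and therefore every service-account token, so the move off `cluster-admin` is narrower than the five role names suggest; if background scanning only needs the kinds policies can match, enumerate those resources, and otherwise add a comment at that rule such as `# NOTE: '*' includes secrets in every namespace; any privileged SA token read here is cluster-admin-equivalent`. Likewise `apiGroups: '*'` on the other four roles can be pinned to the groups actually used — `[""]` for events/configmaps/namespaces/secrets/resourcequotas/limitranges, `["admissionregistration.k8s.io"]` for the webhook configurations, `["certificates.k8s.io"]` for CSRs, `["rbac.authorization.k8s.io"]` for the bindings, `["kyverno.io"]` for the CRs, `["networking.k8s.io"]` for networkpolicies — so a same-named resource in an unrelated group is not silently granted. `update`/`patch` on `certificatesigningrequests/approval` lets the webhook approve any CSR in the cluster, not only the one it creates for its own serving cert; a comment on that line stating why self-approval is needed (and which signer/subjects it is expected to approve) would make the risk reviewable. `kyverno:userinfo` grants only `watch` on rolebindings/clusterrolebindings/configmaps; if those are consumed through informers, `list` is presumably also required — confirm against the controller before the webhook starts denying on a forbidden list.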
@@ -81,7 +81,57 @@ Secret | Data | Content Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations. -### 3. Install Kyverno +### 3. Configure Kyverno Role +Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to multiple ClusterRole, which defines the default resources and operations that are permitted. + +ClusterRoles used by kyverno: +- kyverno:webhook +- kyverno:userinfo +- kyverno:customresources +- kyverno:policycontroller +- kyverno:generatecontroller + +The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs permissions to create/update/delete. This can be done by adding the resource to the ClusterRole `kyverno:generatecontroller` used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount. 
+ +```yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:generatecontroller +rules: +- apiGroups: + - "*" + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + - ResourceA # new Resource to be generated + - ResourceB + verbs: + - create # generate new resources + - get # check the contents of exiting resources + - update # update existing resource, if required configuration defined in policy is not present + - delete # clean-up, if the generate trigger resource is deleted +``` +```yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno-admin-generate +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyvernoRoleGenerate # clusterRole defined above, to manage generated resources +subjects: +- kind: ServiceAccount + name: kyverno-service-account # default kyverno serviceAccount + namespace: kyverno +``` + +### 4. Install Kyverno To install a specific version, change the image tag with git tag in `install.yaml`.