From 38b4f97585006768f6652ae5b0c7db781143523f Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 11 Feb 2020 13:43:36 -0800
Subject: [PATCH 1/4] use kyverno ClusterRole
---
definitions/install.yaml | 85 +++++++++++++++++++++++++++++++++++++---
1 file changed, 80 insertions(+), 5 deletions(-)
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 1fb0d61762..b301c664b7 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -474,21 +474,96 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: kyvernoRole subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: policyviolation + name: kyvernoRole rules: -- apiGroups: ["kyverno.io"] +# Dynamic creation of webhooks and events +- apiGroups: + - '*' resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +# get the roleRef for incoming api-request user +- apiGroups: + - '*' + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +# Kyverno CRs +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status - policyviolations - verbs: ["get", "list", "watch"] + - policyviolations/status + - generaterequests + - generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +# auto rule gen for pod-controllers using annotations will be under same user + +# background processing, identify all existing resources +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list +# process generate rules to generate resources +- apiGroups: + - '*' + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + verbs: + - create + - update + - delete + - get +# dynamic watches on trigger resources for generate rules +# re-evaluate the policy if the resource is updated +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch --- apiVersion: v1 kind: ConfigMap From 6e57747cb549c0df08fdae4e5e686aedcabb697f Mon Sep 17 00:00:00 2001 
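Review bot: Every rule in the new `kyvernoRole` uses `apiGroups: - '*'`, although each listed resource lives in one known group (events in `""`/`events.k8s.io`, the webhook configurations in `admissionregistration.k8s.io`, certificatesigningrequests in `certificates.k8s.io`, the kyverno CRs in `kyverno.io`), so the grant also covers any same-named resource in any other group, including ones added later; pinning the group per rule, e.g. `- apiGroups: ["admissionregistration.k8s.io"]` for the webhook rule, keeps the move away from cluster-admin meaningful. The first rule's create/update/patch on mutating and validating webhook configurations plus update on `certificatesigningrequests/approval` are cluster-scoped controls, so a comment naming that, `# cluster-wide impact: webhook config + CSR approval rights`, would help the next reviewer. Note also that changing roleRef on the already-installed binding (named `kyverno-admin` per the later patch's context; its kind/metadata lines sit above this hunk) is rejected by the API server on an in-place `kubectl apply`, since roleRef is immutable on a ClusterRoleBinding, so the upgrade path needs the old binding deleted and recreated.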
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 11 Feb 2020 13:46:00 -0800
Subject: [PATCH 2/4] update apiVersion for clusterRole
---
definitions/install.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/definitions/install.yaml b/definitions/install.yaml
index b301c664b7..4dee864bce 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -480,7 +480,7 @@ subjects:
name: kyverno-service-account
namespace: kyverno
---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyvernoRole
From 70ac8b1d2042e387dc799885e69c3ce1991a0e6c Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 18 Feb 2020 12:07:47 -0800
Subject: [PATCH 3/4] update documentation for kyverno role
---
documentation/installation.md | 40 ++++++++++++++++++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/documentation/installation.md b/documentation/installation.md
index b81f645ccb..d1e0517289 100644
--- a/documentation/installation.md
+++ b/documentation/installation.md
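Review bot: Moving the ClusterRole from `rbac.authorization.k8s.io/v1` back to `v1beta1` goes in the opposite direction from the API's lifecycle: `v1` has been GA since Kubernetes 1.8 and the beta version is deprecated and removed in 1.22, so this buys compatibility only with very old clusters while guaranteeing future breakage. If the motivation is consistency with the `v1beta1` used by the neighbouring ClusterRoleBinding (visible in the next patch's context), the better fix is to move the whole file to `v1`; otherwise a comment such as `# rbac v1beta1 kept for <reason>; v1 is GA since k8s 1.8` should record why the older version is required.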
@@ -81,7 +81,45 @@ Secret | Data | Content Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations. -### 3. Install Kyverno +### 3. Configure Kyverno Role +Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to ClusterRole `kyvernoRole`, which defines the default resources and operations that are permitted. + +The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs access to them. This can be done by adding the resource to default ClusterRole used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount. + + +```yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyvernoRoleGenerate +rules: +- apiGroups: + - "*" + resources: + - ResourceA # new Resource to be generated + - ResourceB + verbs: + - create # generate new resources + - get # check the contents of exiting resources + - update # update existing resource, if required configuration defined in policy is not present + - delete # clean-up, if the generate trigger resource is deleted +``` +```yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno-admin-generate +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyvernoRoleGenerate # clusterRole defined above, to manage generated resources +subjects: +- kind: ServiceAccount + name: kyverno-service-account # default kyverno serviceAccount + namespace: kyverno +``` + +### 4. Install Kyverno To install a specific version, change the image tag with git tag in `install.yaml`. 
From c402b5602cfb54bbe8b8dc9be9f3228e88237a79 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 18 Feb 2020 17:10:15 -0800
Subject: [PATCH 4/4] CR fixes
---
definitions/install.yaml | 90 +++++++++++++++++++++++++++++++++----
documentation/installation.md | 18 +++++--
2 files changed, 97 insertions(+), 11 deletions(-)
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 4dee864bce..7da196782d 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -470,22 +470,74 @@ metadata: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: - name: kyverno-admin + name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kyvernoRole + name: kyverno:webhook subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: kyvernoRole + name: kyverno:webhook rules: -# Dynamic creation of webhooks and events +# Dynamic creation of webhooks, events & certs - apiGroups: - '*' resources: 
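Review bot: Renaming the binding from `kyverno-admin` to `kyverno:webhook` means a `kubectl apply` on an existing install leaves the old `kyverno-admin` ClusterRoleBinding behind, and on installs that predate the first patch of this series that stale binding still points at `cluster-admin`, silently undoing the privilege reduction; the upgrade notes should call for `kubectl delete clusterrolebinding kyverno-admin` before applying. Also, all five new bindings attach to the same `kyverno-service-account`, so the split into five ClusterRoles documents intent but does not reduce what the pod's token can do — its effective permissions are the union; a comment at the first binding, `# all five roles bind to one ServiceAccount; effective privilege is their union`, would keep the split from being read as isolation. The `kyverno:webhook` ClusterRole's rules continue past the end of the hunk.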
@@ -502,15 +554,27 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: # get the roleRef for incoming api-request user - apiGroups: - - '*' + - "*" resources: - rolebindings - clusterrolebindings - configmaps verbs: - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:customresources +rules: # Kyverno CRs - apiGroups: - '*' @@ -531,8 +595,12 @@ rules: - patch - update - watch -# auto rule gen for pod-controllers using annotations will be under same user - +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: # background processing, identify all existing resources - apiGroups: - '*' @@ -541,9 +609,15 @@ rules: verbs: - get - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:generatecontroller +rules: # process generate rules to generate resources - apiGroups: - - '*' + - "*" resources: - namespaces - networkpolicies diff --git a/documentation/installation.md b/documentation/installation.md index d1e0517289..b80317ab3e 100644 --- a/documentation/installation.md +++ b/documentation/installation.md 
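Review bot: The `'*'` → `"*"` change in the kyverno:userinfo rule (and again in the kyverno:generatecontroller hunk further down) leaves the file mixing both quote styles for the same value, since the kyverno:customresources and kyverno:policycontroller rules keep `'*'`; both forms parse identically, so pick one file-wide — single quotes are the usual choice for literal strings — and drop the two quote-only line changes from this commit. Separately, the userinfo rule grants only `watch` on rolebindings, clusterrolebindings and configmaps; if the consumer is a shared informer it also needs `list` to fill its initial cache, so a forbidden error at startup is likely — worth confirming against the code that uses this role and, if so, adding `- list` next to `- watch`.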
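Review bot: The kyverno:policycontroller rule introduced in the `@@ -531,8 +595,12 @@` hunk is the broadest grant in the file — `apiGroups: '*'` combined with the `resources: '*'` / get,list lines that sit just below the hunk (added in the first patch) reads every resource in every API group cluster-wide, Secrets included — and it is now a standalone role whose name suggests a much narrower scope. That breadth may be inherent to background scanning of arbitrary policy targets, but it should be stated where the role is defined, e.g. `# cluster-wide read of ALL resources (incl. secrets) for background policy scans`, so nobody mistakes this for a limited controller role. The rule's resources and verbs lines lie outside the hunk.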
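Review bot: The kyverno:generatecontroller role in the `@@ -541,9 +609,15 @@` hunk grants create/update/delete on secrets, configmaps, namespaces, networkpolicies, resourcequotas and limitranges in every API group (`apiGroups: "*"`), and the documentation hunk in this same patch tells users to extend that list for each generated resource type. Pinning the groups (`[""]` for the core resources, `networking.k8s.io` for networkpolicies) and keeping write verbs to the resource types that generate rules actually create keeps the controller's blast radius bounded; a comment at the resources list, `# extend only with resource types that generate rules actually create`, would make that expectation explicit. The rule's resources list and verbs continue past the end of the hunk.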
@@ -82,20 +82,32 @@ Secret | Data | Content Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations. ### 3. Configure Kyverno Role -Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to ClusterRole `kyvernoRole`, which defines the default resources and operations that are permitted. +Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to multiple ClusterRole, which defines the default resources and operations that are permitted. -The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs access to them. This can be done by adding the resource to default ClusterRole used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount. +ClusterRoles used by kyverno: +- kyverno:webhook +- kyverno:userinfo +- kyverno:customresources +- kyverno:policycontroller +- kyverno:generatecontroller +The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs permissions to create/update/delete. This can be done by adding the resource to the ClusterRole `kyverno:generatecontroller` used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount. 
```yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: kyvernoRoleGenerate + name: kyverno:generatecontroller rules: - apiGroups: - "*" resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges - ResourceA # new Resource to be generated - ResourceB verbs: