
Merge branch 'master' into policyreport

# Conflicts:
#	charts/kyverno/values.yaml
This commit is contained in:
Shuting Zhao 2020-10-22 20:35:22 -07:00
commit 36c549ea22
20 changed files with 155 additions and 52 deletions


@ -1,7 +1,7 @@
apiVersion: v1
name: kyverno
version: 1.2.0
appVersion: v1.2.0
version: 1.2.1
appVersion: v1.2.1
icon: https://github.com/kyverno/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png
description: Kubernetes Native Policy Management
keywords:


@ -70,6 +70,7 @@ Parameter | Description | Default
`initImage.tag` | Init image tag | `nil`
`livenessProbe` | liveness probe configuration | `{}`
`nameOverride` | override the name of the chart | `nil`
`namespace` | namespace the chart deploy to | `nil`
`nodeSelector` | node labels for pod assignment | `{}`
`podAnnotations` | annotations to add to each pod | `{}`
`podLabels` | additional labels to add to each pod | `{}`


@ -47,6 +47,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
{{- end -}}
{{/* Get the namespace name. */}}
{{- define "kyverno.namespace" -}}
{{- if .Values.namespace -}}
{{- .Values.namespace -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/* Create the name of the service to use */}}
{{- define "kyverno.serviceName" -}}
{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
@ -59,4 +69,4 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- else -}}
{{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- end -}}


@ -10,7 +10,7 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@ -23,7 +23,7 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@ -36,7 +36,7 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@ -49,8 +49,8 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@ -62,5 +62,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}


@ -4,7 +4,7 @@ kind: ConfigMap
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
name: {{ template "kyverno.configMapName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ template "kyverno.namespace" . }}
data:
# resource types to be skipped by kyverno policy engine
{{- if .Values.config.resourceFilters }}
@ -16,4 +16,4 @@ data:
{{- if .Values.config.excludeUsername }}
excludeUsername: {{ join "" .Values.config.excludeUsername | quote }}
{{- end -}}
{{- end -}}
{{- end -}}


@ -3,7 +3,7 @@ kind: Deployment
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
namespace: {{ .Release.Namespace }}
namespace: {{ template "kyverno.namespace" . }}
spec:
selector:
matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
@ -41,6 +41,15 @@ spec:
- name: kyverno-pre
image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
containers:
- name: kyverno
image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
@ -51,8 +60,17 @@ spec:
{{- with .Values.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
ports:
- containerPort: 443
- containerPort: 9443
name: https
protocol: TCP
env:
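Review bot: The container `securityContext` blocks added for `kyverno-pre` and `kyverno` hard-code `runAsUser: 1000` and the other fields directly in the template, whereas the surrounding chart renders comparable settings from values (`{{- with .Values.resources }}` two lines above); clusters that assign UIDs themselves (OpenShift-style SCCs) cannot override a literal 1000. Consider putting these defaults in values.yaml and rendering them with `{{- with .Values.securityContext }}` / `securityContext: {{ toYaml . | nindent 12 }}` / `{{- end }}`, with a separate key for the init container if it should differ. `readOnlyRootFilesystem: true` is a sound default, but whether either container writes to its own filesystem is not visible here, so please confirm no emptyDir scratch mount is needed. The container port moving from 443 to 9443 is presumably because a non-root process with all capabilities dropped cannot bind 443; a one-line comment above `containerPort: 9443` stating that would save the next reader the hunt.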


@ -1,10 +1,10 @@
{{- if .Values.createSelfSignedCert }}
{{- $ca := .ca | default (genCA (printf "*.%s.svc" .Release.Namespace) 1024) -}}
{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) .Release.Namespace) nil nil 1024 $ca -}}
{{- $ca := .ca | default (genCA (printf "*.%s.svc" "kyverno.namespace") 1024) -}}
{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) "kyverno.namespace") nil nil 1024 $ca -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-ca
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
labels: {{ include "kyverno.labels" . | nindent 4 }}
data:
rootCA.crt: {{ $ca.Cert | b64enc }}
@ -12,7 +12,7 @@ data:
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-pair
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
labels: {{ include "kyverno.labels" . | nindent 4 }}
annotations:
self-signed-cert: "true"
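Review bot: The rewritten `genCA` and `genSignedCert` lines pass the string literal `"kyverno.namespace"` where the namespace value is meant, so the self-signed CA is issued for `*.kyverno.namespace.svc` and the leaf certificate for `<service>.kyverno.namespace.svc` rather than for the service's real in-cluster name, while the Secret names in the same hunk correctly use `{{ template "kyverno.namespace" . }}`. The API server is expected to verify the webhook's serving certificate against `<service>.<namespace>.svc`, so a self-signed install would presumably fail the TLS handshake on every admission request. Both lines should call the helper: `{{- $ca := .ca | default (genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024) -}}` and `{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) nil nil 1024 $ca -}}`. While here, the 1024-bit key size carried over from the old lines is below the generally accepted 2048-bit minimum for RSA and is worth raising in the same change.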


@ -3,7 +3,7 @@ kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
namespace: {{ .Release.Namespace }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.service.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
{{- end }}
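Review bot: This section only changes the namespace source, yet the chart's Deployment in the same commit moves the container port from 443 to 9443 and names it `https`, and the static manifests switch their Service to `targetPort: https`; the chart Service's `targetPort` lies outside this hunk and is not shown changed. If it is still the literal 443, the Service would route to a port nothing listens on after upgrading. Please confirm the chart's service.yaml reads `targetPort: https` (or 9443).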


@ -7,5 +7,5 @@ metadata:
{{- if .Values.rbac.serviceAccount.annotations }}
annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
{{- end }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}


@ -1,5 +1,6 @@
nameOverride:
fullnameOverride:
namespace:
rbac:
create: true
@ -55,7 +56,7 @@ resources:
livenessProbe:
httpGet:
path: /health/liveness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
@ -69,7 +70,7 @@ livenessProbe:
readinessProbe:
httpGet:
path: /health/readiness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10


@ -2498,7 +2498,7 @@ metadata:
spec:
ports:
- port: 443
targetPort: 443
targetPort: https
selector:
app: kyverno
---
@ -2532,13 +2532,13 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: nirmata/kyverno:v1.2.0
image: nirmata/kyverno:v1.2.1
imagePullPolicy: Always
livenessProbe:
failureThreshold: 4
httpGet:
path: /health/liveness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
@ -2546,12 +2546,14 @@ spec:
timeoutSeconds: 5
name: kyverno
ports:
- containerPort: 443
- containerPort: 9443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 4
httpGet:
path: /health/readiness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
@ -2563,8 +2565,28 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
initContainers:
- image: nirmata/kyvernopre:v1.2.0
- image: nirmata/kyvernopre:v1.2.1
imagePullPolicy: Always
name: kyverno-pre
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
securityContext:
runAsNonRoot: true
serviceAccountName: kyverno-service-account


@ -2498,6 +2498,6 @@ metadata:
spec:
ports:
- port: 443
targetPort: 443
targetPort: https
selector:
app: kyverno


@ -14,7 +14,7 @@ metadata:
spec:
ports:
- port: 443
targetPort: 443
targetPort: https
selector:
app: kyverno
---


@ -8,7 +8,7 @@ resources:
images:
- name: nirmata/kyverno
newName: nirmata/kyverno
newTag: v1.2.0
newTag: v1.2.1
- name: nirmata/kyvernopre
newName: nirmata/kyvernopre
newTag: v1.2.0
newTag: v1.2.1


@ -17,13 +17,24 @@ spec:
app: kyverno
spec:
serviceAccountName: kyverno-service-account
securityContext:
runAsNonRoot: true
initContainers:
- name: kyverno-pre
image: nirmata/kyvernopre:v1.1.9
imagePullPolicy: Always
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
containers:
- name: kyverno
image: nirmata/kyverno:v1.1.9
image: nirmata/kyverno:latest
imagePullPolicy: Always
args:
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
@ -33,7 +44,9 @@ spec:
# - "--profile"
- "-v=2"
ports:
- containerPort: 443
- containerPort: 9443
name: https
protocol: TCP
env:
- name: INIT_CONFIG
value: init-config
@ -43,6 +56,15 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
resources:
requests:
memory: "50Mi"
@ -52,7 +74,7 @@ spec:
livenessProbe:
httpGet:
path: /health/liveness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
@ -62,11 +84,10 @@ spec:
readinessProbe:
httpGet:
path: /health/readiness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 4
successThreshold: 1
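Review bot: One of the two `image:` lines for the kyverno container in the first hunk is the mutable `nirmata/kyverno:latest` while the `kyverno-pre` init container stays pinned at `v1.1.9`; if `latest` is the new side, this base no longer pins a version and the two containers skew. The kustomization in this commit overrides both tags to v1.2.1, so the built output is pinned, but anyone applying this base directly (with `imagePullPolicy: Always`) gets a floating, non-reproducible image. Keeping the base at a fixed tag matching the init container and letting the kustomization bump it preserves reproducibility.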


@ -1043,7 +1043,7 @@ metadata:
spec:
ports:
- port: 443
targetPort: 443
targetPort: https
selector:
app: kyverno
---
@ -1077,13 +1077,13 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: nirmata/kyverno:v1.2.0
image: nirmata/kyverno:v1.2.1
imagePullPolicy: Always
livenessProbe:
failureThreshold: 4
httpGet:
path: /health/liveness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
@ -1091,12 +1091,14 @@ spec:
timeoutSeconds: 5
name: kyverno
ports:
- containerPort: 443
- containerPort: 9443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 4
httpGet:
path: /health/readiness
port: 443
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
@ -1108,8 +1110,28 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
initContainers:
- image: nirmata/kyvernopre:v1.2.0
- image: nirmata/kyvernopre:v1.2.1
imagePullPolicy: Always
name: kyverno-pre
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
securityContext:
runAsNonRoot: true
serviceAccountName: kyverno-service-account


@ -5,8 +5,12 @@ import (
"strconv"
)
// convertToString converts value to string
func convertToString(value interface{}) (string, error) {
// convertNumberToString converts value to string
func convertNumberToString(value interface{}) (string, error) {
if value == nil {
return "0", nil
}
switch typed := value.(type) {
case string:
return string(typed), nil
@ -17,7 +21,7 @@ func convertToString(value interface{}) (string, error) {
case int:
return strconv.Itoa(typed), nil
default:
return "", fmt.Errorf("Could not convert %T to string", value)
return "", fmt.Errorf("could not convert %v to string", typed)
}
}
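Review bot: The new `if value == nil { return "0", nil }` turns a conversion that previously failed into a successful numeric zero, so a caller comparing against a numeric pattern (validateNumberWithStr in this commit) will now evaluate an absent value as 0 instead of logging an error and returning false; if that is intended it should be stated, because it can change whether a policy's numeric check passes on a missing field. Suggest the doc comment read `// convertNumberToString converts a numeric or string value to its string form; a nil value is treated as the number 0.` In the `string` case, `return string(typed), nil` is a redundant conversion that staticcheck flags, since `typed` already has type string; `return typed, nil` suffices. In the second hunk, formatting `typed` with `%v` loses the type information the old `%T` message carried; `fmt.Errorf("could not convert %v (%T) to string", typed, typed)` keeps both.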


@ -224,7 +224,7 @@ func validateString(log logr.Logger, value interface{}, pattern string, operator
// validateNumberWithStr compares quantity if pattern type is quantity
// or a wildcard match to pattern string
func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, operator operator.Operator) bool {
typedValue, err := convertToString(value)
typedValue, err := convertNumberToString(value)
if err != nil {
log.Error(err, "failed to convert to string")
return false


@ -43,7 +43,7 @@ import (
// WebhookServer contains configured TLS server with MutationWebhook.
type WebhookServer struct {
server http.Server
server *http.Server
client *client.Client
kyvernoClient *kyvernoclient.Clientset
@ -213,8 +213,8 @@ func NewWebhookServer(
w.WriteHeader(http.StatusOK)
})
ws.server = http.Server{
Addr: ":443", // Listen on port for HTTPS requests
ws.server = &http.Server{
Addr: ":9443", // Listen on port for HTTPS requests
TLSConfig: &tlsConfig,
Handler: mux,
ReadTimeout: 15 * time.Second,
@ -511,12 +511,12 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
logger.Info("failed to sync informer cache")
}
go func(ws *WebhookServer) {
go func () {
logger.V(3).Info("started serving requests", "addr", ws.server.Addr)
if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
logger.Error(err, "failed to listen to requests")
}
}(ws)
}()
logger.Info("starting")
// verifies if the admission control is enabled and active
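Review bot: `go func () {` at the start of the rewritten goroutine in RunAsync is not gofmt-clean (gofmt writes `go func() {`), so the file should be run through gofmt before merge. The reason for the new `Addr: ":9443"` is only recoverable from the manifests elsewhere in this commit, which run the container as UID 1000 with all capabilities dropped, so the process presumably can no longer bind 443; the inline comment should say so, e.g. `Addr: ":9443", // unprivileged HTTPS port: the container runs as non-root with all capabilities dropped, so 443 cannot be bound`. The switch of the field to `*http.Server` appears intended to avoid copying a struct that embeds a mutex; a short comment on the struct field would record that. NewWebhookServer and RunAsync both extend beyond these hunks.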


@ -20,6 +20,10 @@ monitor_timeout() {
local -r wait_pid="$1"
sleep "${timeout}"
echo "Timeout ${timeout} exceeded" >&2
kubectl --namespace "${namespace}" get pods
docker images | grep "kyverno"
kubectl --namespace "${namespace}" describe deployment "${deployment}" -o yaml
kubectl --namespace "${namespace}" logs -l app=kyverno
kill "${wait_pid}"
}
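Review bot: `kubectl describe` does not accept an `-o` flag, so the new `describe deployment ... -o yaml` line will fail with an unknown-flag error and print no diagnostics; either drop the flag or use `kubectl --namespace "${namespace}" get deployment "${deployment}" -o yaml`. The `monitor_timeout` function begins above this hunk, so whether `namespace` and `deployment` are in scope at this point is not visible here. `kubectl logs -l app=kyverno` prints only the main container's current log; if the timeout is caused by the `kyverno-pre` init container, adding `--all-containers=true` may be needed to capture its output.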