Merge branch 'master' into 529_query

2025-03-31 03:45:17 +00:00 · 2019-12-17 16:22:00 -08:00 · 2019-12-17 16:22:00 -08:00 · 615f1ae940
commit 615f1ae940
parent 38987d50c3 337e0f7d1d
7 changed files with 56 additions and 7 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -31,6 +31,6 @@ after_success:
   if [ $TRAVIS_PULL_REQUEST == 'false' ]
   then
     docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
-#     make docker-publish-initContainer
-#     make docker-publish-kyverno
+    make docker-publish-initContainer
+    make docker-publish-kyverno
   fi
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -257,6 +257,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
@ -333,6 +336,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
@ -415,6 +421,16 @@ subjects:
  name: kyverno-service-account
  namespace: kyverno
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: policyviolation
+rules:
+- apiGroups: ["kyverno.io"]
+  resources:
+  - policyviolations
+  verbs: ["get", "list", "watch"]
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@ -447,7 +463,7 @@ spec:
          image: nirmata/kyvernopre:latest
      containers:
        - name: kyverno
-          image: nirmata/kyverno:v1.0.0
+          image: nirmata/kyverno:latest
          args:
          - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
          # customize webhook timout
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@ -257,6 +257,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
@ -333,6 +336,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
--- a/definitions/rolebinding.yaml
+++ b/definitions/rolebinding.yaml
@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: policyviolation
+  # change namespace below to create rolebinding for the namespace admin
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: policyviolation
+subjects:
+# configure below to access policy violation for the namespace admin
+- kind: ServiceAccount
+  name: default
+  namespace: default
+# - apiGroup: rbac.authorization.k8s.io
+#   kind: User
+#   name: 
+# - apiGroup: rbac.authorization.k8s.io
+#   kind: Group
+#   name: 
--- a/documentation/installation.md
+++ b/documentation/installation.md
@ -81,7 +81,7 @@ Kyverno uses secrets created above to setup TLS communication with the kube-apis

 To install a specific version, change the image tag with git tag in `install.yaml`.

-e.g., change image tag from `latest` to the specific tag `v0.3.0`.
+e.g., change image tag from `latest` to the specific tag `v1.0.0`.
 >>>
    spec:
      containers:
@ -112,6 +112,14 @@ kubectl logs <kyverno-pod-name> -n kyverno
 Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh)


+# Configure a namespace admin to access policy violations
+
+During Kyverno installation, it creates a ClusterRole `policyviolation` which has the `list,get,watch` operation on resource `policyviolations`. To grant access to a namespace admin, configure [definitions/rolebinding.yaml](../definitions/rolebinding.yaml) then apply to the cluster.
+
+- Replace `metadata.namespace` with namespace of the admin
+- Configure `subjects` field to bind admin's role to the ClusterRole `policyviolation`
+
+
 # Installing outside of the cluster (debug mode)

 To build Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@ -228,7 +228,6 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 	// mutating webhook configuration for verifying webhook
 	go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)

-	go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)
 	// wait for the removal go routines to return
 	wg.Wait()
 }
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -118,10 +118,9 @@ func NewWebhookServer(
 	}
 	mux := http.NewServeMux()
 	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
 	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
 	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
-
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,