diff --git a/.travis.yml b/.travis.yml
index b54baac153..27b31b021f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -31,6 +31,6 @@ after_success:
 if [ $TRAVIS_PULL_REQUEST == 'false' ]
 then
 docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
-# make docker-publish-initContainer
-# make docker-publish-kyverno
+ make docker-publish-initContainer
+ make docker-publish-kyverno
 fi
\ No newline at end of file
diff --git a/definitions/install.yaml b/definitions/install.yaml
index e0a00d8032..7c7d1fe95e 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -257,6 +257,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
@@ -333,6 +336,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
@@ -415,6 +421,16 @@ subjects:
 name: kyverno-service-account
 namespace: kyverno
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: policyviolation
+rules:
+- apiGroups: ["kyverno.io"]
+ resources:
+ - policyviolations
+ verbs: ["get", "list", "watch"]
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -447,7 +463,7 @@ spec:
 image: nirmata/kyvernopre:latest
 containers:
 - name: kyverno
- image: nirmata/kyverno:v1.0.0
+ image: nirmata/kyverno:latest
 args:
 - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
 # customize webhook timout
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index de92de67f1..c2303c28c5 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
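Review bot: Passing the registry password with `-p` on the `docker login -u $DOCKER_USER -p $DOCKER_PASSWORD` context line exposes it in the process list and can echo it into the build log, and uncommenting the two `make docker-publish-*` lines makes that login live on every non-PR build; read it from stdin instead: `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin`. The only gate visible here is `$TRAVIS_PULL_REQUEST == 'false'`, so unless a branch condition exists elsewhere in the file, a push to any branch now publishes images; consider also checking `$TRAVIS_BRANCH` against the release branch before publishing. The `if` block is inside the hunk but the enclosing `after_success` entry begins outside it.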
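Review bot: Switching the kyverno container from `nirmata/kyverno:v1.0.0` to `nirmata/kyverno:latest` in the last hunk makes the install manifest non-reproducible: whatever the registry serves as `latest` at apply time becomes the admission webhook, and a later push changes it with no manifest change, which also undercuts verification and rollback for a component sitting in the API server's request path. Prefer keeping a pinned tag (or a digest) in `install.yaml` and reserving `latest` for `install_debug.yaml`; the `kyvernopre` initContainer on the context line above is already on `latest` and has the same issue. Separately, the new ClusterRole `policyviolation` uses `rbac.authorization.k8s.io/v1beta1`; `rbac.authorization.k8s.io/v1` has been GA since Kubernetes 1.8 and v1beta1 is removed in 1.22, so `apiVersion: rbac.authorization.k8s.io/v1` avoids a future apply failure.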
@@ -257,6 +257,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
@@ -333,6 +336,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
diff --git a/definitions/rolebinding.yaml b/definitions/rolebinding.yaml
new file mode 100644
index 0000000000..b8240c0014
--- /dev/null
+++ b/definitions/rolebinding.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: policyviolation
+ # change namespace below to create rolebinding for the namespace admin
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: policyviolation
+subjects:
+# configure below to access policy violation for the namespace admin
+- kind: ServiceAccount
+ name: default
+ namespace: default
+# - apiGroup: rbac.authorization.k8s.io
+# kind: User
+# name:
+# - apiGroup: rbac.authorization.k8s.io
+# kind: Group
+# name:
\ No newline at end of file
diff --git a/documentation/installation.md b/documentation/installation.md
index 9ec9fd8273..9c470afca4 100644
--- a/documentation/installation.md
+++ b/documentation/installation.md
@@ -81,7 +81,7 @@ Kyverno uses secrets created above to setup TLS communication with the kube-apis
 To install a specific version, change the image tag with git tag in `install.yaml`.
-e.g., change image tag from `latest` to the specific tag `v0.3.0`.
+e.g., change image tag from `latest` to the specific tag `v1.0.0`.
 >>> spec:
 containers:
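Review bot: As shipped, `subjects` binds the ClusterRole to the `default` ServiceAccount in the `default` namespace, so applying the file unedited grants every pod in that namespace that has no explicit `serviceAccountName` read access to policy violations, rather than the namespace admin the comments describe. Since the file is a template, leave the subject entries commented out like the User/Group examples (or use an obvious placeholder such as `name: <namespace-admin-sa>`), so an unedited apply binds nothing instead of quietly widening access. The `apiVersion: rbac.authorization.k8s.io/v1beta1` should be `rbac.authorization.k8s.io/v1`, which has been GA since Kubernetes 1.8 (v1beta1 is removed in 1.22).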
@@ -112,6 +112,14 @@ kubectl logs -n kyverno
 Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh)
+# Configure a namespace admin to access policy violations
+
+During Kyverno installation, it creates a ClusterRole `policyviolation` which has the `list,get,watch` operation on resource `policyviolations`. To grant access to a namespace admin, configure [definitions/rolebinding.yaml](../definitions/rolebinding.yaml) then apply to the cluster.
+
+- Replace `metadata.namespace` with namespace of the admin
+- Configure `subjects` field to bind admin's role to the ClusterRole `policyviolation`
+
+
 # Installing outside of the cluster (debug mode)
 To build Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index febfb43739..9e0afec396 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -228,7 +228,6 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 // mutating webhook configuration for verifying webhook
 go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)
- go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)
 // wait for the removal go routines to return
 wg.Wait()
 }
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index e861d3b162..1b5dd58c5f 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
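Review bot: Dropping the duplicated `go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)` changes the number of goroutines that presumably call `wg.Done`, so the `wg.Add(n)` earlier in `removeWebhookConfigurations` (outside the hunk) must match: if it counted the duplicate, `wg.Wait()` now blocks forever; if it did not, the duplicate would have panicked with a negative counter on the second `Done`. Worth a comment at the `Add` tying the count to the launched goroutines, e.g. `// one Add per remove* goroutine started below`, or moving to `wg.Add(1)` immediately before each `go` statement so the two cannot drift again. The function's body begins outside the hunk.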
@@ -118,10 +118,9 @@ func NewWebhookServer(
 }
 mux := http.NewServeMux()
 mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
- mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
+ mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
 mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
 mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
-
 ws.server = http.Server{
 Addr: ":443", // Listen on port for HTTPS requests
 TLSConfig: &tlsConfig,
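Review bot: All four paths are routed to the same `ws.serve`, so the handler's dispatch on the request path (outside this hunk) must now recognize `config.VerifyMutatingWebhookServicePath` and no longer expect `config.ValidatingWebhookServicePath`; if the API-server-side webhook configuration still points at the old validating path, those requests now get a 404 from the mux, and the effect on admission then depends on that webhook's failurePolicy. The `http.Server` literal starting at `ws.server = http.Server{` continues past the hunk; if it does not set `ReadHeaderTimeout`, `ReadTimeout` and `WriteTimeout`, consider adding them, since slow or stalled connections to a listener on `:443` otherwise hold goroutines open indefinitely. `NewWebhookServer` begins outside the hunk.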