From 81a0cc4f45e305f044c01e3b18ebed67f7e93f87 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 12 Dec 2019 15:19:48 -0800
Subject: [PATCH 1/8] add age column to pv printer

---
 definitions/install.yaml | 6 ++++++
 definitions/install_debug.yaml | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 8841baa74b..6776c8585b 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -257,6 +257,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
@@ -333,6 +336,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index de92de67f1..c2303c28c5 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -257,6 +257,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
@@ -333,6 +336,9 @@ spec:
 type: string
 description: The resource name that caused the violation
 JSONPath: .spec.resource.name
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
 validation:
 openAPIV3Schema:
 properties:
From 03ee0486df57eca9c3a484a1e94580b955f8c026 Mon Sep 17 00:00:00 2001
From: Shivkumar Dudhani
Date: Thu, 12 Dec 2019 17:41:17 -0800
Subject: [PATCH 2/8] uncomment CI targets (#552)

---
 .travis.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index b54baac153..27b31b021f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -31,6 +31,6 @@ after_success:
 if [ $TRAVIS_PULL_REQUEST == 'false' ]
 then
 docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
-# make docker-publish-initContainer
-# make docker-publish-kyverno
+ make docker-publish-initContainer
+ make docker-publish-kyverno
 fi
\ No newline at end of file
From 782916b7e89183aa6229be4d35130c9b953b12e1 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 12 Dec 2019 17:45:02 -0800
Subject: [PATCH 3/8] add clusterrole to access policyviolation

---
 definitions/install.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 6776c8585b..7c7d1fe95e 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -421,6 +421,16 @@ subjects:
 name: kyverno-service-account
 namespace: kyverno
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: policyviolation
+rules:
+- apiGroups: ["kyverno.io"]
+ resources:
+ - policyviolations
+ verbs: ["get", "list", "watch"]
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
From bc19f408bd97e785edc4e5254e17d85d07bec00e Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 12 Dec 2019 17:46:35 -0800
Subject: [PATCH 4/8] add rolebinding manifest for a ns admin

---
 definitions/rolebinding.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 definitions/rolebinding.yaml

diff --git a/definitions/rolebinding.yaml b/definitions/rolebinding.yaml
new file mode 100644
index 0000000000..b8240c0014
--- /dev/null
+++ b/definitions/rolebinding.yaml
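Review bot: Now that the publish targets are live, the context line `docker login -u $DOCKER_USER -p $DOCKER_PASSWORD` hands the registry secret to the Docker CLI as an argument, where it is visible in the process list and in any build log that echoes commands; switch it to `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin`. The only gate visible in this hunk is `$TRAVIS_PULL_REQUEST == 'false'`, so as far as the hunk shows, a push to any branch will publish an image; if only release branches should publish, add a `$TRAVIS_BRANCH` or tag condition next to it. The unquoted `[ $TRAVIS_PULL_REQUEST == 'false' ]` also errors out if the variable is unset; `[ "$TRAVIS_PULL_REQUEST" = 'false' ]` is the portable form.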
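Review bot: The new `policyviolation` ClusterRole is added only to `definitions/install.yaml` (the diffstat lists one file), whereas patch 1 of this series updates `install.yaml` and `install_debug.yaml` together; if `install_debug.yaml` is meant as a drop-in alternative, a cluster installed from it will lack the ClusterRole and a RoleBinding that references it grants nothing. Either add the same ten lines there or note the difference in the installation doc. Separately, the manifest uses `rbac.authorization.k8s.io/v1beta1`; the `v1` API has been stable since Kubernetes 1.8 and the beta version is deprecated, so `apiVersion: rbac.authorization.k8s.io/v1` is the safer choice for a new object.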
@@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: policyviolation + # change namespace below to create rolebinding for the namespace admin + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: policyviolation +subjects: +# configure below to access policy violation for the namespace admin +- kind: ServiceAccount + name: default + namespace: default +# - apiGroup: rbac.authorization.k8s.io +# kind: User +# name: +# - apiGroup: rbac.authorization.k8s.io +# kind: Group +# name: \ No newline at end of file From e066be3efa83a6a294930654022d06e093e95156 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Thu, 12 Dec 2019 18:02:54 -0800 Subject: [PATCH 5/8] update installation.md --- documentation/installation.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/documentation/installation.md b/documentation/installation.md index 9ec9fd8273..9c470afca4 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -81,7 +81,7 @@ Kyverno uses secrets created above to setup TLS communication with the kube-apis To install a specific version, change the image tag with git tag in `install.yaml`. -e.g., change image tag from `latest` to the specific tag `v0.3.0`. +e.g., change image tag from `latest` to the specific tag `v1.0.0`. >>> spec: containers: 
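Review bot: The only uncommented subject in the new `rolebinding.yaml` is the `default` ServiceAccount of the `default` namespace, which is the token mounted into every pod in that namespace that does not set `automountServiceAccountToken: false`; applying the file as shipped therefore grants arbitrary workloads read access to policy violations rather than the namespace admin the comments describe. Ship the ServiceAccount entry commented out like the User and Group entries below it, e.g. `# - kind: ServiceAccount` / `#   name: <admin-sa>` / `#   namespace: <ns>`, so a copy-and-apply cannot grant access by accident. As with the ClusterRole it binds, `rbac.authorization.k8s.io/v1` is preferable to the deprecated `v1beta1`.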
@@ -112,6 +112,14 @@ kubectl logs -n kyverno Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh) +# Configure a namespace admin to access policy violations + +During Kyverno installation, it creates a ClusterRole `policyviolation` which has the `list,get,watch` operation on resource `policyviolations`. To grant access to a namespace admin, configure [definitions/rolebinding.yaml](../definitions/rolebinding.yaml) then apply to the cluster. + +- Replace `metadata.namespace` with namespace of the admin +- Configure `subjects` field to bind admin's role to the ClusterRole `policyviolation` + + # Installing outside of the cluster (debug mode) To build Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building From 625e45c847dd0e76180e0154f128fe6dea2903a7 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Thu, 12 Dec 2019 18:55:40 -0800 Subject: [PATCH 6/8] remove duplicate code --- pkg/webhookconfig/registration.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index febfb43739..9e0afec396 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -228,7 +228,6 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() { // mutating webhook configuration for verifying webhook go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg) - go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg) // wait for the removal go routines to return wg.Wait() } From 793d878b18e5eec088518a95eab41321623cfd05 Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Fri, 13 Dec 2019 11:13:58 -0800 Subject: [PATCH 7/8] correct webhook endpoint --- pkg/webhooks/server.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index e861d3b162..1b5dd58c5f 100644 
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -118,10 +118,9 @@ func NewWebhookServer(
 }
 mux := http.NewServeMux()
 mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
- mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
+ mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
 mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
 mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
-
 ws.server = http.Server{
 Addr: ":443", // Listen on port for HTTPS requests
 TLSConfig: &tlsConfig,
From 337e0f7d1d6985b5683ddb7b7a42df0ef8130708 Mon Sep 17 00:00:00 2001
From: Shivkumar Dudhani
Date: Fri, 13 Dec 2019 11:22:22 -0800
Subject: [PATCH 8/8] update image tag to latest (#556)

---
 definitions/install.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 38bf9b8225..7c7d1fe95e 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -463,7 +463,7 @@ spec:
 image: nirmata/kyvernopre:latest
 containers:
 - name: kyverno
- image: nirmata/kyverno:v1.0.0
+ image: nirmata/kyverno:latest
 args:
 - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
 # customize webhook timout
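Review bot: The `http.Server` literal on the new side sets only `Addr` and `TLSConfig` within the hunk, with no `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout` or `IdleTimeout` visible, so a slow or stalled client can hold connections on the admission endpoint open indefinitely; unless they are set in the part of the literal that continues past the hunk, add e.g. `ReadHeaderTimeout: 10 * time.Second,` and `IdleTimeout: 60 * time.Second,` (importing `time`). The route change also drops the handler for `config.ValidatingWebhookServicePath`; if any ValidatingWebhookConfiguration still targets that path the apiserver will get a 404 and, depending on its `failurePolicy`, either fail open or block admissions, so it is worth confirming the registration code was updated in step. `NewWebhookServer` begins before the hunk and the `http.Server` literal continues after it.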
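Review bot: Reverting `image: nirmata/kyverno:v1.0.0` to `nirmata/kyverno:latest` makes the default install track a mutable tag, so two clusters applied from the same manifest can run different code and any broken or malicious push to `latest` is picked up on the next pull; for an admission controller that sits in the path of every API write that is a supply-chain risk worth weighing. The installation doc in patch 5 tells users to swap `latest` for a release tag, which suggests the floating default is deliberate, but most users apply the manifest as-is; consider pinning the default to a release tag or a digest (`nirmata/kyverno@sha256:…`) and leaving `latest` to the debug manifest. The context line `image: nirmata/kyvernopre:latest` has the same exposure.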